Hospital-based organizations remain highly susceptible to cyberattacks, and in certain respects are falling behind, as the threats to patient care organizations nationwide continue to grow and intensify almost daily. Those are some of the core conclusions of a report on cybersecurity preparedness released late last month by the Austin, Texas-based CynergisTek consulting firm. Indeed, the report stated, among other findings, that:
• Only 44 percent of providers across the continuum (e.g., hospitals and health systems) conformed to the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce
• Healthcare supply chain security is one of the lowest-ranked areas under the NIST CSF
• COVID-19 demonstrated how broken the healthcare supply chain is, with providers buying PPE from unvetted suppliers
• Larger healthcare institutions with bigger budgets did not necessarily perform better on security, and in some cases performed worse than smaller organizations or those that invested less.
The full text of CynergisTek’s 2020 Annual Report, entitled “Moving Forward: Setting the Direction,” can be found here. As CynergisTek’s leaders note in the overview to their report, “In our third annual report, ‘Moving Forward: Setting the Direction,’ we evaluate the state of security in healthcare utilizing NIST CSF and compare it against 3 years’ worth of historical client data,” referring to the Cybersecurity Framework created and maintained by NIST.
The report focuses on three key areas that CynergisTek’s leaders believe are exceptionally important in the current moment.
“First,” they write, “scores overall are down when looking at NIST CSF. Only scores for conformance with the HIPAA Security Rule were up, by 1 percent from 2018 (75 percent) to 76 percent in 2019, and up from 70 percent in 2017. A reasonable improvement over 3 years, but slowing significantly from 2018 to 2019. In terms of NIST CSF, with the full use of NIST CSF 1.1 for our assessments in 2019, we expected some decline in those scores due to the changes in managing cybersecurity within the Supply Chain (1 new category in the Identify Function). NIST CSF 1.1 also introduced 10 new sub-categories in the Identify, Protect, and Respond Functions. Unfortunately, scores declined in all Functions except Detect, which remained at an average score of 2.1 across all three years.”
“And finally, the industry may be too focused on getting good grades rather than reducing risk. While comparisons to others in the industry are important and help you understand where you stand and where others are focusing, they don’t reduce your risk or protect you. This is not about the scores. Cybersecurity is about risk management, at the enterprise level, not just IT and Security risks. That is really what the HIPAA Security Rule was about: not getting ‘compliant’ (because there is no such thing) but building an on-going risk management process. Looking at a neighboring facility or even across the sector and saying ‘we’ve done enough’ is dangerous. This isn’t a matter of running faster than your friend, like in the old joke where two men are running and one of them says to the other: ‘I don’t have to run faster than the bear. I just have to run faster than you.’ The cyber-criminal isn’t just looking for a snack; he/she will target specific institutions, data and people and will change course or shift approaches faster than a bear can. In other words, in cybersecurity, if you are not improving, you are falling behind in managing your risks. The bad guys keep getting better, the technology more complex, and more of it is being deployed.”
Meanwhile, CynergisTek’s leaders offer several key pieces of advice for IT security leaders in patient care organizations:
• When it comes to cybersecurity, it’s all about rinse, repeat, and repeat again! Organizations that had a regular risk assessment, prioritized remediating the outcomes/insights learned from those assessments, and then dedicated staff, organizational support, and effort to the prioritized targets saw significant improvement in their NIST CSF conformance and score.
• Attackers are pivoting and the attack surface is expanding.
• New rules are complicating, and will continue to complicate, healthcare and security. When it comes to interoperability, information blocking, state privacy laws and adjacent sectors, we just haven’t moved far enough beyond COVID-19 or adopted interoperability to adequately focus on it. However, it is coming and it won’t be as simple as it seems.
• Talking (or planning) is not doing. Organizations that simply did assessments but did not plan and act on their assessment findings stayed flat or lost ground.
And the Sept. 17 press release announcing the report quoted Caleb Barlow, president and CEO of CynergisTek, as saying that “We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary. These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system. However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
Following the release of the report, David Finn, executive vice president of strategic innovation at CynergisTek, spoke with Healthcare Innovation Editor-in-Chief Mark Hagland regarding the report and some of its implications. Below are excerpts from that interview.
What does the overall landscape look like to you right now?
The annual report for us really is a survey of the assessments we’ve done in the past 12 months. We were a little bit surprised, because we discovered NIST’s CSF scores are down across the board. We expected with NIST’s new version of CSF scores that we’d see declines in certain areas, but frankly, they’re across the board. And when organizations stopped being very rigorous, they slid backwards. If they were not making changes and adjustments in near-real time we found that they were actually losing ground. We also found that a lot of organizations have been too focused on their scores, and not as focused on what’s important, which is reducing risks. It goes back to the old check-box mentality.
Are organizations beginning to secure all the devices that remote-based workers are using now in healthcare?
We are starting to see organizations go back to do some cleanup. But the interoperability and information-blocking rules now actually require more information-sharing. So it’s a difficult moment, and it’s also a different world now, everything’s changed. And we have to rethink everything in terms of security and privacy. And we’ve long known that security work can disrupt clinical workflows; but during COVID-19, we’ve found that changes in clinical workflows can disrupt security. We’re really going to have to bring the clinicians to the table, figure out what we need to know, and build security into clinical workflows.
What does that mean in practical terms, as patient care organization leaders try to move forward?
It really means adding security and privacy into processes. People didn’t understand that the healthcare business really runs on information and information technology. And the daily work of clinicians and everyone else, even to the level of housekeeping, is so important. But the information technology, information security, and privacy people, were never at the table, as clinical and other systems got set up; they were brought in later on. And what we’ve learned from COVID-19 is that you can’t do it separately. You’ve got to bring in the privacy and security people while you’re building the new clinical processes and implementing new technology. So many people don’t understand what interoperability is really going to mean. But as people bring in their FitBits and cardio apps, etc., and hospitals end up with dozens if not hundreds of APIs, they’re going to have to look at security upfront; and they’re going to have to bring in the patients from the start as well. It’s the patients who have to use the data in their lives.
What are a few of the specific stumbles that you’re seeing in hospital-based organizations right now?
One thing we’ve seen historically, and now they’re probably even more overwhelmed—they do their annual risk assessment, and end up with their list of 100 things, and they either are overwhelmed, and consequently, nothing gets done; or they prioritize those lists, and say we’ll work on three items and engage everyone. But when we dug into the organizations that had made progress and then slipped back, the ones that did well took an enterprise risk management approach. We need to realize that it’s a journey, not a destination.
What should IT and IT security people do in medical groups? They tend to be not as far along as hospital systems.
That’s a great question. We’re already anticipating merger and acquisition activity increasing. And because all this technology, and compliance with security requirements, will be expensive, you have to build that cost into your valuations; you have to build security and privacy into your acquisition processes, whether you’re acquiring or being acquired. In the meantime, those practices that are big enough to have limped along are going to have to engage some outside resources. They may have had outside resources that have been great at desktop security but not cloud security. So they’re going to have to get the help they need. And that doesn’t necessarily mean long-term contracts; it may mean targeted expert guidance. But people are going to have to realize that you can’t do this by yourself anymore; it’s too big, and we’re all interconnected. And if the people you’re dealing with aren’t secure, you’re not going to be secure, either.
And there’s the other thing, which I think practices can do. Some people say people are your first line of defense; others say people are your last line of defense. I say both are true. We don’t do enough training of people, training them on phishing attacks, etc. Even patients need to be educated about phishing. We’re going to have to greatly expand training and awareness.
What does the next two to three years look like to you?
I think we’re going to have to rethink everything, and with that will come a lot of changes. With the addition of supply chain to the NIST CSF, that will require work; but we’ve learned during COVID-19 that supply chain is more important than ever. And we’re going to see that some technologies have to be added, and some existing ones will require more focus. We’re going to have to look at devices being used for remote access and telehealth, and look at identity and access management, particularly for telehealth. I used to say, when I was a CISO, that encryption and data loss prevention are two no-brainer areas. And new medical devices, particularly ventilators, are coming onto the network. So we’re finally going to have to really address medical device security; we’ve been dancing around that issue for years.
And finally, with COVID, we’re redefining everything—how people shop, how people travel. And healthcare is a part of that change, too. We’re literally redefining the way that healthcare is delivered. And the minute you separate privacy and security from processes, you’re going to have problems. I’ve been doing this for 39 years now, and some of this, I’ve been saying for that entire time.
You have to think about how you get ahead of the curve, right? You can’t just think about daily routines.
You’re exactly right. And healthcare has traditionally been very risk-averse. We really have entered consumer-driven healthcare, and we’re going to have to deal with it. And that does mean you’re going to have to change on a routine basis.