Healthcare Cybersecurity Benchmarking Study 2024
Improving Cybersecurity Preparedness through NIST CSF & HICP Best Practices
With cyberattacks on the rise, having a strong cybersecurity strategy is a must for healthcare organizations, especially as they face post-pandemic resource constraints and staffing shortages. Many are protecting their data by adopting and implementing cybersecurity frameworks and best practices, such as the NIST Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP). NIST CSF and HICP are accessible resources for healthcare organizations, and high NIST CSF and HICP coverage is a strong indication of cybersecurity preparedness. This report—a collaboration between Censinet, KLAS, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council—provides an update to previous research on the status of healthcare cybersecurity preparedness. It also examines the effect of governance and resource investment on cybersecurity preparedness and insurance premiums. Data for this report comes from 58 respondents (54 payer or provider organizations and 4 healthcare vendors) who were interviewed September–December 2023.
What Are NIST CSF & HICP?
When this report refers to cybersecurity coverage, it is specifically talking about coverage of NIST CSF and HICP. NIST CSF 1.1 is a cross-industry cybersecurity framework consisting of five functions. HICP is a set of ten healthcare-specific cybersecurity mitigating practices based on the top threats to healthcare cybersecurity. Both NIST CSF and HICP are recommended by the HHS 405(d) Program; recently published Healthcare and Public Health Sector Cybersecurity Performance Goals from the Department of Health and Human Services are also based on NIST CSF and HICP. In this report sample, most respondents have adopted NIST CSF and use it as their primary cybersecurity framework.
Healthcare Provider & Payer Cybersecurity Preparedness at a Similar Level Compared to 2023 Benchmarking Study; Repeat Respondents See Increased Coverage across Measurements
Based on NIST CSF and HICP metrics, healthcare cybersecurity coverage is at a similar level as it was in 2023. Average coverage across the five NIST CSF functions shows that organizations are generally more reactive than proactive in their approach to cybersecurity, with the Identify function having the lowest coverage and the Respond function having the highest. This year’s HICP coverage is also similar to last year’s, confirming that most organizations have Email Protection Systems in place but have a long way to go with Medical Device Security and Data Protection and Loss Prevention.
25 of the healthcare delivery organizations in the research sample also participated in last year’s benchmarking study. Year over year, these repeat organizations on average have seen improved coverage in all NIST CSF functions as well as HICP best practices, and their average NIST CSF and HICP coverage is higher than that of other participating provider and payer organizations. Repeat organizations saw the largest increase in the following NIST CSF categories: Response Improvement, Recovery Improvement, Business Environment, and Recovery Planning. Improved coverage in HICP areas was slightly lower in magnitude and largely seen in Data Protection and Loss Prevention, Vulnerability Management, and Incident Response.
Supply Chain Risk Management Remains NIST CSF Category with Lowest Coverage
Of the many categories within the NIST CSF framework, Supply Chain Risk Management (a component of the Identify function) remains the one with the lowest coverage. The lack of adoption of this category is particularly alarming given that the healthcare industry is more likely than other industries to be victimized by third-party data breaches. Additionally, higher coverage of Supply Chain Risk Management is associated with smaller increases in cybersecurity insurance premiums. The HICP best practices have limited impact on Supply Chain Risk Management coverage when organizations use NIST CSF as their primary framework, but HICP does increase coverage for organizations that don’t use NIST CSF as their primary framework.
Higher Cybersecurity Preparedness & Resiliency Strongly Correlated with Lower Insurance Premium Growth
On average, respondent organizations who adopt NIST CSF have lower year-over-year increases to their cybersecurity insurance premiums. In particular, those using NIST CSF as their primary cybersecurity framework report premium increases one-third the percentage reported by non-NIST CSF organizations. Higher coverage within the NIST CSF categories related to cyber resiliency is especially correlated with lower increases in cybersecurity premiums. Focusing on these areas helps organizations mitigate the impact of breaches on patient care and safety and maintain business continuity.
ÂHigh Program Ownership by Information Security Leaders Continues to Contribute to Higher Coverage
As discussed in last year’s benchmarking study, organizations whose information security leaders have greater ownership of cybersecurity-related areas more often achieve higher cybersecurity coverage. KLAS used a linear regression analysis to determine the impact of several variables on cybersecurity coverage. The level of cybersecurity program ownership by information security leaders continues to be significantly correlated with high coverage. While the industry average for NIST CSF and HICP coverage is 70%–71%, organizations that assign information security leaders higher percentages of program ownership achieve above-average cybersecurity coverage. In particular, higher program ownership is correlated with significantly higher coverage in the HICP areas of Endpoint Protection Systems and Data Protection and Loss Prevention. Among organizations that participated in both the 2023 and 2024 studies, those that increased cybersecurity program ownership under their CISO almost always saw increased coverage. The NIST CSF categories that these organizations invested in include Access Management, Network Management, and Disaster Recovery Programs.
ÂVendors Take a More Preventive Approach to Cybersecurity Preparedness
Vendors play an integral role in healthcare cybersecurity; if critical third-party systems and devices used for care delivery are compromised, they can negatively impact care quality and patient safety. Four vendors are included in this report sample, all of whom have adopted NIST CSF 1.1. This limited sample shows that on average, vendors have similar NIST CSF coverage to other respondents; however, the level of coverage within the five NIST CSF functions varies between vendors and payer/provider organizations. Payers and providers typically show more coverage for the Respond function than vendors, while vendors show comparatively higher coverage across the Identify and Protect functions.
About This Report
The 2024 Healthcare Cybersecurity Benchmarking Study is co-sponsored by Censinet, KLAS Research, the American Hospital Association, the Health Information Sharing and Analysis Center, and the Healthcare and Public Health Sector Coordinating Council. This study is the industry’s first and only collaborative initiative to establish robust, objective, and actionable peer benchmarks to strengthen cybersecurity maturity and resiliency across the healthcare sector. Research for the 2024 study included 58 participating organizations—including healthcare delivery organizations and healthcare vendors—and analyzes coverage across the NIST Cybersecurity Framework and the Health Industry Cybersecurity Practices as well as key organizational and cybersecurity program performance metrics.
Study Sponsors
Writer
Natalie Hopkins
Designer
Jess Wallace-Simpson
This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.