Healthcare Cybersecurity Benchmarking Study
How Aligned Is the Industry to NIST and HICP Best Practices?
The digitalization of healthcare has brought with it many benefits but also some challenges, cybersecurity being among the most significant. As healthcare organizations introduce new technology into their environments, questions often arise as to how and where to allocate resources in order to best reduce cyber risk. This report—a collaboration between Censinet, KLAS, and the American Hospital Association (AHA)—is intended to provide high-level insights into the current state of cybersecurity preparedness in healthcare and thus highlight potential areas of focus.
The findings in this report are based on evaluations completed by 48 healthcare organizations, ranging from small critical access hospitals to large multispecialty practices and large academic medical centers. The questions were designed to measure adherence to the guidelines recommended by the NIST Cybersecurity Framework (NIST CSF) and Health Industry Cybersecurity Practices (HICP), with additional questions added to gain insight into organizations’ cybersecurity investments and resources and the span of control given to information security leadership.
Maturity with NIST Five Functions
Organizations Are More Reactive than Proactive, Especially in Identifying Asset and Supply Chain Risk
Survey results indicate that healthcare organizations are still mostly reactive rather than proactive in their cybersecurity, especially in identifying cybersecurity risks. Of the six categories within the Identify function, organizations have particularly low coverage in Supply Chain Risk Management, Asset Management, and Risk Management. More than 40% of organizations are not compliant with conducting response and recovery planning with suppliers and third-party providers.
Of the five functions in the NIST cybersecurity framework, organizations report the highest average coverage in the Respond function. This is driven largely by maturity in the Analysis category, which measures an organization’s investigation, forensics, categorization, analysis, and understanding of cybersecurity incidents. All organizations report investigating notifications from detection systems, with the vast majority reporting coverage in this area of at least 70%.
Supply Chain Risk Management has the lowest coverage of any subcategory across all five NIST functions. A particular challenge is that conducting testing with third-party suppliers is resource intensive, requiring coordination between both the healthcare organization and the vendor. It also demands process management that many healthcare organizations may not yet have the maturity to provide. However, efforts in this area can pay off—organizations that report higher Supply Chain Risk Management coverage are more likely to report lower year-to-year increases in their cybersecurity insurance premium.
Alignment with HICP Guidance
Email System Protections Are in Place; Medical Device Security Has a Long Way to Go
HICP guidance differs based on organization size, and respondents self-selected into one of three groups based on size, complexity, IT capabilities, cybersecurity investment, and other criteria as laid out by HICP. Of the participating organizations, 27 self-selected as large, 20 as medium, and 1 as small.
Regardless of size, organizations report the highest coverage for email protection. For most of the metrics that fall under email protection, more than half of organizations report 100% coverage. On the other hand, medical device security is an area of industry-wide vulnerability, with average coverage barely over 50%. Almost all responding organizations ensure medical devices are wiped of all data when decommissioned. However, where the manufacturer supports such configuration, fewer than two-thirds configure medical devices to allow only known processes and executables to run, and most of these organizations report doing so for only some devices.
The HICP guidelines for large organizations include all subpractices recommended for medium organizations as well as additional, more advanced subpractices targeted specifically to large organizations. Large organizations are nearly equal with medium organizations in their adoption of the shared recommendations, while their adoption of the large-organization recommendations is much lower, especially in the areas of data protection and loss prevention, endpoint protection systems, and asset management.
Two of HICP’s cybersecurity practice areas—network management and medical device security—show significant correlation between an organization’s coverage in that area and how much of that area is owned by information security leadership. Organizations with full information security ownership of their network management report 64% coverage in this assessment area, an improvement of 9 percentage points over organizations with no information security ownership. Similarly, organizations with full information security ownership of medical device security report 63% coverage in this assessment area, which is 18 percentage points more than organizations with no ownership. Organizations wishing to improve coverage in these areas should consider establishing structure and governance that give clear responsibility and ownership to those most suited to manage the risk.
Snapshot of Cybersecurity Expense
Key Findings
Healthcare organizations do well at responding to cybersecurity incidents, particularly when it comes to incident analysis. But the data shows a lack of proactivity in managing third-party products and services.
Organizations that report lower coverage of Supply Chain Risk Management are more likely to report higher year-to-year increases in their cybersecurity insurance premium, indicating that efforts to better assess and identify risk with supply chain providers can pay off.
Most organizations have email protection systems in place that cover a majority of their entities.
Medical device security is a significant vulnerability, but ownership of this area by information security leadership has a significant positive effect. This correlation suggests that coverage in this area can be improved by aligning ownership under the most appropriate leadership.
Ownership by information security leadership also shows a positive correlation with network management coverage. Organizations wishing to improve coverage in this area should consider giving ownership to those most suited to manage the risk.
Large organizations may lack the resources to meet the HICP guidelines targeted specifically to large organizations. Their coverage in most of these areas is significantly lower than their coverage of the guidelines that they share with medium organizations.
About This Report
Conducted by Censinet, KLAS Research, and the American Hospital Association (AHA), this study is intended to establish collaborative cybersecurity benchmarks for the healthcare industry. The findings are based on evaluations completed by 48 healthcare organizations, ranging from small critical access hospitals to large multispecialty practices and large academic medical centers. The study questions were designed to measure adherence to the guidelines recommended by the NIST Cybersecurity Framework (NIST CSF) and Health Industry Cybersecurity Practices (HICP), with additional questions added to gain insight into organizations’ cybersecurity investments and resources and the span of control given to information security leadership.
Study participants were given access to additional, more in-depth analysis of the findings. To participate in future benchmarking studies, please contact Censinet at benchmarking@censinet.com.
Study Sponsors
The healthcare cybersecurity benchmarking study is provided in partnership with the following sponsors:
Special Thank-You
The study authors extend a special thank-you to the following individuals/groups for their guidance and expertise:
John Riggi
National Advisor for Cybersecurity and Risk
AHA
Erik Decker
Vice President & CISO
Intermountain Healthcare
HHS 405(d) Program and Task Group
Writer
Elizabeth Pew
Designer
Natalie Jamison
Project Manager
Andrew Wright
This material is copyrighted. Any organization gaining unauthorized access to this report will be liable to compensate KLAS for the full retail price. Please see the KLAS DATA USE POLICY for information regarding use of this report. © 2024 KLAS Research, LLC. All Rights Reserved. NOTE: Performance scores may change significantly when including newly interviewed provider organizations, especially when added to a smaller sample size like in emerging markets with a small number of live clients. The findings presented are not meant to be conclusive data for an entire client base.