Even among the most advanced healthcare organizations, cybersecurity measures can be ineffective if they are not implemented consistently and in line with established best practices. Limited staff and budgets make it hard to give information security the priority it needs.
According to a report by the College of Healthcare Information Management Executives (CHIME) and KLAS Research, the foundation of a good healthcare security program is a thorough risk analysis that identifies the highest risks, guides the deployment of security controls where they matter most and provides a baseline against which progress can be measured.
Using the Health Industry Cybersecurity Practices (HICP) guidelines as the framework, CHIME and KLAS surveyed more than 600 healthcare organizations to determine where provider organizations stand today in their adoption of the 10 overarching cybersecurity practices HICP describes.
The surveyed organizations varied in size. Small organizations were classified as 1 to 50 beds, mid-sized organizations as 51 to 100 beds and large organizations as more than 300 beds. The following are highlights from the report:
1. Email Protection Systems
Key Finding: Email is the most common attack vector through which healthcare organizations are put at risk.
- More than 70 percent of surveyed organizations run phishing simulations at least quarterly, and many run them more often.
- 16 percent of small and mid-size organizations do not run phishing simulations at all, or run them less than once a year.
- Digital signatures let recipients verify that a message actually came from the claimed sender and was not altered in transit.
- Large organizations are three times more likely than their smaller counterparts to use digital signatures.
2. Endpoint Protection Systems
Key Finding: Regardless of size, most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats.
- About 20 percent of small organizations have not implemented intrusion detection and prevention systems (IDS/IPS).
- The majority of surveyed organizations have implemented mobile device management (MDM) to secure both hospital-owned and BYOD smartphones and tablets.
Recommendation: Small organizations still have an opportunity to implement mobile device management software. MDM helps keep protected health information (PHI) contained on managed devices and gives the organization the ability to remotely wipe a device that is lost, stolen or no longer connected to the secured hospital network.
3. Access Management
Key Finding: Many organizations are transitioning from homegrown identity and access management (IAM) solutions to commercial solutions to support their identity policies. Multi-factor authentication (MFA) remains a gap for half of small organizations.
Identity and Access Management (IAM) Technology
- 83 percent of surveyed organizations have implemented single sign-on (SSO), letting users access multiple systems with one login.
- Large organizations are significantly more likely to have implemented identity management and automated provisioning tools.
Multifactor Authentication (MFA)
- Phishing campaigns are proving more successful at compromising users' credentials, increasing the need for multi-factor authentication (MFA), which prevents a stolen password alone from granting access.
- Less than half of smaller organizations have an MFA solution in place today.
- Regardless of size, organizations report little adoption of adaptive or risk-based authentication, which adjusts the authentication requirement to the context of the login (device, location, behavior).
4. Data Protection and Loss Prevention
Key Finding: Data-loss prevention (DLP) solutions have been widely adopted, though deployment of on-premises DLP solutions has slowed as organizations have transitioned to the cloud. Organizations are more likely to back up data in a physical location than to use cloud back-up services.
Data-Loss Prevention (DLP) Tools
- The majority of surveyed organizations, including over 70 percent of small organizations, report having a DLP tool in place.
- Organizations that use exact data matching or document fingerprinting (matching outbound content against hashes of the actual records they hold, rather than against generic patterns such as "anything shaped like an SSN") are more likely to be satisfied with their DLP tools and less likely to report false positives.
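The difference between pattern-based detection and exact data matching is easiest to see in code. The script below is an added example written for this page, not a tool from the CHIME/KLAS report or any DLP vendor: it runs a generic SSN/MRN pattern detector and a hash-based exact-data-match detector over the same outbound messages. The patient records, the messages and the `INDEX_KEY` are constructed for the demo; a real deployment would key the index from a protected secret and build it from the organization's own patient master index.

```python
"""Pattern-based DLP versus exact data matching (EDM) over outbound text.

Added example: the records, messages and key below are constructed for the demo.
"""
import hashlib
import hmac
import re

# Constructed sample of the identifiers the organization actually holds.
PATIENT_RECORDS = [
    {"mrn": "MRN-48213", "ssn": "219-09-9999"},
    {"mrn": "MRN-77001", "ssn": "078-05-1120"},
]

# Generic detectors: anything *shaped* like an SSN or a medical record number.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")
MRN_RE = re.compile(r"\bMRN-\d{5}\b")

# Placeholder key for the demo. A keyed hash matters: the SSN space is only
# 10^9 values, so an unkeyed SHA-256 index could be reversed by brute force.
INDEX_KEY = b"constructed-demo-key"


def candidates(text):
    """Every SSN- or MRN-shaped token in the text (what a pattern rule flags)."""
    return SSN_RE.findall(text) + MRN_RE.findall(text)


def pattern_hits(text):
    """Pattern-based DLP: flag every token that merely looks like an identifier."""
    return sorted(set(candidates(text)))


def normalize(value):
    """Strip separators and case so '219 09 9999' and '219-09-9999' match."""
    return re.sub(r"[\s-]", "", value).upper()


def fingerprint(value):
    """HMAC-SHA256 of the normalized identifier; the index never stores raw PHI."""
    return hmac.new(INDEX_KEY, normalize(value).encode(), hashlib.sha256).hexdigest()


def build_index(records):
    """Fingerprint every identifier field of every record."""
    return {fingerprint(v) for rec in records for v in rec.values()}


def edm_hits(text, index):
    """Exact data matching: flag a token only if its fingerprint is in the index."""
    return sorted({c for c in candidates(text) if fingerprint(c) in index})


def scan(messages, index):
    """Run both detectors over each message and report what each would flag."""
    return [
        {"text": m, "pattern": pattern_hits(m), "edm": edm_hits(m, index)}
        for m in messages
    ]


# Constructed outbound messages: one real PHI leak, one look-alike, one benign.
SAMPLE_MESSAGES = [
    "Please forward the chart for MRN-48213, SSN 219 09 9999.",
    "Purchase order 555-12-3456 approved; vendor ref MRN-00001 attached.",
    "Lunch at noon?",
]

if __name__ == "__main__":
    index = build_index(PATIENT_RECORDS)
    for result in scan(SAMPLE_MESSAGES, index):
        print(f"{result['text']!r}")
        print(f"  pattern rule flags: {result['pattern']}")
        print(f"  exact match flags:  {result['edm']}")
```

The second message is the false positive the report's finding refers to: a purchase-order number and a vendor reference have the right shape, so the pattern rule blocks a harmless email, while the exact-match index ignores them. The first message shows the other half of the value, since normalization lets EDM catch the real SSN even though the sender typed it with spaces. Commercial EDM products extend this with multi-field matching (flag only when, say, a name and an MRN from the same record appear together) and protect the index key as carefully as the data itself.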
Data Encryption and Back-Up
- Encryption of server databases and enterprise network storage is less common in small organizations.
- Very few small organizations report using Data as a Service (DaaS) or Infrastructure as a Service (IaaS).
- Mid-size and large organizations are more likely to use these cloud services.
5. Asset Management
Key Finding: Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management and procurement teams.
- Nearly all organizations report proper disposal of assets that contain protected health information (PHI).
- Only 50 percent of small organizations and 60 percent of mid-size organizations use RFID/RTLS technology to identify and track assets.
6. Network Management
Key Finding: Most organizations have network access control (NAC) solutions to monitor devices that connect to their networks; however, less than half of small organizations use network segmentation to limit how far an infection can spread once a device is compromised.
- Large organizations are more likely to have a single, enterprise-wide wireless infrastructure.
- Small and mid-size organizations are more likely to have multiple discrete networks deployed for different purposes.
Recommendation: Small organizations should prioritize network segmentation so that the impact of an attack is contained to the segment where it started.
7. Vulnerability Management
Key Finding: Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Small organizations more often rely on penetration testing to identify vulnerabilities.
- 90 percent of large organizations and 60 percent of small and mid-size organizations run vulnerability scans at least quarterly.
Recommendation: Penetration testing should be standard practice at large organizations as well: today, small organizations are the most likely to perform general or wireless penetration tests at least once a quarter.
8. Incident Response
Key Finding: Most organizations have an incident-response plan in place and participate in an information sharing and analysis organization (ISAO), but only half conduct an annual enterprise-wide exercise to test their plan.
- Large organizations are the most likely to participate in the Health Information Sharing and Analysis Center (H-ISAC).
- Small organizations are more likely to rely on nearby health information exchange (HIE) partners than on national ISAOs.
Recommendation: Organizations of all sizes should have an incident-response plan that sets out the policies and procedures for quickly isolating and mitigating adverse security events. The plan should involve all applicable hospital departments, include guidelines for proper notification should a breach occur, and be exercised regularly rather than only written.
9. Medical Device Security
Key Finding: Medical device security remains a top concern for organizations as they weigh patient-safety risks. Medical-device-security programs are often supported by strong cybersecurity practices in other areas.
Top medical-device-security struggles
- Out-of-date operating systems that organizations cannot patch
- A lack of asset and inventory visibility, due to insufficient tools and the large number of devices that must be secured
Recommendation: Apply the technologies already discussed (endpoint protection, IAM, asset management, network management and vulnerability management) specifically to medical devices. Where a device's operating system cannot be patched, network segmentation and monitoring act as compensating controls.
10. Cybersecurity Policies
Key Finding: Small organizations are less likely to have governance measures such as a dedicated chief information security officer (CISO), board-level oversight, a governance, risk management and compliance (GRC) committee, and bring-your-own-device (BYOD) management.
- Small and mid-size organizations are nearly four times as likely as large organizations to lack a CISO.
- Nearly half of mid-size and large organizations have cybersecurity as a topic at board meetings at least quarterly.
- Most organizations have a governance, risk and compliance (GRC) committee in place.
- Less than half of organizations (and fewer than one in five small organizations) have a board-level committee overseeing their cybersecurity program.
Recommendation: Organizations’ overall security policies should include the following elements:
- Proper classification of data
- Definition of roles and responsibilities within the organization (including proper governance)
- Employee education
- Definition of acceptable data and tool usage
- Definition of proper use of personal and employer-provided devices
- Creation of a cyberattack response plan
Last updated on 10/8/19.