5 Key Insights from The Healthcare Cybersecurity Benchmarking Study
The Healthcare Cybersecurity Benchmarking Study, co-led by Censinet, KLAS Research, and the American Hospital Association, and sponsored by leading health systems, is the industry’s first initiative to establish robust, trusted, and actionable peer benchmarks to help healthcare organizations strengthen cybersecurity maturity and resiliency. The Study produced detailed findings and peer benchmarks across three key areas:
- Organizational Key Performance Indicators (KPIs)
- The NIST Cybersecurity Framework (CSF)
- The 405(d) Health Industry Cybersecurity Practices (HICP)
Findings from this landmark Study also served as one of the primary sources of data included in the recently published HHS Hospital Cyber Resiliency Initiative: Landscape Analysis.
Here are 5 key insights from the first wave of the Study (which included 48 healthcare delivery organizations):
1. Healthcare is Still More Reactive than Proactive in Cybersecurity
Much as health systems have more infrastructure in place to manage acute care episodes than to prevent chronic disease, the Study found that the healthcare industry is currently better positioned to respond to security incidents than to identify (and mitigate) cyber threats before they become incidents. The Study found “Identify” ranked lowest in maturity across all 5 NIST CSF Functions, while “Respond” ranked highest.
[Figure: NIST CSF Function Coverage]
2. “Supply Chain Risk Management” Ranks Last in NIST CSF Maturity
Digging deeper into the key drivers of Insight #1 above, the Study found “Supply Chain Risk Management” ranks last in relative HDO maturity across all 23 NIST CSF Categories. Despite best intentions, managing third-party risk still faces significant headwinds, as it remains a highly manual and time-consuming process. Moreover, just as attack surfaces and the threat landscape keep growing, CISOs find themselves facing one of the most acute cybersecurity workforce shortages in modern history.
Adding fuel to the fire, the largest healthcare breach in 2022 did not occur at a top Health IT company; it was a hacking incident at a printing and mailing vendor, affecting 2.7 million individuals across 37 different HDOs.
[Figure: NIST CSF Category Coverage]
3. Higher Third-Party Risk Coverage Correlated with Lower Cyber Insurance Premium Growth
The Study found a statistically significant correlation between higher third-party risk assessment maturity and lower annual increases in cyber insurance premiums. The Study also found significant challenges in acquiring and keeping cyber insurance coverage, as well as extraordinary annual growth in premium costs: large organizations saw an average increase of 46% in premium cost last year, while medium-sized organizations saw 50% growth on average. Anecdotal interviews with hospitals and health systems found increasing policy exclusions, shrinking policy coverage amounts, and even instances of cyber insurers refusing to pay out on claims after a security incident.
4. While Email Protections Are Largely In Place, There’s Still A Long Way to Go on Medical Device Security
The Study found wide disparity in [Health Industry Cybersecurity Practices Publication (HICP)](https://405d.hhs.gov/information) adoption across the ten best practice areas, with email protections ranking highest in adoption and medical device security ranking last in coverage across HDOs, at just over 50% coverage. With 10-15 network-connected medical devices per bed, and the market for Internet-of-Medical-Things (IoMT) devices growing rapidly, this will certainly be a key focus area for both BioMed leaders and CISOs, especially with ransomware groups now directly threatening patient care and safety.
5. Higher CISO Program Ownership Correlates with Higher HICP Coverage for Medical Device Security
Looking into implications for programmatic changes and their effect on security, the Study also found an interesting, statistically significant correlation between CISO program ownership and HICP adoption for medical device security. Specifically, when the CISO’s office owned responsibility for medical device security, HDOs saw an 18 percentage point increase in HICP coverage, from 45% with no ownership to 63% with complete ownership.
Conclusion
As ransomware increasingly shuts down care operations at hospitals across the country, healthcare organizations are now forced to manage cyber risk as patient safety risk. These organizations are seeking out solutions to help them understand the risks they face and fight back against these emerging threats. Peer benchmarking is an invaluable tool for identifying, assessing, and, ultimately, mitigating cyber risk across the enterprise. By comparing cybersecurity program performance and maturity to peer organizations, IT/Security teams can identify where critical gaps in security exist today, prioritize allocation of scarce resources, and help justify future investment in cybersecurity to their Boards, making the overall enterprise more resilient and safer for patients.