Blue Planet Studio - stock.adobe
Understanding barriers to cyber resilience in healthcare
Cyber resilience is essential to ensure swift response and recovery from a cybersecurity incident, but it is a constant challenge for healthcare organizations.
Cyber resilience is a key concept for security practitioners in any industry, especially those in critical infrastructure. An organization that maintains a strong degree of cyber resilience will ideally be able to continue operating in the face of a myriad of challenges, such as cyberattacks or natural disasters.
Cyber resilience refers to the ability of a computing system to identify, respond, and recover swiftly amid a security incident. In healthcare, disruptions to critical systems can cause not only operational difficulties but also negative effects on patient care, making cyber resilience essential.
Government entities and private industry groups have long recognized the importance of cyber resilience. For example, in 2023, HHS and the Health Sector Coordinating Council (HSCC) Cybersecurity Working Group (CWG) issued a comprehensive landscape analysis focused on exploring the current state of cybersecurity resilience in U.S. hospitals.
The analysis, which combined results from two quantitative studies with conversations with participating hospitals, revealed several gaps in hospital cyber resilience, including lapses in multi-factor authentication (MFA) adoption, supply chain risks, and the use of antiquated systems.
Research from LevelBlue, formerly known as AT&T Cybersecurity, revealed similar trends across several sectors, including healthcare.
“Across the board, there are common barriers when it comes to cyber resilience. Healthcare doesn’t necessarily understand what cyber resilience means to the organization because cybersecurity and the business are not aligned,” Theresa Lanowitz, chief evangelist at LevelBlue, said in an interview with HealthITSecurity.
“There's no idea of what cyber resilience really means. So, if there is some big event, they don't know how to come together as a larger organization to remediate against this type of event. And the IT estate has become so unwieldy and so complex that there's just not a lot of visibility into it.”
While efforts to improve cyber resilience across the sector are improving greatly, understanding the barriers to maintaining it can help healthcare organizations make additional progress.
What factors inhibit cyber resilience in healthcare?
“From a cybersecurity perspective, as much as we have talked over the last couple of years since the pandemic that security has become a business requirement, it's really not. It is still siloed, it is still underfunded, it is still something that is not thought of at the top level,” Lanowitz said.
LevelBlue’s research revealed that 74% of respondents across all surveyed industry verticals reported that cyber resilience is primarily the responsibility of cybersecurity teams and is not an enterprise-wide priority. The figure rose to 76% in healthcare specifically, showing an even greater dependence on security teams alone to manage risk.
What’s more, 77% of total respondents described their budgets as reactive rather than proactive, and 61% said that there was a lack of understanding about cybersecurity at the board level.
The HHS landscape analysis showed significant variance in hospital cyber resiliency, especially for smaller hospitals. The landscape analysis highlighted cyber resilience knowledge gaps and lower investments in cybersecurity due to slim to negative financial margins as factors that contribute to this variance.
“Many of the hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information, but cost and poor awareness of existing resources is a strong deterrent,” the landscape analysis stated.
In addition to knowledge gaps, budget and executive buy-in challenges, Lanowitz emphasized that ongoing innovation adds to cyber risk as well, making resilience more nuanced.
“Computing continues to evolve in healthcare. We see use cases such as endpoints, such as wearables being very common. For remote patient monitoring after surgery, we see the use of robotics inside of hospitals for delivery to nurses stations, for example,” Lanowitz noted.
“We see these endpoints being extremely diverse. And so that whole IT estate now has to include all of those endpoints, and that's what the healthcare industry has to be able to look at.”
Innovation is positive, but balancing innovation with cyber risk is a significant challenge. The majority of survey respondents across all industries affirmed that computing innovation outweighs the corresponding increase in risk, but many acknowledged that the trade-off makes cyber resilience more complex.
Researchers found that a lack of visibility into the entire IT estate, the use of outdated hardware and software, pervasive supply chain risks and challenges with retaining cyber talent all contribute to cyber resilience challenges as well, researchers found.
Despite these challenges, healthcare organizations can take actionable steps to minimize these cyber resilience challenges.
Strategies for improving cyber resilience
“What we found out is that for all the talk we've had over the past couple of decades about big data and reporting and analytics and metrics, very few people are using any type of reporting,” Lanowitz suggested.
Nearly 70% of LevelBlue survey respondents said they were not using reporting metrics and analysis to inform cyber resilience actions. Lanowitz suggested that more collaboration and use of data in this space could help organizations improve cyber resilience.
“Make sure that your cybersecurity team and your line of business and your executives are aligned,” Lanowitz said.
In addition to increasing communication at the C-suite level, employee training and outreach have the potential to improve cyber resilience. The landscape analysis revealed that 86% of surveyed hospitals reported that their users are informed and trained on their cybersecurity duties, though there was significant variability in the level of training provided to hospital staff.
“Additionally, little data was available on the adequacy and effectiveness of training and outreach efforts,” the landscape analysis stated, further highlighting the importance of collecting data and analyzing metrics to inform security actions.
HHS also noted that there was room for improvement in MFA adoption and vulnerability assessments, both of which are already widely used in healthcare. The landscape analysis noted that MFA is used in more than 90% of surveyed hospitals, but it may not be used consistently across key systems and access points, creating additional risk areas.
Additionally, HHS observed improvements from organizations that adopted the Health Industry Cybersecurity Practices (HICP) resource, a publication consisting of voluntary, industry-led guidance to bolster healthcare cybersecurity. Specifically, the research linked HICP adoption to comprehensive National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) coverage.
“This indicates that organizations that focus on HICP Practices will gain value and benefit towards managing implementation of the NIST CSF cybersecurity framework, proving the investment in hygiene pays dividends in larger programmatic maturity,” the landscape analysis stated.
Cyber resilience is an ongoing effort, rather than something that can be definitively achieved by an organization. Even so, healthcare organizations can use the resources available to them, such as the HICP, to bring their organizations to a more resilient state.