Health IT Security Challenges Persist for Hospital Systems 

Cybersecurity remains a challenge for healthcare systems.

Basic health IT security and cybersecurity remain a struggle for many healthcare systems in the United States, according to a new report. 

The “Maturity Paradox: New World, New Threats, New Focus” report, published by CynergisTek on July 28, states that “most hospitals critically lack the ability to secure their supply chain systems.”

CynergisTek, a cybersecurity consulting firm, reviewed just under 100 assessments of healthcare providers, including hospitals, physician practices, accountable care organizations (ACOs), and business associates, according to a press release on the report.  

“These assessments measure organizations’ security posture against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), a standardized framework first published in 2014 intended to help protect American critical infrastructure,” it stated.  

The fourth annual report stated that supply chain management was the second-lowest scoring assessment it examined.  

“Even among high-performing organizations that have significantly improved over the past four years, scores averaged 2.7 out of five, reflecting a universal challenge that companies face in identifying and addressing risks across their supply chains,” it stated. “With an acceptable score above a three, only 23% of organizations passed on supply chain security – and barely – not even high performers achieved above a three.” 

Healthcare organizations struggle to validate “whether third-party partners are meeting contractual security obligations,” it noted.  

With the recent attacks on third parties, it is “imperative for organizations to dedicate time and resources to supply chain security before risks expand exponentially,” the new report noted.

“The past year has been arguably the most trying on the U.S. and global healthcare systems. We saw cybercriminals attack hospitals and healthcare institutions when they were at their most vulnerable – the industry made it through, granted with some bumps and bruises,” said David Finn, EVP at CynergisTek, in a press release. 

“It is the responsibility now – of stakeholders, C-suite, IT managers, and anyone involved in protecting our healthcare system – to ensure that patient care remains resilient even in an environment with growing cyberattacks,” Finn continued.

Healthcare organizations need to focus on four main improvements in order to be proactive in battling cyberthreats, according to the CynergisTek report. 

The report recommends that healthcare organizations: 

First, organizations may consider practicing exercises and drills “at the enterprise level, testing all components of the business...Practice on a large scale, and then build out a playbook...”    

Second, organizations should secure the supply chain. 

“As demonstrated in this year’s findings, supply chains present a potential vulnerability with wide-ranging and unpredictable impact,” the report states. “Security leaders need to assess current investments and devise a plan of action that aims to rapidly remediate this major vulnerability. That should include, minimally, a risk-based assessment of critical third-party vendors based on access, data they hold or access and services they provide.” 

Next, organizations should focus on automating and validating. 

“Automating security functions and validating technical controls for people and processes are foundational in any solid security,” the report stated. “Security automation can detect, investigate, and even remediate cyber events and threats in near-real-time, so it is crucial to focus on automation that can be manually diagrammed. Then, adopt that automation gradually and roll out training to effectively leverage the tools so the right people can follow the appropriate procedures.” 

Finally, it may be prudent to improve organizational awareness and training. People are healthcare organizations’ first and last lines of defense. The report notes that “half of organizations are not training and informing end users regarding security on an ongoing basis.”

“This trend is pervasive both within and outside of organizations. CynergisTek found a critical lack of education and understanding among C-Suite executives and board members, who have unique obligations and fiduciary responsibilities,” the release stated. 

“Consistent with this year’s findings regarding the overall vulnerability of the supply chain, CynergisTek also found that many third-party vendors and partners lack training and understanding of their role in cybersecurity preparedness.” 

David Finn, EVP of External Affairs, Information Systems & Security at CynergisTek, told HealthITSecurity in an interview that organizations are battling an ever-changing risk environment.

“No organization will ever ‘fix’ everything in their computer environment,” Finn stated. “Even if you had unlimited staffing and budgets, you simply cannot fix everything. Because everything is changing, even as you fix it. You can, however, reduce your risks. That ultimately is what cybersecurity is all about – mitigating and managing risk. It’s not about stopping every single cyber event on your network or systems.”