New Report Reveals Only 44% of Healthcare Institutions Meet National Standards on Cybersecurity
17 September 2020 - 3:00PM
Business Wire
CynergisTek’s Annual Report Lifts the Veil on the Healthcare System and the State of Cybersecurity Distress; Supply Chain Proves to Be a Major Vulnerability
Today, CynergisTek, a leading cybersecurity firm helping more than 1,000 hospitals navigate emerging security and privacy issues, released its new annual report, “Moving Forward: Setting the Direction.” The third annual report revealed that only 44 percent of providers across the continuum, including hospitals and health systems, conformed to the controls outlined in the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), with scores in some cases trending backwards since 2017.

Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates, each assessed by CynergisTek against the NIST CSF.
The report also found that healthcare supply chain security is one of the lowest-ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is, with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, president and CEO of CynergisTek. “These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system. However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
CynergisTek’s report revealed that larger healthcare institutions with larger budgets did not necessarily perform better on security, and in some cases performed worse than smaller organizations or those that invested less. In some cases, this was a direct result of consolidation, where health systems connected their networks directly to newly acquired hospitals without first shoring up the acquired organization’s security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek. “The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”
Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.

To overcome these challenges, the report identifies the following key strategies to bolster healthcare security and achieve success:
- Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should look under the hood and be more diligent when examining the acquired organization’s security and privacy infrastructure, measures and performance. It is important to understand the target’s books and revenue streams as well as its potential security risks and gaps, so that those gaps do not become the acquirer’s liabilities.
- Make security an enterprise priority: Other sectors like finance and aerospace have treated security as an enterprise-level priority, and healthcare must make the same kind of commitment. Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial. Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business, including finance, HR and more.
- Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan that leverages talent and tried-and-true strategies like multi-factor authentication, privileged access management and ongoing staff training to truly up-level their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
- Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, cloud solutions provide the agility and scalability that can help leaders cope with situations like COVID-19 and other crises more effectively.
- Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security, and things are going to get worse before they get better. Get an assessment quickly to determine immediate needs and come up with a game plan to bolster the defenses needed in this next normal.
About the Methodology

CynergisTek’s Annual Report and its rankings are based on aggregating the maturity ratings of nearly 300 security risk assessments performed across provider facilities by CynergisTek in 2019, using the NIST Cybersecurity Framework as the benchmark standard. Based on those assessments and using a six-point scale (0 to 5, from 0 = Incomplete to 5 = Optimized Process), the team examined whether processes were in place to meet desired outcomes and were continuously improved to achieve current and projected goals. All of the subjects of this analysis were also measured against the HIPAA Security Rule. CynergisTek calculated the national average of the nearly 300 assessments, which accounts for providers across the entire continuum of care, including Business Associates, Critical Access Hospitals, Academic Medical Centers, Health Systems, Physician Groups and Payers.
About CynergisTek

CynergisTek is a top-ranked cybersecurity firm dedicated to serving the information assurance needs of the healthcare industry. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security and compliance goals. Since 2004, the company has served as a partner to hundreds of healthcare organizations and is dedicated to supporting and educating the industry by contributing to relevant industry associations. The company has been recognized by KLAS as a top-performing firm in healthcare cybersecurity and was awarded the 2019 Top Healthcare Cybersecurity Consultants in the Black Book IT Advisory Outcomes Survey.
View source version on businesswire.com: https://www.businesswire.com/news/home/20200917005041/en/

Media Contact: Allison + Partners, Jaime Tero, 415-755-8639, jaime.tero@allisonpr.com