AUSTIN, Texas--(BUSINESS WIRE)--Today, CynergisTek, a leading cybersecurity firm helping more than 1,000 hospitals navigate emerging security and privacy issues, released their new annual report, “Moving Forward: Setting the Direction.” The third annual report revealed that only 44 percent of providers across the continuum, including hospital and health systems, conformed to protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), with scores in some cases trending backwards since 2017.
Analysts examined nearly 300 assessments of provider facilities across the continuum, including hospitals, physician practices, ACOs and Business Associates assessed by CynergisTek against the NIST CSF.
The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is, with providers buying PPE from unvetted suppliers.
“We found healthcare organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary,” said Caleb Barlow, president and CEO of CynergisTek. “These issues, combined with the rapid onset of remote work, accelerated deployment of telemedicine and impending openness of EHRs and interoperability, have set us on a path where investments need to be made now to shore up America’s health system. However, the report isn’t all doom and gloom. Organizations that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools have seen significant improvements to their NIST CSF conformance scores.”
CynergisTek’s report revealed that bigger healthcare institutions with bigger budgets didn't necessarily perform better when it came to security and, in some cases, performed worse than smaller organizations or those that invested less. In some cases, this was a direct result of consolidation, where systems directly connect to newly acquired hospitals without first shoring up their security posture and conducting a compromise assessment.
“What our report has uncovered over recent years is that healthcare is still behind the curve on security. While healthcare’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo won’t cut it,” said David Finn, EVP of Strategic Innovation at CynergisTek. “The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19.”