TRENDING:

Safe & Sound with Marianne Kolbasuk McGee

Endpoint Security , Governance & Risk Management , Healthcare

Adoption of Security Best Practices: A Status Report

New Study Sizes Up Healthcare Organizations' Efforts to Battle Cyberthreats Marianne Kolbasuk McGee (HealthInfoSec) • July 3, 2019    
Adoption of Security Best Practices: A Status Report

Are healthcare organizations becoming better prepared to battle evolving cyberthreats?

See Also: The Cybersecurity Swiss Army Knife for Info Guardians: ISO/IEC 27001

A new study by the College of Healthcare Information Management Executives and healthcare IT research firm KLAS offers an interesting assessment of preparedness.

The study examined responses from 649 small, midsized and large healthcare entities regarding their adoption of 10 cybersecurity best practices recommended in a report issued late last year by the Department of Health and Human Services (see: HHS Publishes Guide to Cybersecurity Best Practices).

The report, "Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients," was the culmination of a two-year effort involving more than 150 cybersecurity and healthcare experts. The Cybersecurity Information Sharing Act of 2015 had mandated that HHS develop practical cybersecurity guidelines.

A Status Report

According to the CHIME/KLAS study, here's where healthcare entities of various sizes stand in their adoption of several key best practices:

Endpoint Protection: Regardless of size, most organizations say they have deployed some type of email and endpoint protection systems. That includes email filtering systems and endpoint encryption. But larger organizations - including hospitals with more than 300 beds - are further ahead in their deployment of more mature practices and technologies, such as digital signatures to verify that emails come from trusted sources and have not been manipulated in transmission, as well as mobile device management systems.

Identity and Access Management: Many organizations say they are transitioning from homegrown identity and access management solutions to commercial solutions to support their identity policies. More than 80 percent of surveyed organizations say they have implemented single sign-on solutions to enable quick and easy access to multiple systems with a single login. Small organizations - those hospitals with fewer than 50 beds - were far less likely to have implemented multifactor authentication.

Regardless of size, organizations reported little adoption of adaptive/risk-based authentication, which requires additional verification based on the risk level of the action being attempted.

Data Loss Prevention: DLP solutions have been widely adopted, although deployment of on-premises DLP solutions has slowed as organizations have transitioned to the cloud. Organizations indicate they are more likely to back up data in a physical location than to use cloud backup services. Very few small organizations report using data or infrastructure as a service. While midsize and large organizations are more likely to use these services, adoption is still limited.

Network Access Control: Most organizations say they have implemented network access control solutions to monitor devices that connect to their networks. Less than half of small organizations, however, say they are using network segmentation to control the spread of malware. Large organizations report more sophisticated and more frequent vulnerability scanning and application testing. Smaller organizations more frequently turn to penetration testing to identify vulnerabilities.

Incident Response: Most organizations say they have an incident response plan in place and participate in an information sharing and analysis organization. However, only half of organizations report they conduct an annual enterprisewide exercise to test their incident response plan.

Medical Devices: Medical device security remains a top concern for organizations, especially as they weigh patient safety risks. But many organizations report that their medical device security programs are supported by cybersecurity practices in other IT areas, including endpoint protection, IAM, asset management, network management and vulnerability management.

Large organizations are more likely to have invested in technology to support their medical device security programs. And many organizations of all sizes report they haven't formalized internal ownership of medical device security and are just beginning to bring security into the medical device procurement process, including pre-purchase risk assessments, software bills of materials and patching provisions.

Governance: Small organizations are less likely to use some basic cybersecurity policies, such as having a dedicated CISO; implementing a formal governance, risk management, and compliance program; and instituting policies for bring-your-own-device management.

Glimmers of Hope?

While the CHIME/KLAS findings seem to show that many healthcare organizations are indeed making the effort to improve their cybersecurity posture, many gaps obviously still need to be filled - especially at smaller organizations.

So, what's at the top of your organization's best practice priority list for the second half of 2019?



About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Why Health Firms Struggle with Cybersecurity Frameworks
Why Health Firms Struggle with Cybersecurity Frameworks
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.