Where Hospitals Are Still More Cyber Reactive Than ProactiveSteve Low of KLAS Research and Ed Gaudet of Censinet Discuss New Benchmarking Study
While some hospitals appear to be making progress in certain areas of cybersecurity risk management, many more are still more reactive than proactive in terms of embracing recommended best practices that can help advance their level of cyber maturity, said Steve Low, president of KLAS Research, and Ed Gaudet, CEO of consulting firm Censinet.
KLAS Research, Censinet and the American Hospital Association recently embarked on a research survey - the Healthcare Cybersecurity Benchmarking Study - to help explore the level of cybersecurity maturity in 48 U.S. hospitals.
Data and analysis from that study were also included in a larger research document examining cybersecurity resiliency at U.S. hospitals, which was released in April by the Department of Health and Human Services.
The KLAS, Censinet and AHA research survey aimed to measure adherence by hospitals to security controls recommended by the National Institute of Standards and Technology Cybersecurity Framework and the Health Industry Cybersecurity Practices, or HCIP, a guidance of best practices developed by HHS' 405(d) Task Group.
Drilling down into the findings, hospitals showed some pronounced areas of relative strength and weakness, Low said.
"We saw significant weaknesses in proactive risk mitigation," he said. When it came to following the NIST framework, many hospitals had "comparatively robust controls" in place for incident response and detection, but they appeared less proactive when it came to third-party risk mitigation and asset management.
"They're getting their own house in order, but they're farther behind when it comes to engaging with third parties, and the challenge that presents is: That's where they have so many risks," Low said in an interview with Information Security Media Group.
Similar kinds of weaknesses were found with IT asset management practices, Gaudet added. "Unless you go through a proper inventory of your digital assets, it's hard to understand where the risks are and then put in the right controls to protect patient safety and overall care delivery."
In this video interview with Information Security Media Group, Low and Gaudet also discuss:
- Correlations between the implementation of certain recommended security best practices and cyber insurance premiums;
- Findings related to medical device cybersecurity risk management;
- Key takeaways from the study that hospitals should consider.
Low formerly ran KLAS Research's vendor research business. Prior to joining KLAS, he held leadership, IT advisory and consulting positions at several major firms.
Gaudet has more than 30 years of software experience. He has spent the last decade working with healthcare providers to modernize and automate their cyber risk and security infrastructure. Gaudet is a member of the HHS' 405(d) Cybersecurity Working Group and of various Health Sector Coordinating Council task groups.