3rd-party risk, asset management continue to be cybersecurity weak points for healthcare, study finds (2025)


Supply chain risks and asset management remain key areas in need of improvement among healthcare’s cybersecurity efforts, according to a recent report benchmarking dozens of organizations.

The collaborative analysis, penned by KLAS Research, echoed earlier editions that found most healthcare organizations are “preparing for when, not if, they will need to employ incident response, disaster recovery and business continuity strategies.”

But beyond spotting the gaps, it also outlined correlations between self-reported implementation of cybersecurity frameworks and best practices and relevant organizational metrics. For instance, it found lower annual increases in cybersecurity insurance premiums for healthcare organizations that use the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), which is recommended by the federal government and private sector partners for HIPAA compliance, as their primary framework.

KLAS conducted the analysis (PDF) in collaboration with healthcare risk-assessment vendor Censinet, the American Hospital Association, the Health Information Sharing and Analysis Center, the Healthcare and Public Health Sector Coordinating Council and the Scottsdale Institute.

The cybersecurity maturity and resiliency study reviewed 69 healthcare and payer organizations’ self-reported adoption and implementation of NIST CSF 2.0 and three other frameworks and best practices: the Healthcare and Public Health Cybersecurity Performance Goals (HPH CPGs), the Health Industry Cybersecurity Practices (HICP), and the NIST AI Risk Management Framework (NIST AI RMF). Data were collected during the final four months of 2024.

The report’s authors noted that, among NIST CSF 2.0’s six functions, the “identify” function (64%) again had the lowest coverage alongside the newly added “govern” function (64%), while the “respond” function (85%) was disproportionately better covered than the others. This, along with the elevated reported coverage of the “recover” function (78%), suggests a “more reactive than proactive” approach is winning out as the likelihood of a breach increases for both the healthcare organizations and their third-party vendors, they wrote.


Also under NIST CSF 2.0, the researchers called out low coverage of supply chain risk management (52%, under the “govern” function) and asset management (53%, under the “identify” function).

“The low coverage for supply chain risk management is especially concerning, as the number of third-party breaches in the healthcare industry has continued to increase year-over-year,” they wrote.

An analysis of the HPH CPGs outlined similar room for improvement regarding third-party risk management and asset management.

Among the subset of organizations that responded to the optional questions on the HICP, researchers found that most organizations have practices in place relating to email protection systems (86%) and cybersecurity oversight and governance (83%). However, network-connected medical device security lagged for the benchmark study’s third consecutive year with 48% reported coverage, which KLAS researchers said again “supports findings from NIST CSF 2.0 and the HPH CPGs that third-party risk management and asset management still lag behind in industry coverage.”

As for NIST AI RMF, a cross-industry framework for assessing and managing artificial-intelligence-specific risks, researchers noted that the 13 organizations that chose to describe their coverage “are in the early stages of AI risk management, and many face challenges with risk remediation due to uncertainties surrounding AI.” In contrast to traditional cybersecurity risk management, they recommended organizations establish cross-departmental ownership “that includes a broad set of stakeholders in order to achieve safe, secure, and ethical use of AI.”


Participants in the benchmarking study were provided additional findings related to operating metrics and peer group comparisons as an incentive to participate. The outline of where healthcare organizations are still falling short on cybersecurity and AI comes as about three-fourths say they are ramping up their IT investments in these and other areas.

Author: Allyn Kozey

Last Updated:

Views: 6366

Rating: 4.2 / 5 (63 voted)

Reviews: 86% of readers found this page helpful

Author information

Name: Allyn Kozey

Birthday: 1993-12-21

Address: Suite 454 40343 Larson Union, Port Melia, TX 16164

Phone: +2456904400762

Job: Investor Administrator

Hobby: Sketching, Puzzles, Pet, Mountaineering, Skydiving, Dowsing, Sports

Introduction: My name is Allyn Kozey, I am a outstanding, colorful, adventurous, encouraging, zealous, tender, helpful person who loves writing and wants to share my knowledge and understanding with you.