Even though large health organizations are adopting more sophisticated cybersecurity strategies, their smaller counterparts still aren’t, and they are falling behind.
Health IT Security reports that a new study from KLAS and CHIME finds that smaller providers aren’t keeping pace in governance, risk management, and other elements of a security program.
What Is The CHIME and KLAS Survey?
CHIME and KLAS researchers analyzed responses from more than 600 health providers that participated in the 2018 Healthcare’s Most Wired survey.
The research emphasized measuring key areas that can help advance the healthcare industry and gathering information about organizations’ technology strategies, which cover not just technology adoption but also the refinement of processes and the development of people.
The Most Wired research helps to identify gaps in healthcare organizations’ technology adoption and strategies and highlights areas in which the industry has opportunities to make progress.
What Did The Findings Reveal?
1. Larger health organizations have a better grasp of their cybersecurity practices: they run more frequent and more sophisticated vulnerability scanning and application testing. Small providers typically depend on penetration testing alone to find vulnerabilities.
- Vulnerability assessments find security gaps but do not determine which flaws can actually be exploited; a vulnerability scanner tells an organization which flaws exist and where they are located.
- Penetration tests attempt to exploit those gaps in an IT system to learn whether unauthorized access or other malicious activity is possible; they identify the flaws that pose a real threat to an application.
- The two are complementary rather than interchangeable. Scanning is broad but shallow: it flags every exposed system whose software version or configuration matches a known weakness, exploitable or not. A penetration test is deep but narrow: it confirms exploitability only on the systems in scope, at the time of the engagement. You need both vulnerability assessments and penetration testing to get a detailed picture of flaws and the risk each one carries.
2. Smaller healthcare providers struggle with multi-factor authentication (MFA): only half of those surveyed use MFA to protect accounts against stolen or phished credentials.
3. Most of the large and small providers have an incident response plan in place. They also participate in information-sharing and analysis organizations. By sharing cybersecurity best practices and knowledge, healthcare organizations can collectively bolster the industry’s defenses against threats. But the survey revealed that only half conduct an annual exercise to test those incident response plans.
4. As healthcare becomes increasingly digital, it has become ever more important for organizations to be able to recover from disasters quickly. Progress in using data-loss prevention tools has begun to slow as more providers transition to the cloud. More organizations are backing up data in a physical location than in a cloud backup service. Doing both is advised: a local copy for fast restores, and an off-site copy that survives the loss of the primary site (including a ransomware event that encrypts the local backups).
5. The good news is that most small providers have implemented email and endpoint protection systems. And more than 70% conduct phishing simulations at least quarterly, with many performing those tests more frequently.
6. Many small-to-medium providers lack resources. That is troubling because they also appear overconfident about their privacy maturity at a time when breaches are increasing.
In response to these resource gaps, the Healthcare and Public Health Sector Coordinating Council has provided guidance on how smaller healthcare organizations can lean on student internships and transition IT staff into security roles.
IT Security Is Still A Work-In-Progress In Healthcare
According to Steven Cagle, CEO of Clearwater:
“Even in the most mature organizations, these best practices and tools are often not implemented for every system or device across the enterprise. Furthermore, different systems and their components may require different security controls based on their unique attributes. In today’s complex IT environment, with too few available resources and dollars for cybersecurity, how does an information security leader decide what to address first and how best to reduce risk?
Foundational to a good security program is an enterprise-wide, information system-based security risk analysis. A risk analysis will identify and evaluate the applicable vulnerabilities and threats for each system based on its profile, as well as which controls are in place to address these scenarios.”
CHIME (The College of Healthcare Information Management Executives) reports:
“Due to a growing number of internal and external security threats, it has become increasingly more difficult for healthcare organizations to protect their sensitive information, including patients’ personal health information.
To defend themselves from these growing threats, healthcare organizations have purchased technology to safeguard their systems, hired security consultants to provide advisory and technical services, and created internal programs to instill best practices.
However, security is still developing in healthcare, and few organizations have a comprehensive program in place. When it comes to adopting a security framework, organizations are shifting from self-developed security information frameworks to NIST and HITRUST.
Other core components of a comprehensive security program include dedicating a senior security leader, having an adequate security budget, establishing governance and oversight committees, and meeting regularly to report gaps in security and progress toward closing them.”