An Analysis of Cybersecurity Practices in Healthcare

A recent report by KLAS and CHIME looked at the cybersecurity practices of healthcare providers based on recent guidance issued on the subject. The results? Although some best practices seem to be on the radars of organizations of all sizes, overall findings suggest that small practices have some work to do.

In their white paper, KLAS and CHIME look at a document recently released by the 405(d) Task Group, which was put together by the Department of Health and Human Services (HHS) following the Cybersecurity Act of 2015. The document “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”, outlines 10 cybersecurity practices that organizations should focus their attention on.

10 Cybersecurity Practices

1. Email Protection Systems
2. Endpoint Protection Systems
3. Access Management
4. Data Protection and Loss Prevention
5. Asset Management
6. Network Management
7. Vulnerability Management
8. Incident Response
9. Medical Device Security
10. Cybersecurity Policies

KLAS and CHIME used responses from over 600 providers gathered in the 2018 Healthcare’s Most Wired survey to assess how healthcare organizations are doing in their adoption of these cybersecurity best practices.

How are organizations doing with their adoption of cybersecurity practices and how can you improve yours?

Below are the key findings laid out by KLAS and CHIME on how organizations are doing with the 10 cybersecurity practices recommended by the Task Group.

1. Email Protection Systems – Practices of all sizes seem to be doing well with their email protection, with most organizations having deployed email protection systems.

• Are you protecting your email? Email protection includes filtering and encryption services to help keep attackers out. With email being the most common attack vector, protecting it is critical, but only one component of keeping attackers at bay when it comes to email threats. Along with technology protections, organizations should be providing simulated phishing to strengthen employee awareness and prevent a successful phishing attack or ransomware attempt.

2. Endpoint Protection Systems – Similar to email protections, practices of all sizes are also doing well with deploying endpoint protection systems. It is worth noting however, that 20% of small organizations have not implemented an intrusion-detection and prevention system (IDPS), an important first line of defense in endpoint protection.

• Are you protecting your endpoints? With mobility becoming more common in the workplace, it’s critical to ensure that ALL endpoints are properly protected. Endpoint protection includes antivirus, encryption, mobile device management (MDM), and more.

3. Access Management – Most organizations stated that they have adopted access management policies, however, less than half of small organizations have implemented multifactor authentication (MFA). There has been little adoption for adaptive/risk-based authentication for organizations of all sizes.

• Are you managing access? Managing user access is critical, especially in the healthcare industry. As cybercriminals continue to target healthcare, they will continue trying to crack employees’ credentials, send phishing emails, etc. It is important to make it difficult for attackers to get in, thus implementing controls like MFA is critical.

4. Data Protection and Loss Prevention – Data loss prevention (DLP) tools are in place for most organizations, including 70% of small organizations. All organizations stated that they back up their data, however, the majority do so offsite rather than in the cloud.

• Are you addressing data protection and loss prevention? Patient data must be shared securely, meaning that data must always be protected including at rest, in use, and in motion. Policies and procedures should be in place to address this process, which is a basis for DLP. Encrypting your data and ensuring you have backups available is essential for businesses of all sizes.

5. Asset Management -The survey collected little information when it comes to how organizations are managing their assets, however, almost all respondents said they are properly disposing of devices with PHI.

• Are you managing your assets? Knowing what devices are used within your organization is extremely important, however, simply tracking what devices you’ve purchased is no longer enough. Organizations should know what operating system their devices are running, MAC and IP addresses, locations, patching information and more. Policies should be in place that outline how you’re managing assets, including how you’re properly disposing of them when the time comes.

6. Network Management – Nearly all organizations have network access controls (NAC) to monitor devices that are connected to the network. Organizations are doing well with firewalls and device security, which are widespread, however less than half of small organizations reported having their networks segmented.

• Are you managing your networks? Managing your network is incredibly important at keeping cybercriminals out. It is absolutely necessary for all organizations regardless of size to have their networks properly segmented, that way if an attack were to occur it would not spread to the entire network. In addition, protecting your network with firewalls and device security should be a top priority.

7. Vulnerability Management – 90% of large organizations are running vulnerability scans at least quarterly, while only 60% of small and medium-sized businesses are doing the same. Despite the Task Group recommending large organizations run penetration tests, small organizations are more likely to do so. Some small organizations reported that resource constraints prevent them from involving multiple business units in their remediation.

• Are you managing your vulnerabilities? Vulnerability scans will look for and identify vulnerabilities found within your organization. Adding in penetration testing through internal or external teams will also help you with your vulnerability management, allowing for a deeper look at your vulnerabilities. Policies should be implemented so that after you have conducted a vulnerability scan, you will be prepared to prioritize and remediate the identified vulnerabilities.

8. Incident Response – Most organizations have an incident response plan in place, however only half of them conduct an annual enterprise-wide test to see if that plan is successful.

• Do you have an incident response plan? Having an incident response plan is yet another crucial cybersecurity practice for organizations of all sizes. This plan should include policies and procedures for handling an incident, quickly and efficiently isolating and mitigating security events, how to handle breach notifications, etc. In addition to having an incident response plan in place, it should be tested at least annually to verify that the plan works the way you intend it to.

9. Medical Device Security – Medical device security was found to be a top security concern for survey respondents due to the challenges that are present with them, like their potential to be breached and put patient safety at risk. The top two security struggles identified with medical devices include out-of-date operating systems that cannot be patched and a lack of inventory of assets due to a large number of devices that need to be secured.

• Are you securing medical devices? Although it may be easier for small organizations to secure their medical devices due to a lower volume of devices and strong policies for doing so, organizations of all sizes should make this a priority. While difficult to do so, do your best to keep an inventory of your medical devices and verify that the list is current. If a vulnerability is known for a device and you are aware of that device and its location, you can begin addressing that vulnerability much quicker.

10. Cybersecurity Policies – Small organizations are less likely to have cybersecurity policies in place, such as dedicating an individual to be the chief information security officer (CISO), or a bring-your-own-device (BYOD) policy.

• Do you have your cybersecurity policies in place? A strong cybersecurity program includes policies and technology to support them. Don’t overlook the importance of implementing cybersecurity policies. KLAS and CHIME state, “While various policies underly each of the previous nine cybersecurity practices, organizations’ overall security policies should include the following elements: proper classification of data; definition of roles and responsibilities within the organization (including proper governance); employee education; definition of acceptable data and tool usage; definition of proper use of personal and employer-provided devices; and creation of a cyber attack response plan.”

Although not all cybersecurity best practices are being ignored in the healthcare industry, it is safe to say that there is work to be done, especially within smaller organizations.

Remember, it’s not only the government and your state of compliance you need to worry about, it’s cybercriminals too.

For more information regarding the cybersecurity best practice guidance issued by the Task Group, put together by the Department of Health and Human Services, check out our recent webinar!