2020 was notably bad for the healthcare sector, with record numbers of reported data breaches. Ransomware was a major threat: Emsisoft identified 560 ransomware attacks on healthcare companies in 2020, and according to Comparitech the cost of downtime due to ransomware attacks in 2020 was $20.8 billion, more than double the cost in 2019.
The healthcare cybersecurity consulting company CynergisTek has just published its 2021 Annual State of Healthcare Privacy and Security Report. It notes that, despite the substantial risk of a security breach in the healthcare sector given the huge number of cyberattacks, many healthcare companies still do not fully comply with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule.
To put together the report, entitled Maturity Paradox: New World, New Threats, New Focus, the yearly risk assessments of 100 healthcare companies in 2020 were used to determine overall NIST CSF conformance. The report revealed that:
- 75% of healthcare companies had improved overall NIST conformance.
- 64% of healthcare companies did not reach the 80% NIST conformance level, which is regarded as the passing grade.
- The majority of the improvements made in 2020 were small.
- 53 healthcare companies had improved NIST conformance year over year.
- 32 healthcare companies were significantly under the 80th percentile.
- 17 healthcare companies had diminished NIST conformance year over year.
To increase resilience against ransomware and other cyberattacks, healthcare companies need to improve their security posture. It is not possible to stay one step ahead of threat actors if companies do not take steps to improve NIST CSF and HIPAA Security Rule compliance.
Although good conformance ratings are a useful indicator of security posture, they do not always reveal the degree to which healthcare companies have actually reduced risk. For the 2021 report, CynergisTek put much less emphasis on conformance scores and instead evaluated the steps healthcare companies had taken, to determine which core functions of the NIST CSF were truly driving lasting security improvements, with the goal of identifying the best opportunities for both short- and long-term results.
The Identify function provides the foundation on which the remaining core functions are built, yet 73% of healthcare companies performed poorly in this function. Supply chain risk management and asset management were two key areas that must be addressed. The healthcare supply chain is a common concern and a weak link in medical care: many healthcare companies have difficulty confirming whether third-party vendors satisfy particular security requirements, and 76% of healthcare companies were unable to protect their supply chains.
The Protect function calls for safeguards to be put in place to secure critical infrastructure and information. One of the primary areas where companies were failing is protecting information through encryption. A company's default for storing and transmitting protected information of any type should involve encryption. High performers attained 90% conformance for the protection of data at rest, while the remainder of the industry had only 30% conformance.
In the Detect function, a significant gap between high and low performers was observed, but overall, healthcare companies had good levels of conformance. To be regarded as a high performer, the Detect function must be substantially implemented, with significant automation of security monitoring.
The Respond function pertains to a company's ability to promptly carry out the right activities when a cybersecurity event is discovered. This is an area that needs significant improvement: only the top performers are actively investigating alerts from detection systems, and only high performers were consistently and substantially mitigating the problems found.
The Recover function defines the activities needed to return to normal operations following a cybersecurity event. Although there were some gaps among the high performers, conformance was generally excellent; however, significant improvements must be made by low performers. About 66% of healthcare companies are underperforming when it comes to recovery planning.
CynergisTek identified several areas of security that healthcare companies should concentrate on over the next 12 months:
- Increase automation of security functions
- Validate technical settings against people and procedures
- Conduct business-level exercises and drills that test all parts of the organization
- Protect the supply chain
- Look beyond the requirements of the HIPAA Rules and improve privacy and security procedures further
The researchers identified significant improvements in the companies' HIPAA privacy programs in 2020, with a number of healthcare companies making outstanding progress. Nonetheless, more can be improved. CynergisTek identified certain privacy areas that must be targeted in 2021. These steps include:
- Using user access monitoring tools and performing proactive rather than reactive monitoring
- Dealing with faulty HIPAA authorizations
- Preventing violations of the Minimum Necessary Rule by identifying requirements to restrict PHI disclosure
- Revising inadequate privacy policies and procedures and making sure the new policies are enforced
- Addressing inappropriate Hybrid Entity designations