Even among the most advanced healthcare organizations, implementing cybersecurity measures can be ineffective if not done consistently and with best practices in mind. Lack of resources and limited budgets make prioritizing information security tough.

According to a report by the College of Healthcare Information Management Executives (CHIME) and KLAS Research, the foundation of a good healthcare security program is a thorough analysis that can identify the highest risks, optimize the deployment of security controls, and measure progress.

Advised by the Health Industry Cybersecurity Practices (HICP) Guidelines, CHIME and KLAS surveyed more than 600 healthcare organizations to determine where provider organizations stand today in adopting ten overarching cybersecurity practices.

The surveyed organizations were of varying sizes. Small organizations were classified as one to 50 beds, mid-sized organizations were classified as 51 to 100 beds, and large organizations were classified as more than 300 beds.

The following are highlights from the report:

1. Email Protection Systems

Key Finding: Email is the most common attack vector through which healthcare organizations are put at risk.

The Facts:

Phishing Simulations

• More than 70% of surveyed organizations conduct such simulations at least quarterly, with many doing it more frequently.

• 16% of small and midsize organizations do not perform phishing simulations or do them less than once a year.

Digital Signatures

• Digital signatures allow users to verify that emails come from trusted sources.

• Large organizations are three times more likely than their smaller counterparts to use digital signatures.

2. Endpoint Protection Systems

Key Finding: Regardless of size, most organizations have deployed email and endpoint protection systems, establishing an initial layer of defense against internal and external threats.

The Facts:

• About 20% of small organizations have not implemented intrusion detection and protection systems.

• Most surveyed organizations have implemented mobile device management to secure hospital-owned and BYOD smartphones and tablets.

Recommendation: The opportunity remains for small organizations to implement mobile device management software. Doing so ensures that protected health information remains on devices and that organizations can wipe a device if it becomes lost or disconnected from a secured hospital network.

3. Access Management

Key Finding: Many organizations are transitioning from homegrown identity and access management (IAM) solutions to commercial solutions to support their identity policies. Multifactor authentication (MFA) remains a gap for half of small organizations.

The Facts:

Identity and Access Management (IAM) Technology

• 83% of surveyed organizations have implemented single sign-on solutions to access multiple systems with a single login.

• Large organizations are significantly more likely to have implemented identity management and provisioning tools.

Multifactor Authentication (MFA)

• Phishing scams are proving more successful at compromising users’ credentials, increasing the need for multifactor authentication (MFA).

• Less than half of smaller organizations have an MFA solution in place today.

• Regardless of size, organizations report little adoption of adaptive/risk-based authentication.

4. Data Protection and Loss Prevention

Key Finding: Data-loss prevention (DLP) solutions have been widely adopted, though deployment of on-premises DLP solutions has slowed as organizations have transitioned to the cloud. Organizations are more likely to back up data in a physical location than to use cloud backup services.

The Facts:

Data-Loss Prevention (DLP) Tools

• Most surveyed organizations, including over 70% of small organizations, report having a DLP tool in place.

• Organizations that use exact data matching or fingerprinting are more likely to be satisfied with their DLP tools and less likely to report false positives.

Data Encryption and Backup

• The encryption of server databases and enterprise network storage devices is less common in small organizations.

• Very few small organizations report using Data or Infrastructure as a service.

• Medium and large organizations are more likely to use these services.

5. Asset Management

Key Finding: Today’s security requirements are challenging historical asset management practices, making it increasingly necessary for organizations to establish clear policies that align their IT, information security, healthcare technology management, and procurement teams.

The Facts:

• Nearly all organizations report proper disposal of Protected Health Information (PHI)-containing assets.

• Only 50% of small and 60% of midsize organizations use RFID/RTLS technology to identify and track assets.

6. Network Management

Key Finding: Most organizations have network access control (NAC) solutions to monitor devices connecting to their networks; however, less than half of small organizations use network segmentation to control the spread of infections.

The Facts:

• Large organizations are more likely to have a single, enterprise-wide wireless infrastructure.

• Small and midsize organizations are more likely to deploy multiple discrete networks for different purposes.

Recommendation: Small organizations should prioritize network segmentation to isolate the impact of an attack.

7. Vulnerability Management

Key Finding: Large organizations report more sophisticated and frequent vulnerability scanning and application testing. Small organizations more frequently turn to penetration testing to identify vulnerabilities.

The Facts:

• 90% of large organizations and 60% of small and midsize organizations run vulnerability scans at least quarterly.

Recommendation: Penetration testing should be standard practice for large organizations, though small organizations are the most likely to perform general penetration or wireless penetration tests at least once a quarter.

8. Incident Response

Key Finding: Most organizations have an incident-response plan in place and participate in an information-sharing and analysis organization (ISAO); only half of organizations conduct an annual enterprise-wide exercise to test their plan.

The Facts:

• Large organizations are most likely to participate with the Health Information Sharing and Analysis Center (H-ISAC).

• Small organizations are more likely to look to nearby HIE partners rather than national ISAOs.

Recommendation: Organizations of all sizes should have an incident-response plan outlining policies and practices for quickly and efficiently isolating and mitigating adverse security events. These plans should involve all applicable hospital departments and include guidelines for proper notification should a breach occur.

9. Medical Device Security

Key Finding: Medical device security remains a top concern for organizations as they weigh patient safety risks. Strong cybersecurity practices in other areas often support their medical-device-security programs.

The Facts:

Top medical-device-security struggles

• Out-of-date operating systems that organizations cannot patch.

• A lack of asset and inventory visibility due to insufficient tools and the large number of devices that must be secured.

Recommendation: Use specific applications of technologies already mentioned, such as endpoint protection, IAM, asset management, network management, and vulnerability management, to secure medical devices.

10. Cybersecurity Policies

Key Finding: Small organizations are less likely to utilize cybersecurity policies such as a dedicated chief information security officer (CISO), board-level committees and governance, risk management and compliance (GRC) committees, and bring-your-own-device (BYOD) management.

The Facts:

• Small and medium organizations are nearly four times as likely to lack a CISO at their organization compared to large organizations.

• Nearly half of medium and large organizations have cybersecurity as a topic at board meetings at least quarterly.

• Most organizations have a governance, risk, and compliance (GRC) committee in place.

• Less than half of organizations (and fewer than one in five small organizations) have a board-level committee overseeing their cybersecurity program.

Recommendation: Organizations’ overall security policies should include the following elements:

• Proper classification of data.

• Definition of roles and responsibilities within the organization (including proper governance.)

• Employee education.

• Definition of acceptable data and tool usage.

• Definition of proper use of personal and employer-provided devices.

• Creation of a cyberattack response plan.