New Report Reveals Only 44% of Healthcare Institutions Meet National Standards on Cybersecurity

CynergisTek’s Annual Report Lifts the Veil on Healthcare System and the State of Cybersecurity Distress; Supply Chain Proves to be Major Vulnerability

AUSTIN, TX (September 17, 2020) – Today, CynergisTek, a leading cybersecurity firm helping more than 1,000 hospitals navigate emerging security and privacy issues, released their new annual report, “Moving Forward: Setting the Direction.” The third annual report revealed that only 44 percent of providers across the continuum, including hospital and health systems, conformed to protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) – with scores in some cases trending backwards since 2017.

Analysts examined nearly 300 assessments of providers across the continuum, including hospitals, physician practices, ACOs and Business Associates assessed by CynergisTek against the NIST CSF.

The report also found that healthcare supply chain security is one of the lowest ranked areas for NIST CSF conformance. This is a critical weakness, given that COVID-19 demonstrated just how broken the healthcare supply chain really is with providers buying PPE from unvetted suppliers

CynergisTek’s report revealed bigger healthcare institutions with bigger budgets didn’t necessarily perform better when it comes to security, and in some cases, performed worse than smaller organizations or those that invested less. In some cases, this was a direct result of consolidation where systems directly connect to newly-acquired hospitals without first shoring up their security posture and conducting a compromise assessment.

Leading factors influencing performance include poor security planning and lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of staff and no clear plan.

To overcome these challenges, key strategies to bolster healthcare security and achieve success include:

  • Look under the hood at security and privacy amid mergers and acquisitions: For health systems planning to integrate new organizations into the fold through mergers and acquisitions, leadership should look under the hood and be more diligent when examining the organization’s security and privacy infrastructure, measures and performance. It’s important to understand their books and revenue streams as well as their potential security risks and gaps to prevent these issues from becoming liabilities.
  • Make security an enterprise priority: While other sectors like finance and aerospace have treated security as an enterprise-level priority, healthcare must also make this kind of commitment. Understanding how these risks tie to the bigger picture will help an organization that thinks it cannot afford to invest in privacy and information security risk management activities understand why making such an investment is crucial. Hospitals and healthcare organizations should create collaborative, cross-functional task forces like enterprise response teams, which offer other business units an eye-opening look into how security and privacy touch all parts of the business including financial, HR, and more.
  • Money isn’t a solution: Just throwing money at a problem doesn’t work. Security leaders need to identify priorities and have a plan which leverages talent, tried and true strategies like multi-factor authentication, privileged access management and on-going staff training to truly up level their defenses and take a more holistic approach, especially when bringing on new services such as telehealth.
  • Accelerate the move to cloud: While healthcare has traditionally been slow to adopt the cloud, these solutions provide the agility and scalability that can help leaders cope with situations like COVID-19, and other crises more effectively.
  • Shore up security posture: We frequently learn the hard way that security can disrupt workflow. COVID-19 taught us that workflow can also disrupt security and things are going to get worse before getting better. Get an assessment quickly to determine immediate needs and coming up with a game plan to bolster defenses needed in this next normal.

About Methodology

CynergisTek’s Annual Report and the rankings are based on aggregating maturity ratings of nearly 300 security risk assessments performed by CynergisTek in 2019, using the NIST Cyber Security Framework as the benchmark standard.  Based on those assessments and using a six-point scale (using 0 – 5, with 0 – Incomplete to 5 – Optimized Process), the team examined if processes were in place to meet desired outcomes and continuously improved to achieve current and projected goals. All of the subjects of this analysis were also measured against the HIPAA Security Rule. CynergisTek calculated the national average of the nearly 300 assessments, which accounts for providers across the entire continuum of care including Business Associates, Critical Access Hospitals, and Academic Medical Centers, Health Systems, Physician Groups and Payers.

About CynergisTek

CynergisTek is a top-ranked cybersecurity firm dedicated to serving the information assurance needs of the healthcare industry. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. Since 2004, the company has served as a partner to hundreds of healthcare organizations and is dedicated to supporting and educating the industry by contributing to relevant industry associations. The company has been recognized by KLAS as a top-performing firm in healthcare cybersecurity and was awarded the 2019 Top Healthcare Cybersecurity Consultants in Black Book IT Advisory Outcomes Survey.


Media Contact:
Allison + Partners
Jaime Tero

September 17th, 2020|

About the Author: