Research from information security provider CynergisTek revealed that only 44% of hospitals and health care providers are following the security protocols outlined by the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). The research, “Moving Forward: Setting the Direction,” highlighted that health care supply chain security is one of the lowest ranked areas for NIST CSF conformance.
According to the research, the main factors affecting health care security include poor security planning, lack of organizational focus, inadequate reporting structures and funding, confusion around priorities, lack of necessary staff, and no clear planning. In addition, large health care organizations with high security budgets did not perform well in maintaining their cybersecurity posture; they performed worse than smaller organizations that invested less in security.
“Health care is still behind the curve on security. While health care’s focus on information security has increased over the last 15 years, investment is still lagging. In the age of remote working and an attack surface that has exponentially grown, simply maintaining a security status quo will not cut it. The good news is that issues emerging in our assessments are largely addressable. The bad news is that it is going to require investment in an industry still struggling with financial losses from COVID-19,” said David Finn, EVP of Strategic Innovation at CynergisTek.
“Health care organizations continue to enhance and improve their programs year-over-year. The problem is they are not investing fast enough relative to an innovative and well-resourced adversary. Organizations — that have invested in their programs and had regular risk assessments, devised a plan, addressed prioritized issues stemming from the assessments and leveraged proven strategies like hiring the right staff and evidence-based tools — have seen significant improvements to their NIST CSF conformance scores,” said Caleb Barlow, president and CEO of CynergisTek.
Health Care Devices at Risk
Most health care organizations in the U.S. are running their medical devices on outdated operating systems, leaving them vulnerable to cyberattacks. According to research from Atlas VPN, 83% of health care providers in the U.S. are running outdated software. Of the 1.2 million IoT devices used in thousands of health care organizations across the U.S., 56% were still running the Windows 7 operating system, for which Microsoft discontinued support in January 2020.