Health systems are increasingly reactive—rather than proactive—when it comes to cybersecurity threats, an April study from Censinet, KLAS Research, and the American Hospital Association (AHA) found.
The study, which analyzed responses from 48 healthcare organizations of varying sizes, assessed how well the industry aligned with National Institute of Standards and Technology (NIST) and Health Industry Cybersecurity Practices (HICP) guidelines.
The metrics assessed include identifying, responding to, and recovering from cybersecurity incidents.
While healthcare organizations showed strong email system protections, they lagged behind when it came to medical device cybersecurity safeguards, per the study. There have been at least 123 data breaches at healthcare providers in 2023 so far, according to data from the Department of Health and Human Services.
“The Healthcare Cybersecurity Benchmarking Study initiative provides critical intelligence to help guide our fight against those who directly threaten hospital operations and patient care,” AHA National Advisor for Cybersecurity and Risk John Riggi said in a statement.
More than half of the organizations surveyed reported 100% coverage on most of the HICP metrics falling under email system protections, according to the study.
Email phishing scams are one of the common ways that “bad actors” get past a health system’s security in a ransomware attack, cyber-risk monitoring platform Black Kite Chief Security Officer Bob Maley told Healthcare Brew in March.
Average cybersecurity coverage on medical devices, on the other hand, was just 54%, representing an “industry-wide vulnerability,” according to the study. The FDA released guidance in March requiring manufacturers of all new medical devices to “monitor, identify, and address” cybersecurity vulnerabilities.
Preventing a cybersecurity attack, which can cost health systems an average of $10 million, can be easier than recovering from one, Maley said.
One of the best ways that healthcare organizations can be prepared is by having immutable backups available, Maley added. An immutable backup is a copy of an organization’s data that can’t be deleted or modified, so an organization can easily restore its data following an attack.
“If you’re not prepared for [a cyberattack], there really is no recovering from it,” Maley said.