Over 75% of healthcare providers have failed to adequately protect their supply chains against cybersecurity attacks
Supply chain security low across 76% of healthcare systems: survey
August 05, 2021
by John R. Fischer, Senior Reporter
More than 75% of healthcare systems lack appropriate security measures for protecting their supply chains.
That’s what CynergisTek found in its fourth annual report, Maturity Paradox: New World, New Threats, New Focus, which looked at close to 100 assessments for security and privacy issues among hospitals, physician practices, accountable care organizations and business associates.
Each organization’s security measures were evaluated against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), published in 2014 to protect American critical infrastructure. High performers had NIST conformance scores over 80%, while low performers had scores under 80%. For cybersecurity preparedness, 64% were below 80%. While the report found that 75% continued to improve in planning and preparedness, investing in security was low, despite it being the most cost-effective measure for avoiding exorbitant ransoms.
"Financial pressures impact organizations' ability to apply the appropriate resources to assess, manage, and accept the risk of a third party that will process or store their Protected Health Information. In some cases, hospitals and health systems have hundreds, if not thousands of third parties to assess. The majority must look to a managed services provider to augment the process or fill in the gaps," David Bailey, VP of healthcare services at CynergisTek, told HCB News.
Supply chain management was the second lowest-scoring metric and the least mature category assessed, with even high performers scoring 2.7 out of five. This indicates a universal challenge among companies in identifying and addressing supply chain risks. Only 23% passed, barely, on supply chain security, with an acceptable score above three. In addition, about half of organizations are not training and informing end users regarding security on an ongoing basis.
The responsibility of ensuring patient care is protected against cyberattacks falls on the shoulders of stakeholders, C-suite, IT managers and anyone involved in protecting the healthcare system, according to CynergisTek. It says that healthcare organizations are finding it challenging to validate whether third-party partners are meeting contractual security obligations and need to dedicate more time and resources to supply chain security. To do this, it recommends:
"Lack of third-party security risk acceptance can create critical operational and financial impacts to a hospital in the event of a cyber incident or ransomware attack," said Bailey. "The ability of the third party to respond to and recover from the incident and return the hospital to normal operations may be limited, based on the size of the vendor, contractual service level agreements and impact to larger multi-customer outages. Lastly, hospitals may bear a financial burden due to a breach or incident caused by the third-party from regulatory fines or reputational loss, to patient confidence, and even potential litigation based on the cause and impact of the incident."
That’s what CynergisTek found in its fourth annual report, Maturity Paradox: New World, New Threats, New Focus, which looked at close to 100 assessments for security and privacy issues among hospitals, physician practices, accountable care organizations and business associates.
Each organization’s security measures were evaluated against the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF), published in 2014 to protect American critical infrastructure. High performers had NIST conformance scores over 80%, while low performers had scores under 80%. For cybersecurity preparedness, 64% were below 80%. While the report found that 75% continued to improve in planning and preparedness, investing in security was low, despite it being the most cost-effective measure for avoiding exorbitant ransoms.
"Financial pressures impact organizations' ability to apply the appropriate resources to assess, manage, and accept the risk of a third party that will process or store their Protected Health Information. In some cases, hospitals and health systems have hundreds, if not thousands of third parties to assess. The majority must look to a managed services provider to augment the process or fill in the gaps," David Bailey, VP of healthcare services at CynergisTek, told HCB News.
Supply chain management was the second lowest-scoring metric and the least mature category assessed, with even high performers scoring 2.7 out of five. This indicates a universal challenge among companies in identifying and addressing supply chain risks. Only 23% passed, barely, on supply chain security, with an acceptable score above three. In addition, about half of organizations are not training and informing end users regarding security on an ongoing basis.
The responsibility of ensuring patient care is protected against cyberattacks falls on the shoulders of stakeholders, C-suite, IT managers and anyone involved in protecting the healthcare system, according to CynergisTek. It says that healthcare organizations are finding it challenging to validate whether third-party partners are meeting contractual security obligations and need to dedicate more time and resources to supply chain security. To do this, it recommends:
- Performing exercises and drills at the enterprise level and testing all business components to build out a playbook for such incidents
- Assess current investments and come up with a plan of action to quickly decrease the vulnerabilities posed by supply chains
- Automate security functions and validate technical controls for people and processes crucial to security
- Train end users, C-Suite executives, board members, third-party vendors and partners about their roles in cybersecurity preparedness
"Lack of third-party security risk acceptance can create critical operational and financial impacts to a hospital in the event of a cyber incident or ransomware attack," said Bailey. "The ability of the third party to respond to and recover from the incident and return the hospital to normal operations may be limited, based on the size of the vendor, contractual service level agreements and impact to larger multi-customer outages. Lastly, hospitals may bear a financial burden due to a breach or incident caused by the third-party from regulatory fines or reputational loss, to patient confidence, and even potential litigation based on the cause and impact of the incident."