Higher NIST CSF and HICP Coverage Linked with Lower Cyber Insurance Premium Growth

Adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks and the reduced risk is reflected in cyber insurance premiums. A recent Healthcare Cybersecurity Benchmarking Study has confirmed that healthcare organizations that have adopted the NIST CSF had lower annual increases in their cyber insurance premiums than healthcare organizations that have not adopted the NIST CSF.

The study was the result of a collaboration between Censinet, KLAS Research, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council and was conducted on 54 payer and provider organizations and 4 healthcare vendors in Q4 2023. Adoption of the NIST CSF indicates a higher level of preparedness and resiliency and therefore lower risk for insurers. Healthcare organizations that use the NIST CSF as their primary cybersecurity framework reported premium increases (6%) that were one-third of those reported by organizations that have not adopted the NIST CSF (18%).

The report assesses cybersecurity coverage, specifically coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and reveals that little has changed in the past 12 months, with average NIST CSF coverage increasing from 69% in 2023 to 72% in 2024, and average HICP coverage increasing from 71% in 2023 to 73% in 2024. Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranged from 65% to 75%, with the lowest coverage in the identify function and the highest in the respond function. This indicates that most healthcare organizations that participated in the study were generally more reactive than proactive in their approach to cybersecurity. Out of all categories within the NIST CSF, supply chain risk management (identify) had the lowest coverage, which is concerning given the number of third-party data breaches in healthcare. The study revealed this to be a key consideration for insurers when setting premium increases: higher coverage of supply chain risk management was associated with smaller increases in cyber insurance premiums.

Average HICP coverage was better, with most organizations having email protection systems (84%) and cybersecurity oversight and governance (83%) in place, but there was only 50% coverage of medical device security and 60% coverage of data protection/loss prevention. A total of 25 healthcare delivery organizations also participated in last year’s benchmarking study, and their average NIST CSF and HICP coverage was higher than that of other provider and payer organizations. Those repeat organizations also had lower increases in their cyber insurance premiums than other healthcare organizations, on average.

The benchmarking studies have confirmed that high program ownership by information security leaders leads to higher cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was between 71% and 72%, but organizations that assign information security leaders higher percentages of program ownership achieved above-average cybersecurity coverage, especially in the HICP areas of endpoint protection systems and data protection/loss prevention.

“For the second year in a row, the Benchmarking Study sets the highest standard for collaborative, impartial, and transparent insight into the current state of the health sector’s cyber maturity, and, more importantly, enables providers and payers to make more informed investment decisions to close critical gaps in controls and elevate overall cybersecurity program preparedness,” said Steve Low, President of KLAS Research.

“With comprehensive benchmarks across ‘recognized security practices’ like NIST CSF and HICP, the Benchmarking Study will drive greater, more enduring cybersecurity maturity and resilience across both our Health-ISAC member community and the broader health sector,” said Errol Weiss, Chief Security Officer of Health-ISAC.

The post Higher NIST CSF and HICP Coverage Linked with Lower Cyber Insurance Premium Growth appeared first on HIPAA Journal.

HSCC Releases 5-Year Strategic Plan for Improving Healthcare Cybersecurity

Healthcare cyberattacks are increasing each year in number and severity. In 2023, almost 740 healthcare data breaches were reported to the HHS’ Office for Civil Rights, and those breaches affected more than 136 million individuals, breaking previous records for both the number of data breaches and the individuals affected. It is clear that cybersecurity in healthcare is in a critical state and if nothing changes, more unwanted records will be broken in 2024.

The Health Sector Coordinating Council (HSCC), a public-private coalition that represents 425 healthcare industry entities and government agencies, recently unveiled a 5-year strategic plan for the healthcare and public health sector at the ViVE 2024 conference. HSCC explained that cyberattacks and data breaches are occurring due to the increasingly connected and remote use of digital health technology, the widely distributed portability of health data, and shortages of qualified healthcare cybersecurity professionals. The sprawl and increased complexity of the connected healthcare ecosystem create risks such as unanticipated and poorly understood interdependencies; unknown inherited security weaknesses; overreliance on vendor solutions; systems that fail to adequately account for human factors related to cybersecurity controls; and inconsistencies between software and equipment lifecycles. Hackers are finding it far too easy to exploit the resulting vulnerabilities.

The Health Industry Cybersecurity Strategic Plan (HIC-SP) aims to improve healthcare cybersecurity from the current critical status to stable by 2029. HSCC explained that the cybersecurity status of the healthcare industry was rated critical in 2017 when the Health Care Industry Cybersecurity Task Force issued a report on improving cybersecurity in the healthcare industry. The HIC-SP builds on the recommendations made in the report and aims to improve healthcare cybersecurity through the implementation of foundational cybersecurity programs that address the operational, technological, and governance challenges posed by significant healthcare industry trends over the next five years.

HSCC has worked to establish current industry trends that are likely to continue over the next 5 years, determined their likely impact on healthcare cybersecurity, and made recommendations for proactively addressing those trends. The sector is likely to continue to incorporate emerging technologies, is unlikely to address current workforce and management challenges, and there is likely to be continued instability in the healthcare supply chain. The HIC-SP assesses how these and other trends may present continuous or emerging cybersecurity challenges, and recommendations are made on how the healthcare sector and government should prepare for those changes with broad cybersecurity principles and specific actions.

The aim is to provide C-Suite executives with actionable and measurable risk reduction activities based on the current cybersecurity landscape and projected industry trends. Healthcare security decision-makers can use the HIC-SP to inform decisions about cybersecurity investments and the implementation of specific cybersecurity measures, and since the HIC-SP is modular, organizations can use it to identify high-level goals and implement objectives to address the areas in most need of attention.

The HSCC says the HIC-SP complements other efforts to improve healthcare cybersecurity, such as the HHS’ Healthcare Sector Cybersecurity Strategy published in December 2023 and the voluntary healthcare cybersecurity performance goals announced by the HHS in January. Together with its government partners, the HSCC Cybersecurity Working Group will work to achieve the goals of the plan through education and policy incentives, and it plans to release a set of measurable outcomes and metrics for success by the end of the year. By 2029, it is hoped that healthcare cybersecurity will have become as ingrained as a public health and patient safety standard.

The post HSCC Releases 5-Year Strategic Plan for Improving Healthcare Cybersecurity appeared first on HIPAA Journal.