Did your Healthcare Organization Get Better at Cybersecurity Yesterday?
Episode 1513rd August 2021 • This Week Health: Newsroom • This Week Health
00:00:00 00:08:28

Transcripts

 This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

  Today in Health It, A new report indicates that 78% of healthcare systems failed in securing their supply chains. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week in Health IT a channel dedicated to keeping health IT staff current. And engaged. I want to thank our sponsor for today's Sirius Healthcare.

They reached out about this time last year and said, we love what you're doing. Really appreciate your mission to develop the next generation of health leaders. The rest is history, as they say. If you believe in our mission and wanna support the show as they do, please shoot me a note at partner at this week in health it.com.

All right. Here is today's story. Today's story comes from the healthcare innovation group. Site and they do a story on Synergistics Annual report finds two thirds of health systems failing at cybersecurity preparation. Let me give you a couple of excerpts here. US hospitals and health systems are woefully unprepared for intensifying cybersecurity threats facing them.

The annual report. Of the Austin, Texas based synergistic consulting firm has found in their fourth annual report on the state of US Health system cybersecurity preparedness, entitled Maturity Paradox, new World, new Threats, new Focus. Found in their analysis that fully I. 64% of organizations were below an 80% level of preparedness.

A press release published to the company's website on July 27th stated that most hospitals critically lack the ability to secure their supply chain systems for the report. Synergistic professionals reviewed just under 100 assessments of healthcare providers across . The healthcare system, including hospitals, physician practices, accountable care organizations, and business associate organizations.

These assessments measure organization's security posture against the National Institute of Standards and Technology Cybersecurity Framework, otherwise known as nist, CSF. Further noted assessments were categorized into two cohorts, high performers with N conformance scores above 80%. And low performers with conformance below 80%.

Synergistics:

Even then, only slightly. While that is progress, it isn't the progress the industry needs to shore up defenses. Investing in security in the long run is often ultimately more cost effective than paying the recent exorbitant ransoms. I'm gonna keep going in this story. I. , but keep in mind that it's done by a cybersecurity consulting firm.

So it's partially annual report, partially a marketing piece. The reason I cover it is it's not wrong. So this is an important topic and this is their findings. So I'm gonna go ahead and cover it, even though it is a marketing survey. So always keep that in mind. David Finn is their EVP at Synergist sec.

He ended up . Talking with Mark Haglund, who is the editor in chief of the Healthcare Innovation Group Journal, and here's some of the back and forth. David Finn says, the issues I would call out would include asset management. If you don't know what you have, where it is, you're not going to do well. It's the first step in this framework to know that 73% of our customers are failing to meet.

That is not a good start, and because of what happened last year, NIST added supply chain risk management about three years ago, and we've been doing supply chain risk assessments for a while. So 11 of our 78 customers achieved a score of 3.0. Out of five, meaning that they're actually beginning to do it.

It's kind of like a C grade and only 11 of the 78 achieve that. Everyone else got a D or F grade on that. He asked the question, what are the key things from the report? And it gives a couple things. First here is that security is something that needs to be taken seriously. I think we all know that, but that is one of the first things.

And the second is the bad guys are moving faster and smarter, and he goes on to note that healthcare organizations don't have excess money and they have one of the most complicated supply chains anywhere. And organizations need to start uncomplicating their supply chains. People need to think about the supply chain, not as an adjunct to their business, but as an integral part of the business.

I'm gonna go over to their actual press release. He has a handful of recommendations. Treat security as a journey, not a destination. Cybersecurity preparedness is a long-term initiative that requires consistent attention and proactive action. To match the latest threats, given the current trends as well as the data revealed in the report.

Healthcare organizations need to focus on the following. Number one, perform exercises and drills at the enterprise level, testing all components of the business. Okay. Number two, prioritize securing the supply chain. cssa puts it, the supply chain is only as strong as the weakest link. As demonstrated in this year's findings, supply chains present a potential vulnerability.

Number three, the key words are automate and validate. Automating security functions and validating technical controls for people. And processes are foundational in any solid security. Security automation can detect, investigate, and even. Remediate cyber events and threats in near real time. And number four, double down on organizational awareness and training.

People are organizing first and last lines of defense, and despite the industry's overall year over year improvement in cybersecurity, posture, awareness and training remain an alarmingly unaddressed portion of the company's strategy. All right, so that is the story for today. So let's get to the So what on this?

My so what is essentially, he's not wrong. The findings show what they show. If we can't identify what equipment we have in our environment, we are going to fail every time. If we don't. Uh, recognize the breadth of the area that we need to secure. We're going to fail. And my, so what is really pretty simple on this, you either know what to do or you don't know what to do, and you know what your posture is as an organization.

So there's five key elements. Identify, protect, detect, respond, and recover. We've talked about this several times on the show with professionals. Now is not the time to skimp on cybersecurity. If you . Are sitting there and you're saying, okay, you're not telling me anything I don't already know. I just don't know what to do.

Contact someone who does, could be synergistic, could be serious computer, could be CrowdStrike, could be any number of organizations, but if you are sitting there and you are sort of stuck and don't know what to do. Get outside help. There are consulting organizations. There are your peers, contact your peers and say, Hey, we, we would love to hear what you're doing around cybersecurity.

We are struggling. Get your organization together with another organization. I've actually facilitated some of these sessions where we get cybersecurity professionals from two or three organizations together. They share what they're doing. They learn from each other and they grow in that way. There's a lot of ways to do this that aren't gonna break the bank.

And depending on what your posture is today, you know where you're at. Identify a way to get better, better every day, because the bad guys are moving faster and smarter. They're getting better every day, so we must get better every day. All right, that's all for today. If you know of someone that might benefit from our channel, please forward them a note.

They can subscribe on our website this week, health.com, or wherever you listen to podcasts. Apple, Google Overcast, Spotify, Stitcher. You get the picture. We are everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, VMware Hillrom, Starbridge Advisors, McAfee and Aruba Networks.

Thanks for listening. That's all for now.

Chapters

Video

More from YouTube