
Risk management remains pain point for healthcare: Report

Healthcare is making strides in governance and response planning, but the sector has room to grow when it comes to risk management.

Risk management, maintenance of foundational security controls and supply chain risk management remain weak points in healthcare cybersecurity, even as the sector continues to make progress in other key areas, Fortified Health Security observed in its mid-year report.

The cybersecurity company analyzed rolling assessment data aligned to the National Institute of Standards and Technology (NIST) Cybersecurity Framework, collected from 2023 to the present, revealing areas of progress as well as critical gaps.

Healthcare makes strides in cybersecurity program maturity

Fortified Health Security's data showed signs of improvement and maturity in several NIST categories, including governance and response planning.

"Executive and board-level engagement in cybersecurity is at an all-time high. Leaders no longer treat cybersecurity as an afterthought; it's becoming a formal part of governance structures," the report stated.

"Across the industry, we've seen the establishment of dedicated committees focused on information security and privacy that include organizations previously disengaged. Even the most reluctant healthcare entities are launching their first governance bodies this year, signaling meaningful progress among longstanding holdouts."

In addition to improved governance, Fortified observed more organizations adopting NIST-based maturity assessments over HIPAA risk assessments. Healthcare organizations are also reportedly conducting additional tabletop exercises year-over-year, enabling better preparedness and response.

Identity and access management (IAM) is another area of significant improvement.

"While IAM remains a heavy lift, healthcare organizations are starting to make progress. Many are conducting discovery exercises to assess their readiness for comprehensive IAM solutions, uncovering common issues like outdated and overgrown Active Directory environments," the report noted.

"Despite the hurdles, many healthcare organizations are still actively discussing phased IAM strategies, a huge step forward for a historically neglected area."
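The "discovery exercise" the report mentions usually starts with a census of what an Active Directory forest actually contains. The script below is an added example written for this article, not code from Fortified's report; it assumes the RSAT ActiveDirectory PowerShell module, read access to the domain, and staleness thresholds (90 days for users, 180 for computers) that are assumptions to be tuned per environment. It pulls the four numbers an IAM readiness assessment typically needs first: stale but still-enabled users, stale computer objects, privileged group membership with nesting expanded, and accounts whose passwords never expire.

```powershell
# Added example (not from Fortified's report): first-pass Active Directory
# discovery for an "outdated and overgrown" AD environment.
# Requires the RSAT ActiveDirectory module; thresholds are assumptions.
Import-Module ActiveDirectory

$StaleUserDays     = 90
$StaleComputerDays = 180
$now               = Get-Date
$userCutoff        = $now.AddDays(-$StaleUserDays)
$computerCutoff    = $now.AddDays(-$StaleComputerDays)

# lastLogonTimestamp is replicated across DCs (unlike lastLogon) but can lag
# by up to 14 days, so it is adequate for discovery, not for precise audit.
function Convert-LastLogon {
    param([Int64]$FileTime)
    if (-not $FileTime) { return $null }   # attribute unset: never logged on
    return [DateTime]::FromFileTime($FileTime)
}

# 1. Enabled user accounts with no logon inside the threshold (or ever).
#    Filtering client-side keeps the never-logged-on case explicit.
$users = @(Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonTimestamp, PasswordLastSet, WhenCreated)
$staleUsers = @($users | ForEach-Object {
    $last = Convert-LastLogon $_.LastLogonTimestamp
    if (-not $last -or $last -lt $userCutoff) {
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            LastLogon       = $last
            PasswordLastSet = $_.PasswordLastSet
            Created         = $_.WhenCreated
        }
    }
})

# 2. Enabled computer objects that have gone quiet (decommissioned hosts).
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' `
    -Properties LastLogonTimestamp, OperatingSystem)
$staleComputers = @($computers | ForEach-Object {
    $last = Convert-LastLogon $_.LastLogonTimestamp
    if (-not $last -or $last -lt $computerCutoff) {
        [PSCustomObject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogon       = $last
        }
    }
})

# 3. Privileged group sprawl, nested groups expanded. Enterprise Admins and
#    Schema Admins exist only in the forest root, hence the try/catch.
$privGroups  = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$privMembers = @(foreach ($g in $privGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object @{n='Group';e={$g}}, SamAccountName, DistinguishedName
    } catch {
        Write-Warning "Could not enumerate ${g}: $($_.Exception.Message)"
    }
})

# 4. Enabled accounts whose password never expires (service accounts
#    masquerading as users are a common finding here).
$noExpiry = @(Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' |
    Select-Object SamAccountName, DistinguishedName)

# Summary for the readiness assessment; the CSVs feed the cleanup plan.
[PSCustomObject]@{
    EnabledUsers         = $users.Count
    StaleUsers           = $staleUsers.Count
    EnabledComputers     = $computers.Count
    StaleComputers       = $staleComputers.Count
    PrivilegedMembers    = $privMembers.Count
    PasswordNeverExpires = $noExpiry.Count
} | Format-List

$staleUsers     | Export-Csv -NoTypeInformation stale-users.csv
$staleComputers | Export-Csv -NoTypeInformation stale-computers.csv
$privMembers    | Export-Csv -NoTypeInformation privileged-members.csv
$noExpiry       | Export-Csv -NoTypeInformation password-never-expires.csv
```

Run it from a domain-joined host with an account that can read the directory; nothing here writes to AD. The ratio of stale to enabled objects, and the size of the privileged-member list, are what a phased IAM plan is sized against before any tooling is bought.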

Critical gaps remain

Despite noteworthy improvements, the healthcare sector remains vulnerable in several key security areas, Fortified suggested.

For example, the report found that most organizations still lack a unified approach to risk management. Decision-making challenges and unclear responsibilities make risk management inconsistent across many organizations.

Fortified identified supply chain risk management and asset management as two other areas for improvement. Organizations vary greatly in their third-party risk management program maturity, while asset management remains a "universal and foundational" challenge across the industry.

Maintaining foundational security controls should be prioritized to the same extent as new technology adoption, Fortified emphasized.

"Maintenance has shown improvement but remains a high-risk area. While cybersecurity investments are gaining more executive-level attention in the budget, funding often favors new technology over maintaining legacy systems," the report stated. "As a result, many organizations are left cobbling together outdated platforms on aging hardware."

Maintenance was the "most improved" category in Fortified's data, but it still carries one of the lowest overall scores.

"Healthcare cybersecurity has reached an inflection point," said Dan L. Dodson, CEO at Fortified. "We're seeing clear momentum in areas that have long been stagnant -- but it's not time to celebrate. The risks are still very real, and the consequences of inaction are becoming more severe."

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
