Adoption of the NIST CSF was correlated with lower cyber insurance premium increases, KLAS and partners found in the latest edition of the Healthcare Cybersecurity Benchmarking Study.
Surveyed healthcare organizations that used the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as their primary framework saw smaller cyber insurance premium increases than those that had not adopted the NIST CSF, the 2024 edition of the Healthcare Cybersecurity Benchmarking Study found.
The study is the result of an ongoing collaboration between healthcare risk management solutions company Censinet, KLAS Research, the American Hospital Association (AHA), and the Healthcare and Public Health Sector Coordinating Council (HSCC). These groups interviewed 54 payer and provider organizations and 4 healthcare vendors between September and December 2023 to gather data for the study.
In their examination of NIST CSF and Health Industry Cybersecurity Practices (HICP) adoption, Censinet, KLAS, and their partners found that healthcare provider and payer cybersecurity preparedness remained at roughly the same level as in the 2023 benchmarking study.
Once again, supply chain risk management remained the NIST CSF category with the lowest coverage, despite the prevalence of third-party data breaches in healthcare. What’s more, the study noted that higher coverage of supply chain risk management is associated with smaller increases in cyber insurance premiums.
Surveyed organizations that used the NIST CSF as their primary security framework saw a 6 percent increase in cyber insurance premiums, compared to an 18 percent increase among organizations that did not use the NIST CSF as their primary framework.
“Higher coverage within the NIST CSF categories related to cyber resiliency is especially correlated with lower increases in cybersecurity premiums,” the study stated.
“Focusing on these areas helps organizations mitigate the impact of breaches on patient care and safety and maintain business continuity.”
Though the survey responses were limited, the study made a compelling case for adopting leading industry frameworks like the NIST CSF and HICP. The findings are correlational: with 58 respondents, the study cannot show that framework adoption itself drives lower premiums, and organizations that adopt a framework may also differ in other ways that insurers price. Even so, adopting the practices championed in these frameworks can bolster an organization's security posture and may also help it save money on insurance premiums.
Year over year, repeat respondents saw improved coverage across all NIST CSF functions and HICP best practices. However, healthcare organizations still have considerable room for improvement, especially in the best practices around medical device security and data protection and loss prevention.
“Average coverage across the five NIST CSF functions shows that organizations are generally more reactive than proactive in their approach to cybersecurity, with the Identify function having the lowest coverage and the Respond function having the highest,” the study noted.
Additionally, the study observed a correlation between information security leaders having greater ownership of cybersecurity and higher coverage across the board. For example, despite the industry average coverage for the NIST CSF and HICP sitting at 70 to 71 percent, organizations that assigned information security leaders a higher percentage of program ownership saw above-average coverage levels.
“For the second year in a row, the Benchmarking Study sets the highest standard for collaborative, impartial, and transparent insight into the current state of the health sector’s cyber maturity, and, more importantly, enables providers and payers to make more informed investment decisions to close critical gaps in controls and elevate overall cybersecurity program preparedness,” said Steve Low, president of KLAS Research, in an accompanying press release.
This year's study and its future iterations should continue to shed light on the healthcare sector's security strengths and weaknesses.
“We deeply thank the 120+ organizations combined that have participated in the 2023 and 2024 Benchmarking Studies, and we applaud their dedication to our shared mission to protect patient care from escalating cyber threats – we are truly ‘stronger together’ in this fight, and the Benchmarking Study is a testament to the industry’s collaboration and commitment to strengthening cyber maturity and resiliency,” added Ed Gaudet, CEO and founder of Censinet.