How Healthcare Cybersecurity Benchmarking Can Help Sector Enhance Security Efforts

Published January 18, 2023; updated March 26, 2023. Filed under News.

Healthcare cybersecurity benchmarking can help health IT experts establish cybersecurity program goals and improve decision-making, a new survey from Censinet and Ponemon Institute suggests.

Healthcare cybersecurity benchmarking data can help health IT experts make data-driven decisions, evaluate program effectiveness, and improve their organization’s overall security posture, a new report commissioned by Censinet and conducted by Ponemon Institute suggested.

Ponemon Institute surveyed 579 IT and IT security professionals at healthcare organizations, asking them a series of questions about the value of cybersecurity benchmarking and their experiences with ransomware attacks.

As ransomware increasingly becomes recognized as a patient safety issue, healthcare organizations need to make informed, risk-based security decisions more than ever. The report suggests that peer benchmarking is a key step toward helping the sector mitigate risk effectively.

Nearly half of respondents reported experiencing a ransomware attack in the past two years. The survey results supported existing data that show an increase in third-party data breaches and ransomware attacks, as well as a hike in ransomware payment demands.

The survey results also raised concerns surrounding the impact of ransomware attacks on patient care. It is difficult to quantify exactly how ransomware attacks impact patient care, but it is clear from the survey results that respondents believe that ransomware has direct impacts on patient outcomes.

For example, 53 percent of respondents whose organizations experienced a ransomware attack said that it resulted in a disruption to patient care.

It is clear that the sector is coming to terms with the fact that cyberattacks have the potential to lead to care disruptions and adverse patient outcomes, rather than just financial losses. In November 2022, Senate Select Committee on Intelligence Chairman Mark R. Warner (D-VA) released a policy options paper entitled “Cybersecurity is Patient Safety,” which brought significant national attention to healthcare cybersecurity.

As the healthcare sector continues to suffer the impacts of ransomware, patient safety must remain a top priority.

Benchmarking can provide valuable insights as healthcare organizations continue to strive to improve patient safety and reduce cyber risk.

When asked about the value of using benchmarks to determine the amount of resources and funds to allocate to cybersecurity, 60 percent of respondents said that they are “valuable” or “very valuable.”

In addition, 61 percent of respondents said that benchmarking was valuable when demonstrating cybersecurity framework compliance, and just over half of respondents championed benchmarking’s capability to improve cybersecurity programs.

What’s more, nearly 70 percent of respondents pointed to benchmarking as a useful tool in making a business case for hiring additional cybersecurity staff and purchasing new technologies. Respondents also reported the usefulness of benchmarking in establishing cybersecurity program goals and recovering from ransomware attacks.

Establishing security benchmarks is increasingly becoming a priority for the healthcare sector, as exemplified by some recent efforts. For example, Censinet, along with the American Hospital Association (AHA) and KLAS Research, recently announced plans to conduct “The Healthcare Cybersecurity Benchmarking Study.”

The study is enrolling hospital and health system participants and aims to assess key operational cyber metrics, cyber maturity, and coverage of the NIST Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP).

The anonymized, aggregated datasets will ideally provide participating healthcare organizations with much-needed benchmarking data and insight into key cybersecurity metrics across the sector.

In October, the Medical Device Innovation Consortium (MDIC) released its first medical device security maturity benchmarking tool and report, aimed at measuring medical device manufacturer (MDM) security maturity. MDIC plans to publish the report annually, and MDMs can use the tool and report to measure their own maturity in the future.

Benchmarking data can be extremely valuable in helping healthcare organizations evaluate their security postures, compare themselves to peers, and improve the sector’s security efforts as a whole.