Healthcare organizations are consistently lacking in their overall healthcare cybersecurity awareness, according to recent research from the Health Information Trust Alliance (HITRUST). Moreover, many facilities do not understand the effectiveness of deployed information security products. This was especially true when it came to emerging cyber threats.
HITRUST conducted a three-month review of its approach to healthcare cyber risk management, and found that this lack of cybersecurity awareness leads many facilities to “expend resources and rely heavily on indicators of compromise (IOCs) to determine if a breach or other suspicious cyber activity has already occurred while simultaneously updating rules and policies to block the IOCs.”
In order to create better overall awareness of the emerging healthcare cybersecurity threats, HITRUST explained that there needs to be a better understanding of how these security risks will affect individual environments. One way to improve this is with layered information security products that are deployed with custom configurations. Moreover, industry-specific applications, such as electronic health records (EHRs), could be beneficial.
There must also be a proactive model, rather than the reactive one that many healthcare organizations currently use to respond to cyber threats. If facilities can have real-time situational awareness and insights into the emerging cyber threats, they might be able to create better protections, according to HITRUST.
“Although we have made good progress in maturing our cyber risk management approach for industry, with significant improvements in information sharing, the real opportunity is to understand the emerging threats and model them against organization-specific defenses, configurations and applications,” HITRUST CEO Daniel Nutkis said in a statement.
HITRUST also established a set of eight requirements for healthcare organizations to follow in order to address the current cybersecurity needs. The requirements focus on proactive approaches to healthcare cybersecurity awareness, rather than reactive ones.
- There must be extensive visibility into current and emerging cyber threats, including previously unseen threats.
- The ability to evaluate the impact of these cyber threats against the actual security products installed in an organization’s environment will be beneficial.
- Organizations need the ability to implement multiple configurations per security product and evaluate against default and various tuned configurations.
- Facilities should be able to evaluate the effectiveness of various combinations of multiple security products and benchmark that over time.
- The ability to evaluate and assess the risks within minutes of identifying the cyber threat will be beneficial. Those affected should be notified, based on the deployed products and applications.
- Organizations need the ability to incorporate healthcare-specific applications, computer control applications for medical devices, and organization-specific applications into the evaluation.
- Facilities must be able to create best practices for product configurations.
- The ability to feed threat intelligence and knowledge about which threats are bypassing current countermeasures and security products into the HITRUST Cyber Threat Exchange will also be beneficial for prioritizing resources.
Greater collaboration is an increasingly common suggestion for improved healthcare cybersecurity awareness. Last month, the National Health Information Sharing & Analysis Center (NH-ISAC) and the Center for Internet Security (CIS) announced a strategic partnership to help create stronger healthcare cybersecurity measures.
Information sharing will be automated, Deborah Kobza, Founder and Executive Director/CEO of the NH-ISAC, told HealthITSecurity.com. She added that industries will be able to analyze threats, how those threats are impacting a sector, what countermeasure solutions are in place, and what type of coordinated response needs to happen.
The post HITRUST Finds Lack of Healthcare Cybersecurity Awareness appeared first on HealthITSecurity.com.