Three Cybersecurity Considerations for Healthcare in 2020

12.12.19 | Blog, Featured, Industry Best Practices

By David Finn, CISA, CISM, CRISC
EVP, Strategic Innovation

At the end of the year, we all want to look ahead to what we hope will be a better one. 2019 was a rough year for cybersecurity in healthcare. In July alone, the federal government reported that more than 22 million people had data exposed in healthcare breaches; at that pace over a full year, the count would approach the entire population of the United States. Who could blame anyone for wanting to look ahead to a better year?

Third-party Vendor Risks

Peter Drucker once said, “You can’t manage what you can’t measure,” and that will apply directly to security in 2020. Last year the newest version of the NIST Cybersecurity Framework (v1.1) was released, and for the first time it addresses supply chain and third-party risk. Assessments done in 2019 bear out Drucker’s point: now that supply chain is being scored, even organizations that were fairly mature on the rest of the NIST CSF turn out to be lagging in that area, which is nothing new. The 2014 Target breach, which began with credentials stolen from a third-party HVAC vendor, should have gotten everyone’s attention, but apparently it did not. At least we are measuring it now, so hopefully we will be able to manage and improve our third-party vendor risks.

Looking forward sometimes requires looking back, so how bad was this issue in 2019?

According to a report issued by Ponemon and Censinet this summer, third-party vendor risk management costs about $3.8 million per provider annually, largely because the sector struggles to properly assess and remediate vendor risk. Unfortunately, measuring the risk does not always lead to better management of it. The report found that among organizations that do assess vendors, the security gaps those assessments uncovered were often not addressed afterward. When respondents were asked what they would do if a vendor’s actions put the organization at risk, only one-third said they would mitigate or remediate the vulnerability, and just 28 percent would terminate the relationship with the vendor.

Medical Device Vulnerabilities

Another big issue that will continue to be a concern is the security of medical devices. Medical device security was thrust into the spotlight in 2018 as the Food and Drug Administration (FDA) continued to enhance and expand its cybersecurity program. Before the FDA published Postmarket Management of Cybersecurity in Medical Devices in December 2016, device vulnerability advisories were issued at a rate of 0.95 per month. After the guidance was released, the rate rose to 4.52 per month, almost five times the earlier figure.

A separate 2017 study sponsored by Synopsys and conducted independently by the Ponemon Institute found that 67 percent of medical device makers believed their devices were likely to be attacked in the next 12 months, but only 17 percent were taking any significant steps to prevent such attacks.

Even if increased vulnerability reporting is a sign that progress is being made, and disclosing your issues is a positive in security, the numbers need to be put in perspective for this industry. There were about 931,000 hospital beds in the U.S. in 2017, with 10 to 15 connected devices per bed. That is roughly 9 to 14 million connected devices, and a lot of vulnerabilities. Happy New Year!

The Growing Threat of Ransomware

Ransomware took a significant uptick in 2019, particularly in the healthcare industry. In the first 10 months of 2019, 140 local governments, police stations and hospitals were held hostage by ransomware attacks. In September a California provider was forced to close because it could no longer access its medical records, and in October three hospitals in Alabama had to turn away patients because of ransomware. Sadly, the industry should not expect any decline in ransomware in 2020.

Healthcare has largely held the status quo in security for several years: IT security budgets have been flat since 2016. As a share of hospital and health system IT budgets, cybersecurity has risen to about 6 percent of total annual IT spend for calendar year 2020. That remains far below the average for other regulated industries such as finance, where it runs around 15 percent. Physician organizations and groups, on the other hand, report a decrease in actual cybersecurity spending, with less than one percent of their IT budgets earmarked for cybersecurity in 2020.

We have seen a dramatic rise over time in successful attacks by a variety of adversaries, ranging from criminals to hackers backed by nation-states. That is a further indicator of how attractive and how vulnerable healthcare is as a target. Sadly, the sector remains highly susceptible to continuing breaches, and that is not likely to change next year.

Making matters worse, budget constraints will limit staffing and the ability to replace legacy software and devices. That leaves organizations even more susceptible to attack, and in the coming year it will become harder for hospitals and health systems to justify investment in areas that do not directly produce revenue.

Looking Ahead

2020 still offers the hope and promise of redoubling our efforts and focusing on our organizations’ prioritized risks. What if you started doing vendor assessments before acquisition instead of only after the product or service was paid for and deployed? What if you did the same with medical devices and built security terms into the contract? What if you trained and retrained the workforce on ransomware and other current threats? The old saying goes, “time is money,” but what if you had more time than money? Let us make the most of the currency we have and move the dial in the year ahead through better planning, more purposeful contractual arrangements, and comprehensive training. After all, hindsight is 20/20, especially when it comes to cybersecurity.


This article originally appeared in healthcarebusinesstoday.com.

David Finn, CISA, CISM, CRISC

EVP, Strategic Innovation
CynergisTek, Inc.

David Finn is the Executive Vice President of Strategic Innovation at CynergisTek. He has been involved in leading the planning, management, and control of enterprise-wide, mission-critical information technology and business processes for more than 30 years. His unique experience in risk management and control objectives of technology (including audit, security, and privacy) allows him a distinctive perspective in the design and implementation of business applications and the processes that the technology must support. David is focused on using technology as an enabler of operating efficiency and deriving business value through the optimization and control of technology. He is known for creatively engaging all types of audiences, conveying messages that even change-resistant users listen to and remember. He serves on the Editorial Advisory Board for Health Management Technology.

Copyright 2023 CHIME College of Healthcare Information Management Executives