No CISO? Healthcare Orgs Stall on Best Practices


Lacking a CISO on staff is one of the top barriers holding back small and medium healthcare providers from adopting best practices for their cybersecurity programs. A recent survey found that small and medium healthcare providers are nearly four times as likely to lack a CISO as their larger healthcare counterparts. The report also noted that small and medium-sized providers are lagging on protective controls, risk management, and governance, among other cybersecurity priorities.

The KLAS CHIME white paper analyzed responses from the 600+ healthcare organizations that took part in the 2018 Healthcare’s Most Wired survey. It summarized the responses that relate to the “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients” recommendations, which the HHS Cybersecurity Act Task Group published in fall 2018.

Providers Lag on Prevention and Governance

While healthcare organizations of all sizes are implementing many of the HICP recommendations, smaller and mid-sized providers reported slower progress on those related to governance, risk management, and other cybersecurity priorities.

Key findings showed a slower adoption rate among smaller and medium-sized healthcare organizations in the following areas:

  • Email Security: “Email is the most common attack vector through which healthcare organizations are put at risk,” stated the report. Respondents at smaller organizations indicated they are not conducting phishing simulations at the same rate as their larger counterparts. Smaller providers are also less likely to use digital signatures to verify that email comes from a trusted source and has not been altered in transit.

  • Endpoint Security: According to the survey responses, most providers have implemented intrusion prevention and intrusion detection systems; however, 20% of small organizations still lack these protective controls.

  • Identity and Access Management: Only half of the smaller organizations reported having a multi-factor authentication solution in place today.

  • Network Management: Fewer than half of small organizations reported that they are segmenting their networks today.

  • CISO: Another statistic from the report suggests that governance gaps begin with executive leadership: “Small and medium organizations are nearly four times as likely to lack a CISO at their organization compared to large organizations.”

  • Board-level Committee Oversight: Small organizations are less likely to have a board-level committee providing oversight of the cybersecurity program. 

  • BYOD Policy: Small organizations are also less likely than medium or large organizations to have implemented a Bring-Your-Own-Device (BYOD) policy at their organization.

  • SIEMs: Although the survey did not ask respondents about their detection and response operations, respondents from both large and small providers reported overwhelming use of Security Information and Event Management (SIEM) systems. Given the gaps listed above, a SIEM on its own does not defend a healthcare network: it needs expert administration and a mature security program that can tune it and act on what it reports.

Budget and Executive Talent Barriers

The survey results indicated that the industry's overall adoption of the Task Group’s recommendations is trending in the right direction. However, the size of the healthcare organization appears to influence the rate of progress. As noted in the report summary, “opportunities for improvement exist, especially among smaller organizations, where budget constraints and a lack of qualified talent are more likely to hinder progress.” Progress can be accelerated when an experienced CISO leads the IT and cross-functional teams in adopting the recommendations.