HSCC’s 5-Year Strategic Program for Strengthening Healthcare Cybersecurity
Healthcare cyberattacks are increasing in number and intensity every year. In 2023, around 740 healthcare data breach reports were submitted to the HHS’ Office for Civil Rights, and those breaches, including HIPAA violations, affected over 136 million people, surpassing previous records for both the number of data breaches and the number of individuals affected. Cybersecurity in healthcare is in a critical state, and if nothing changes, even more data will be compromised in 2024.
The Health Sector Coordinating Council (HSCC), a public-private alliance comprising 425 healthcare industry entities and federal institutions, recently launched a 5-year strategic program for the healthcare and public health sector at the ViVE 2024 conference. HSCC stated that cyberattacks and data breaches are occurring as a result of the increased connectivity and remote use of digital health solutions, the widely distributed mobility of health information, and a shortage of experienced healthcare cybersecurity specialists. The sprawling and growing complexity of the connected healthcare ecosystem creates challenges such as unanticipated interdependencies; previously unknown inherited security flaws; overreliance on vendor tools; systems that do not adequately account for the human factors involved in cybersecurity settings; and mismatches between application and equipment lifecycles. Threat actors are finding it all too easy to exploit the resulting vulnerabilities.
The Health Industry Cybersecurity Strategic Plan (HIC-SP) seeks to move healthcare cybersecurity out of its present critical condition by 2029. HSCC noted that the cybersecurity condition of the healthcare industry was rated critical in 2017, when the Health Care Industry Cybersecurity Task Force published a report on improving cybersecurity in the healthcare sector. The HIC-SP builds on the recommendations in that report and aims to strengthen healthcare cybersecurity through foundational cybersecurity services that address the operational, technical, and governance problems presented by major healthcare industry trends over the next five years.
HSCC has identified existing industry trends that are likely to continue over the next 5 years, assessed their potential impact on healthcare cybersecurity, and offered recommendations for proactively addressing those trends. The industry will likely continue to adopt emerging technologies, is unlikely to resolve current workforce and management challenges, and will probably see continued insecurity in the healthcare supply chain. The HIC-SP sets out how these and other trends may present ongoing or emerging cybersecurity issues, and it recommends how the healthcare industry and government should prepare for those changes through cybersecurity guidelines and specific measures.
The goal is to give C-suite executives useful and measurable risk reduction activities based on the present cybersecurity landscape and anticipated industry developments. Healthcare security decision-makers can use the HIC-SP to guide cybersecurity investments and the establishment of specific cybersecurity procedures, and because the HIC-SP is modular, organizations can use it to identify high-level goals and apply objectives to the areas that need the most attention.
The HSCC says the HIC-SP aligns with other efforts to improve healthcare cybersecurity, such as the HHS’ Healthcare Sector Cybersecurity Strategy released in December 2023 and the voluntary healthcare cybersecurity performance goals launched by the HHS in January. Together with its government partners, the HSCC Cybersecurity Working Group will work to achieve the plan’s goals through education and policy incentives, and it plans to release a set of measurable outcomes and success metrics by the end of 2024. By 2029, it is anticipated that healthcare cybersecurity will be embedded as a public health and patient safety requirement.
Greater NIST CSF and HICP Coverage Linked with Smaller Cyber Insurance Premium Increases
Adopting the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks, and the reduced risk is reflected in cyber insurance rates. According to a new Healthcare Cybersecurity Benchmarking Study, healthcare providers that have implemented the NIST CSF saw smaller annual increases in their cyber insurance premiums than healthcare organizations that have not adopted the NIST CSF.
The study was a joint effort by KLAS Research, the American Hospital Association, Censinet, the Healthcare and Public Health Sector Coordinating Council, and Health-ISAC. It surveyed 54 payer and provider organizations and 4 healthcare vendors in the fourth quarter of 2023. Implementation of the NIST CSF indicates a higher degree of readiness and resilience, and therefore lower risk for insurers. Healthcare providers that use the NIST CSF as their primary cybersecurity framework reported premium increases (6%) of one-third the rate reported by organizations that have not adopted the NIST CSF (18%).
The report analyzes cybersecurity coverage, mainly coverage of the NIST CSF and Health Industry Cybersecurity Practices (HICP), and finds that little has changed in the last year: average NIST CSF coverage rose from 69% in 2023 to 72% in 2024, and average HICP coverage grew from 71% (2023) to 73% (2024). Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranges from 65% to 75%. Coverage is lowest in the identify function and highest in the respond function, which indicates that most of the healthcare providers in the study were generally more reactive than proactive in their cybersecurity approach. Of all the categories in the NIST CSF, supply chain risk management (identify) had the lowest coverage, which is worrying given the frequency of third-party data breaches in healthcare. The study found that this is an important factor for insurers when setting premium increases: greater supply chain risk management coverage was linked to smaller increases in cyber insurance premiums.
Average HICP coverage was higher, with most organizations covering email protection systems (84%) and cybersecurity oversight and governance (83%); however, there was only 50% coverage of medical device security and 60% coverage of data loss prevention. 25 healthcare delivery organizations also took part in last year’s benchmarking study, and their average NIST CSF and HICP coverage was higher than that of the other payer and provider organizations. Those repeat organizations also had, on average, smaller increases in their cyber insurance premiums than other healthcare organizations.
The benchmarking study also confirmed that strong program ownership by information security leaders leads to greater cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was 71% to 72%, but organizations that give information security leaders a larger share of program ownership achieved above-average coverage, particularly in the HICP areas of endpoint protection systems and data loss prevention.