Cyber Readiness of U.S. Healthcare Services
On March 30, 2022, legislation seeking to improve the cyber readiness of the U.S. healthcare sector cleared the Senate Homeland Security Committee. Introduced as the “Healthcare Cybersecurity Act”, S. 3904 calls on the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to “collaborate with the Department of Health and Human Services to improve cybersecurity in the Healthcare and Public Health Sector.”
Such legislation is appropriate given that cybersecurity advocates have been calling for the nation’s healthcare entities to be considered critical infrastructure providers (CIPs) for many years. The recurrence of ransomware attacks on hospitals during the COVID-19 pandemic significantly elevated this issue as a very real life-and-death matter in the minds of cybersecurity professionals, policy makers and even ordinary people.
This blog focuses on the findings of a new report released today by Trellix, Path to Cyber Readiness – Preparation, Perception and Partnership, specifically on the cyber readiness of the U.S. healthcare sector, which traditionally lags many of its peers because of underinvestment and simple neglect of its legacy operational systems.
The report gauges the adoption of advanced cyber defense technologies and practices, perceptions of public-private partnerships and the role of national government leadership overall among public and private enterprises that have traditionally, or only more recently, been considered CIPs.
The State of Cyber Defense Implementation
As many as 84 percent of U.S. CIPs have “developed, implemented and deployed” some degree of EDR and XDR capabilities within their enterprises, but only 35 percent of those respondents report having full capabilities deployed. In healthcare services, however, only 21 percent claim to have achieved full implementation.
Forty-four percent of respondents reported “tender and bidding process challenges” among the top barriers to new cyber defense adoption, followed by “lack of implementation expertise” (42 percent), “lack of leadership recognition of the need to invest” (39 percent), and a “lack of in-house staffing” resources, trusted vendor partners, and budget (30 percent).
Software Supply Chain Risk Management
Eighty-three percent of healthcare services respondents claimed they have implemented some degree of software supply chain risk management policies and processes, but only 26 percent report having fully implemented these measures. This compares to 37 percent of U.S. CIP peers overall and 31 percent of regional government services respondents.
Ninety-two percent of healthcare respondents cite software supply chain risk management policies and processes as a difficult cybersecurity measure to implement.
Sixty-eight percent of respondents somewhat to strongly agree that there has historically been little oversight on how cybersecurity products themselves were developed and where.
Eighty-three percent of respondents believe that if the U.S. federal government demands higher software cybersecurity standards within government agencies, this would play a role in raising standards for software developers across the software industry. Eighty-eight percent of sector respondents believe cybersecurity standards for software development should be mandated by government.
That said, 51 percent of respondents believe government cybersecurity standards for software could be too complex to implement. Forty-five percent worry about the costs of implementing such suggested standards and around 40 percent also worry about the workability of any mandated implementation timelines.
COVID-19 Impact & Legacy
Eighty-eight percent of respondents report that the need to secure remote access to their enterprise resources became a more important issue in maintaining their cybersecurity posture during the COVID-19 pandemic.
Forty-two percent of sector respondents believe the hybrid remote work model is permanent, with 34 percent taking a wait-and-see position and 25 percent believing it will fade.
U.S. Cybersecurity Safety Board
Eighty-eight percent of healthcare services respondents see value in the Biden Administration’s proposed establishment of a U.S. Cybersecurity Safety Board similar to the U.S. National Transportation Safety Board.
Sixty-one percent of healthcare respondents believe the Cybersecurity Safety Board should focus on both public and private infrastructure outside of, as well as within, the federal government. This position contrasts sharply with U.S. CIPs overall, of whom only 48 percent favor this expanded role.
Partnering with U.S. Government
Eighty-one percent of healthcare services respondents believe there is at least moderate room for improvement in the level of partnership between the U.S. government and organizations in their sector when it comes to working together to overcome cybercrime issues such as ransomware. Thirty-five percent believe there is vast room for improvement.
The sector respondents had a variety of ideas on how the U.S. government could take more action as a cybersecurity partner to the sector. Forty-four percent favored greater consequences for perpetrators of cybercrime, 42 percent tighter cooperation on cyber incident management while attacks are in progress, and 39 percent a combination of incident notification and liability protection to facilitate sharing of attack data between impacted organizations, government partners and industry audiences.
Seventy percent of respondents believe there is no real consistency in how organizations respond to cyber incidents, and 38 percent favored improved Federal guidance on best practices.
The sector’s cybersecurity has undoubtedly suffered from underinvestment in technology for decades. It should come as no surprise that 38 percent favor improved Federal funding for cybersecurity improvement in the sector.
Seventy-nine percent of respondents said there was room for improvement in the cyber threat data shared by the U.S. government with organizations in their sector.