- Only 44% of healthcare institutions met national cybersecurity standards in 2019, according to an annual report from consulting firm CynergisTek. That's a slight drop from 45% compliance in 2017 and 47% in 2018.
- Looking at historical client data, CynergisTek found declines in four of the five core functions outlined in the National Institute of Standards and Technology's framework for companies to protect themselves against cyber attacks: identify, protect, respond and recover. The last core function, detect, remained flat across three years.
- CynergisTek said cybersecurity is more important than ever as telehealth and remote work have become the norm. "It has already been made crystal clear that due to COVID-19, care delivery and IT delivery models are transforming drastically," according to the report.
The COVID-19 pandemic forced providers and patients to rapidly move care to virtual settings this year. Providers had just weeks to convert visits online and adopt the technology needed to do so, though temporarily loosened restrictions from CMS helped.
But the report shows even before the public health crisis, healthcare institutions' compliance with cybersecurity standards were sliding.
"In cybersecurity, if you are not improving, you are falling behind in managing your risks," the report's authors said. "The bad guys keep getting better, the technology more complex, and more of it is being deployed."
Among the healthcare organization clients CynergisTek analyzed, assisted living facilities had the highest NIST compliance at 96%, though it noted they don't typically have highly automated systems, frequently don't have EMRs, and only have minimal, "core systems."
Insurers and accountable care organizations had the next highest compliance, then business associates and hospitals and health systems. Physicians groups had the lowest compliance at 20%.
Looking at hospital type, academic medical centers had the highest compliance, followed by critical access hospitals, health systems and short-term acute care hospitals.
Surprisingly, critical access hospitals, typically underfunded and understaffed, improved their compliance significantly over the years, from 18% in 2017 to 47% in 2019.
Going forward, CynergisTek said remote work and telehealth will likely persist, requiring added technologies and an enhanced focus on existing ones. Organizations may have to invest in more endpoint protection tools, such as multi-factor authentication, virtual private networks, identity access management and data loss prevention, the report said.
And while COVID-19 put interoperability, information blocking and state privacy laws on the backburner, "it is coming and it won't be as simple as it seems," according to the report.
Lax cybersecurity can result in breaches that risk patients' personal health information and federal fines for providers.
And in a recent report from cybersecurity ratings firm SecurityScorecard and dark web research company DarkOwl, security alerts at telehealth vendors during COVID-19 jumped 30% compared to pre-pandemic levels.