Small healthcare providers are less likely to implement cybersecurity policies than larger healthcare organizations, a new CHIME and KLAS white paper found.
The June 27 report looks at responses from 600 healthcare providers to examine how providers have implemented top cybersecurity practices published in the Department of Health and Human Services’ Health Industry Cybersecurity Practices (HICP).
While the findings highlight that larger healthcare organizations have developed more robust and sophisticated cybersecurity practices – from application testing to vulnerability scanning – smaller providers tend to only implement penetration testing to find vulnerabilities.
Small organizations are also less likely to have “a dedicated chief information security officer (CISO), board-level committees and governance, risk management, and compliance (GRC) committees, and bring-your-own device (BYOD) management,” the report said.
Less than half of small provider respondents said their organizations use network segmentation to prevent the spread of network viruses, even though network access control tools are widely deployed among providers overall.
The report further found that most large and small organizations have incident response plans and participate in an information-sharing and analysis organization, but only half of those providers test those plans annually at an enterprise-wide level.
Providers have also begun transitioning to cloud platforms, and while those organizations appear to have data-loss prevention tools, more organizations back up their data in physical locations rather than through cloud backup services.
Despite these shortcomings, email and endpoint protection systems and programs are prevalent across all healthcare providers examined in the report, indicating at least a baseline level of cybersecurity awareness. Over 70 percent of providers run phishing simulations at least once a quarter, for instance.
Small businesses often lack the resources they need to implement sophisticated cybersecurity policies and programs, lawmakers have found, and the report’s conclusions show a continuation of that trend in the healthcare industry.
“Even in the most mature organizations, these best practices and tools are often not implemented for every system or device across the enterprise,” the report’s researchers wrote. “In today’s complex IT environment, with too few available resources and dollars for cybersecurity, how does an information security leader decide what to address first and how best to reduce risk?”