HSCC’s 5-Year Strategic Plan for Healthcare Cybersecurity, and Greater NIST CSF and HICP Coverage Linked to Lower Premium Growth

HSCC’s 5-Year Strategic Program for Enhancing Healthcare Cybersecurity

The number and severity of healthcare cyberattacks are growing each year. In 2023, about 740 healthcare data breach reports were submitted to the HHS’ Office for Civil Rights, and those breaches affected about 136 million people, exceeding past records for both the number of data breaches and the number of people impacted. Cybersecurity in healthcare is clearly in a critical state, and if nothing changes, even more data will be exposed in 2024.

The Health Sector Coordinating Council (HSCC), a public-private association representing 425 healthcare sector entities and government organizations, recently unveiled a 5-year strategic plan for the healthcare and public health sector at the ViVE 2024 conference. HSCC attributed the rise in cyberattacks and data breaches to the increased connectivity and remote use of digital health systems, the highly distributed portability of health data, and the shortage of skilled healthcare cybersecurity professionals. The sprawl and growing complexity of the connected healthcare ecosystem create problems such as unanticipated and poorly understood interdependencies; overreliance on vendor solutions; unidentified inherited security weaknesses; systems that fail to account for the human factors that affect cybersecurity controls; and mismatches between software and equipment lifecycles. Attackers are finding it far too easy to exploit the resulting vulnerabilities.

The Health Industry Cybersecurity Strategic Plan (HIC-SP) seeks to move healthcare cybersecurity from its present critical condition to a stable one by 2029. HSCC noted that the cybersecurity posture of the healthcare industry was rated critical in 2017, when the Health Care Industry Cybersecurity Task Force released its report on improving cybersecurity in the healthcare sector. The HIC-SP builds on the recommendations in that report and aims to improve healthcare cybersecurity by implementing foundational cybersecurity programs that address the operational, technological, and governance challenges posed by major healthcare sector trends over the next five years.

HSCC has worked to identify current industry trends that are likely to continue over the next 5 years, assessed their probable impact on healthcare cybersecurity, and provided guidance for proactively addressing those trends. The industry is likely to keep adopting emerging technologies, is unlikely to resolve its current workforce and management issues, and will probably continue to see instability in the healthcare supply chain. The HIC-SP analyzes how these and other developments may create persistent or emerging cybersecurity issues, and it recommends how the healthcare sector and government should prepare for those developments through cybersecurity principles and specific steps.

The purpose is to give C-suite executives actionable and measurable risk reduction steps aligned with the current cybersecurity landscape and expected industry trends. Healthcare security decision-makers can use the HIC-SP to inform decisions about cybersecurity investments and the implementation of specific cybersecurity measures, and because the HIC-SP is modular, organizations can use it to set high-level goals and pursue objectives that address the areas needing the most attention.

The HSCC states that the HIC-SP complements other efforts to strengthen healthcare cybersecurity, such as the HHS’ Healthcare Sector Cybersecurity Strategy announced in December 2023 and the voluntary healthcare cybersecurity performance goals published by the HHS in January. Together with its government partners, the HSCC Cybersecurity Working Group will work toward the plan’s objectives through education and policy incentives, and it plans to introduce a set of measurable outcomes and success metrics by the end of the year. By 2029, healthcare cybersecurity is expected to be ingrained as a public health and patient safety requirement, in the same way HIPAA compliance is today.

Increased NIST CSF and HICP Coverage Associated with Reduced Cyber Insurance Premium Growth

Adoption of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) improves resilience to cyberattacks, and the reduced risk is reflected in cyber insurance rates. According to the Healthcare Cybersecurity Benchmarking Study, healthcare providers that adopted the NIST CSF had smaller annual increases in their cyber insurance premiums than healthcare organizations that had not implemented the NIST CSF.

The study was a collaboration between KLAS Research, Censinet, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council. It involved 54 payer and provider organizations and 4 healthcare vendors in Q4 of 2023. Implementation of the NIST CSF signals a higher level of preparedness and resilience, and therefore lower risk for insurers. Healthcare providers that use the NIST CSF as their primary cybersecurity framework reported premium rate increases (6%) of one-third the percentage reported by organizations that have not adopted the NIST CSF (18%).

The report evaluates cybersecurity coverage, specifically coverage of the NIST CSF and the Health Industry Cybersecurity Practices (HICP), and shows that little has changed in the past 12 months: average NIST CSF coverage rose from 69% in 2023 to 72% in 2024, and average HICP coverage grew from 71% (2023) to 73% (2024). Average coverage across the 5 NIST CSF core functions – identify, protect, detect, respond, recover – ranges from 65% to 75%. Coverage is lowest in the identify function and highest in the respond function, which suggests that most of the healthcare providers in the study are more reactive than proactive in their approach to cybersecurity. Of all the categories within the NIST CSF, supply chain risk management (part of the identify function) had the lowest coverage. That is a concern given the rate of third-party data breaches in healthcare, and the study found it is also a major concern for insurers when setting higher premiums. Greater supply chain risk management coverage was associated with smaller increases in cyber insurance premium rates.

Average HICP coverage was better, with most organizations having email protection systems (84%) and cybersecurity oversight and governance (83%) in place; however, coverage was only 50% for medical device security and 60% for data protection/loss prevention. 25 healthcare delivery organizations had also taken part in the 2023 benchmarking study, and their average NIST CSF and HICP coverage was higher than that of the other provider and payer organizations. Those repeat organizations also had smaller increases in their cyber insurance premiums than other healthcare organizations, on average.

The benchmarking studies have confirmed that high program ownership by information security leaders leads to greater cybersecurity coverage. Across all organizations, average NIST CSF and HICP coverage was between 71% and 72%, but organizations that assign information security leaders a higher share of program ownership achieved above-average coverage, particularly in the HICP areas of endpoint protection systems and data protection and loss prevention.