THE STATE OF HEALTHCARE SECURITY & PRIVACY
Maturity Paradox: New World, New Threats, New Focus
CynergisTek
2021 ANNUAL REPORT

I. About CynergisTek 3
II. Disruption Leads to Change 4
III. 2020 NIST Conformance 6
Security Executive Takeaways
2020 NIST Conformance

ABOUT CYNERGISTEK

CynergisTek is a team of cybersecurity, privacy, and compliance problem solvers and experts dedicated to helping healthcare organizations prepare, rehearse, and validate the effectiveness of their programs. CynergisTek’s Resilience Validation™ method takes a unique coach-to-client partnership to ensure you achieve your goals, build cyber resilience, and have an
DISRUPTION LEADS TO CHANGE

users. stops using technology, until bad guys decide to leave healthcare alone. There is no stopping on the security journey.

64% of the organizations are below the passing grade
[Chart: State of healthcare security, passing grade (80%)]

Data Privacy has become a top area of responsibility for security professionals, with 34% of survey respondents indicating privacy is one of their core
Source: Cisco 2021 Data Privacy Benchmark Study, Forged by the Pandemic: the Age of Privacy, January 2021

Ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, double the
Source: Comparitech Annual Report

In 2020, 560 healthcare provider facilities fell victim to ransomware.
Source: Emsisoft State of Ransomware Report
2020 NIST CONFORMANCE
[Chart: number of organizations by conformance score]
SECURITY EXECUTIVE TAKEAWAYS

useful to provide big picture awareness, “they do not reduce your risk or protect you. This is not about the scores.” We decided to take our own advice this year, so rather than diving into year-over-year trends or NIST and HIPAA conformance, we are not focusing on scores. Instead, we wanted to see what organizations are doing, the core functions of NIST that seemed to drive long-term improvements, and what will drive the direction for Health IT Security over the next twelve months, as threats and attacks grow worse and more numerous. Our intent is to identify opportunities for short- and long-term success.

The industry trends we are seeing are:

1. Ransomware is a cyber weapon of choice. COVID-19 inspired hackers to pursue ransoms as companies rushed to digitize without adequate security measures, creating more extortion targets. While Help Net Security reported a 358% year-over-year increase in malware overall, research from Deep Instinct found that ransomware specifically increased by 435% from 2019 to 2020, and Coveware reports that the average ransomware payout has grown to nearly $234,000 per event.

2. An ever-expanding cyberattack surface. Healthcare is facing new and augmented challenges from multiple directions, including an increasingly mobile and remote workforce, telehealth, telemedicine, IoT, consumer medicine (as impacted by the 21st Century Cures Act), and concerningly, the supply chain.

3. Threats against critical infrastructure. Healthcare is one of the U.S. government’s 16 critical infrastructure sectors. Threats have recently spread past computers to include Industrial Control Systems (ICS) -- everything from freezer sensors to badge readers -- and converged Operational Technology/Information Technology (OT/IT) networks, notably including medical devices.
BY FUNCTION

Identify
[Chart: score on a 1 to 4 scale, high performing vs. low performing organizations]

The Identify function is the first of the five Framework functions. As such, it provides the foundation for the rest of the functions to be built upon. This function centers around pinpointing all organizational systems and platforms, including data, included in its infrastructure.

With 73% of this sector falling into the low performers, it is not a good starting point, and Asset Management should be a key focus area to reduce risk by prioritizing and classifying your resources, evaluating all assets including the data that flows through the devices, including medical devices, and lastly ensuring roles and responsibilities are established, not just written down on paper.

Governance
[Chart: Governance score on a 1 to 4 scale, high performing vs. low performing organizations]

Overall, the Governance category is either on its way or is well established; however, we did find three key areas that need to be addressed
[Charts: Risk Assessment, Risk Management Strategy and Supply Chain Risk Management scores on a 1 to 4 scale, high performing vs. low performing organizations]

In the Risk Analysis category, the High Performers truly stand out against the Low Performers with over 90% conformance across the board. You cannot protect what you have not identified, nor can you track the controls and mitigations you have implemented. Areas for Low Performers to focus their efforts need to be in the following areas:

1. Collecting and sharing threat intel, identifying and documenting both internal and external threats.
2. Identifying and understanding the impacts and likelihoods of a cyber event occurring is the heart of risk management.
3. Once threats & vulnerabilities are identified we, as a sector, have not moved to using likelihoods and impacts to determine risk.
4. Not prioritizing risks and responses may well indicate that resources are being applied to lower risk issues and, worse, high-risk issues are not getting timely and appropriate attention.

Risk Management Strategy

The Risk Management category ties in closely with the earlier Risk Analysis category. If organizations are unable to identify risk, then it will be difficult to determine your risk tolerance. The healthcare industry will continue to lag in this category if the previous areas, including the lack of understanding of the organization’s role in critical infrastructure, threat intelligence, clear risk analysis, and risk tolerance, are not made a priority.

Cybersecurity is about sharing, about transparency, and we are all part of a much bigger cyber world than our own because we connect and share so much with so many organizations and individuals.

Supply chain overall was the lowest category across the board. Supply Chain is clearly a latecomer even among organizations that have significant improvement over a 4-year period. CynergisTek started assessing against NIST CSF 1.1 in 2017 but some organizations delayed adoption because they were in a cycle on their POAM (Plan of Action and Milestones). It will be interesting to see the curve in this category over the next few years.

Both the High Performers (50%) and Low Performers (30%) have low conformance with taking the appropriate measures to help the organization meet the security and risk management plan objectives of contracts with third parties and suppliers. In addition, organizations lack routine assessments or other forms of evaluation to confirm third parties and suppliers are meeting the obligations that should have been set forth in the contract.

Most notably, given the events of 2019 and 2020 with the attacks on critical third parties and suppliers, from SolarWinds to the Colonial Pipeline, it is clear that response and recovery planning and testing scored low and is a critical area to focus on going forward.

Supply Chain was the second lowest-scoring and least mature category across the board with an average score of
The main issue was the failure to confirm that third parties are meeting contractual security obligations.

[Bar chart: Identify categories (asset management, business environment, governance, risk assessment, risk management strategy, supply chain risk management) on a 1 to 4 scale, high performing vs. low performing organizations]
56% of healthcare organizations believe a cyber attack will occur as a result of a medical device, and only

[Bar chart: Protect categories (access control, awareness and training, data security, information protection processes and procedures, maintenance, protective technology), high performing organizations (>80%) vs. low performing organizations (<80%)]

accounts with elevated privileges coupled with the amount and types of remote access, protecting identities, credentials for users, and devices and processes need to be stepped up across the sector.

Network segmentation and micro-segmentation is not only a management tool for isolation in the event of an attack but it can also be used in

road map, it is not already completed. Since the sector does not do a decent job of evaluating or determining risk or risk tolerance, it will be interesting to see how it responds to new attacks in terms of authenticating users, devices, and other assets - - let us just say that multi-factor is better, in most cases - - commensurate with the risk of the access and/or transaction.
[Chart: score on a 1 to 4 scale, high performing vs. low performing organizations]

Awareness and Training should be the easiest and least costly category to address. Please note, I said should; the data does not appear to support this proposition, however. People are your first and last line of defense. This Category under Protect (PR) is clearly neglected. We see it daily in the number of successful attacks of all kinds against the sector.

The bulk of our assessments attained 50% - - think about the fact that only 50% of the sector is training and informing users on an ongoing basis about security. Many have not even gotten to the one-half level. Same song, different verse with privileged users understanding their roles and responsibilities. The theme continues with 3rd party stakeholders and assuring they understand their roles and responsibilities through initial training and ongoing awareness.

One of the worst sub-categories is Awareness and Training and, frankly, a critical one. Senior executives (including the Board) understand their roles and responsibilities. Enough said. Except that IT (Information Technology) and Security is not about IT and Security - - it should be about patient care and clinical and business operations. The Board has ultimate responsibility for funding and providing strategic goals, guidance, and authorizing funding. That is not IT and Security. Senior executives and the Board have special obligations and fiduciary responsibilities. Train and educate them.

Data Security
[Chart: Data Security score on a 1 to 4 scale, high performing vs. low performing organizations]

As we move into Data Security (data at rest and in transit), some interesting and disturbing anomalies begin to emerge. Encryption, in the early days of HIPAA (Health Insurance Portability and Accountability), was hailed as a “get out of jail free card” in terms of breach notification. An organization’s default for storing protected data of any kind and transmitting it should include encryption - - it clearly does not.

Data-at-Rest (PR-DS-1) while the rest of the sector was in the low 30th percentile.

On a happier note, most organizations have fully implemented controls to assure there is adequate capacity to ensure availability to data is maintained.

The sector lags in fully implementing Data Loss Prevention (DLP). DLP is not simply a tool. DLP is an enterprise program. It is ongoing and, since the data you are preventing the loss of is used by many, many departments, it is no more an IT project than is putting in an EMR. It is not surprising that this sector has struggled with implementing enterprise-wide DLP. It is not uncommon to see it in use on specific data elements or systems (email).

Maintaining development and testing environments that are separate from production is considered a best practice in all sectors. A best practice in which healthcare lags. A more arcane sub-category but one that will also likely grow in importance is integrity checking to verify hardware integrity. During 2020 we found that the High performers hit 80% across the sector of “largely” or “fully” implemented.

[Bar chart: category scores on a 1 to 4 scale, high performing vs. low performing organizations]
Information Protection Processes and Procedures
[Chart: score on a 1 to 4 scale, high performing vs. low performing organizations]

One of the foundational requirements of any security framework, but certainly NIST CSF, is continuous improvement using closed-loop systems and regular feedback and incorporation of changes or new data and capabilities. There is room for improvement. Looking at what you are not doing or not doing well and building those fixes or corrections into newly updated plans, regularly, is continuous improvement.

A System Development Life Cycle (SDLC) to manage systems is basic IT operations. We were surprised to see the overall low implementation level here. Change control is also a core function of IT operations. Outside of the top of the High Performers there is little in formal and functional SDLC.

Echoing back to Awareness and Training, we do not see that cybersecurity is included in HR (Human Resources) practices (de-provisioning, personnel screening, etc.).

Repeated warnings around best practices for ransomware attacks always include backups of information - - they are conducted, maintained, and tested. Considering those warnings and the uptick in ransomware and in healthcare specifically, this may be telling in terms of why so much ransom is paid. As a sector, we do better at protecting the physical operating environment for organizational assets than we do with data.

Overall, the sub-category creating and maintaining baseline configurations of IT and Internal Control (IC) systems that incorporate core security principles (e.g., least functionality) should be a focus area across the sector.

No surprises here. Response and recovery plans are not tested in terms of Information Protection Processes and Procedures. Only the top High Performers were substantially implemented. It dropped off sharply after that.

Maintenance
[Chart: Maintenance score on a 1 to 4 scale, high performing vs. low performing organizations]

On an upbeat note, maintenance and repair of organizational assets are performed and logged with approved and controlled tools, which is what PR.MA-1 measures. Remote maintenance, however, is not at the same level.

Even though Microsoft’s “Patch Tuesday” started in October of 2003, we still see that having a developed and implemented vulnerability management plan is a concern for the entire sector. This may not mean that organizations are not correcting or controlling vulnerabilities, but without a formal plan, followed regularly and timely, it creates opportunities for vulnerabilities to escape detection and mitigation. In worst-case scenarios these known vulnerabilities may be perpetuated across the organization and even to other organizations that have any kind of data,

Protective Technology
[Chart: Protective Technology score on a 1 to 4 scale, high performing vs. low performing organizations]

While High Performers got to a 3.0 in the category - - they did it the hard way. Audit/log records, and whether they are defined, documented, collected, and reviewed in accordance with policy, is a critical function of cybersecurity; it is not, however, a glamorous function. Consequently, we were not surprised to see a comprehensive lack around this sub-category.

Removable media protections and restrictions, which should be documented in policy, were implemented feebly across all assessments.

One high point is that the protection of communications and control networks is also a “win”.

Part of Protective Technology is about the mechanisms to increase resiliency in normal and adverse situations. Given the threat environment, anything less than substantial implementation could spell disaster in the event of a major attack or system failure.

[Bar chart: category scores on a 1 to 4 scale, high performing vs. low performing organizations]
Detect
[Chart: score on a 1 to 4 scale, high performing vs. low performing organizations]

Moving into the Detect Function, we have seen not only significant levels of implementation across all of our assessments, but this is an area where High Performers are at consistently elevated levels of substantial implementation, with the single sub-category exception of detection of malicious code. This is as much a reflection of the rapidly changing threat environment and the ability of current technologies to detect malicious code as it is about the implementation of best practices.

Across the entire sub-category of Anomalies and Events under the Detect Function, the High Performers were all “substantially implemented” with an average of 3.2 across the sub-category. This function is where the organization defines important detection roles, responsibilities, and processes and where they are conscientiously implemented within the organization. The message here is clear: if you want to be a High Performer, get your Detect Function substantially implemented.

Data collection and correlation from multiple sources/sensors will need some improvement across all organizations. Also needing improvement: analysis of detected events to understand attacks and methods.

Determination of the impact of events seems like it should be straightforward, but it is not being assessed or documented outside of High Performers. Without a documented impact of detection of events, organizations may be focusing on minimal impact events and not focused on the bigger risks. This kind of documentation can also assist in reporting cybersecurity effectiveness as well as needs to senior leadership and Boards.

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Continuous monitoring was one of the early drivers underlying NIST CSF; it is also core to the HIPAA (Health Insurance Portability and Accountability) Security Rule’s concept of “ongoing risk management” - - which is the goal of regular risk assessments. From a technical and security perspective, however, there are too many things happening too quickly to rely on human observation and intervention, thus continuous monitoring of security processes will need to become more automated.

[Bar chart: Detect categories (anomalies and events, security continuous monitoring, detection process), high performing organizations (>80%) vs. low performing organizations (<80%)]
As previously stated, the healthcare industry lags in network architecture (lack of segmentation, micro-segmentation), and we also see this in network monitoring for potential cyber events. As a sector, we fare better at monitoring the physical environment for cyber events.

User behavior analytics will grow increasingly critical with work-from-home and remote care, but we do not watch our people as closely as our own physical environment.

The area of malicious code detection is the lowest scoring area for even High Performers in the Detect Function.

Use of unauthorized mobile code/systems has been an area that is often knowingly neglected in healthcare or regularly deferred due to higher priority issues. Mobile will become more prevalent; this is an underperforming area across the sector and will need to be addressed.

Related to Supply Chain, where all industries and sectors lag, is DE.CM-6, monitoring of external service providers for potential security events. This is one area where the effort of the High Performers may help the other cohorts, assuming any findings are shared by the external service provider when events are detected, and particularly sharing across the sector when a High Performer detects an actual cyber event at one of these providers.

Given the spoofing and elevating of credentials, as well as more remote devices from more locations and the use of personal software on managed devices, monitoring for unauthorized personnel, connections, devices, and software will need to be an area of some focus moving forward.

Detect, DE.CM-8, requires that vulnerability scans be performed, not just planned. Again, given the growing number of devices on the network and the growing number of vulnerabilities being reported, particularly around medical devices, this is not a bright spot. Even High Performers only achieved an average of 3.0.

[Chart: Security Continuous Monitoring sub-category scores, high performing organizations (>80%) vs low performing organizations (<80%), scale 1 to 4; values shown: 3.5, 3.3, 3.3, 3.2, 2.9, 2.7, 2.7, 2.4, 2.3, 2.0, 1.9, 1.9]

Detection Processes (values shown: 3.1, 3.0, 2.1; scale 1 to 4)

Detection does not count if no one knows who is doing it, who they should report it to, and who is accountable for what actions related to detecting potential cyber events. Again, in terms of the Detection Processes category, High Performers are at 100% substantial implementation across all sub-categories. Across High and Low Performers, however, the industry average is 2.4.

We find that detection processes themselves are not often tested. Testing is validating that the controls you have implemented are alerting on the identified events, that the right people are being notified, and that the processes delineated in the controls are working as intended. Detection processes that are not working are no longer detection processes. The failure of these detection processes may make things worse. If you do not have tools, you do not expect messages/warnings from them. If you have installed them but do not get anything, or the alerts go to the wrong place, you are working under a false sense of security.

We do seem to be able to do an adequate job of communicating events when we do detect them.

One of the fundamental intents of implementing a security program is continuous improvement. What is the point of doing all this monitoring, alerting, and analysis if we are not using it to get better? High Performers are doing alright; all others will require focus.
Response Planning (Low Performers 1.9; scale 1 to 4)

77% of companies don't have a consistent cybersecurity response plan.

Cyber resilience is the ability of an organization to prepare and respond when cyberattacks happen. An organization has cyber resilience if it can defend itself against these attacks, limit the effects of a security incident, and guarantee the continuity of its operation during and after the attacks. Organizations today are beginning to complement their cybersecurity strategies with cyber resilience. While cybersecurity's main aim is to protect information technology and systems, cyber resilience focuses more on making sure the business is delivered. Its intended outcome is business delivery, keeping business goals intact rather than the IT (Information Technology) systems. The Respond Function is where the organization demonstrates and maintains the development and implementation of appropriate activities to act regarding a detected cybersecurity event.

Having a response plan allows you to proactively intervene and prevent or reduce issues that may occur in the event of a cyber incident. An incident response (IR) plan is something that every organization should have in place. It only works if you execute on it during or after an event, and unfortunately, that is not what we found.

An IR plan is only as effective as the people and departments that have a role are prepared to execute on the plan.

Communications (High Performers 3.2, Low Performers 2.3)

This is a marked improvement over executing a response. Sharing of information with external stakeholders, with the intent of expanding cybersecurity situational awareness, was overall okay among High Performers but needs work in Lower Performing organizations.

$2M during a data breach. Source: IBM Ponemon Cost of a Data Breach Study, 2020

[Chart: Respond Function scores, high performing organizations (>80%) vs low performing organizations (<80%), scale 1 to 4; categories: response planning, communications, analysis, mitigation, improvements; values shown: 3.2, 3.1, 2.9, 2.8, 2.6]
Analysis (High Performers 2.6, Low Performers 1.9)

Only the top of the High Performing group is actively investigating notifications from detection systems. Fortunately, impacts of an incident are well understood across the sector. While there is room for improvement, the sector is effective at categorizing incidents consistent with response plans. The sector is not as effective as it needs to be at using shared information from both internal and external sources. The sector needs to improve in this area, although we have seen some growth over the past few years.

Mitigation (High Performers 2.8, Low Performers 1.9)

This category speaks to the heart of the Respond Function: Mitigation. That is, to assure that activities are performed to prevent the expansion of an event, mitigate its effects, and resolve the incident.

In terms of containing an incident through the response, only the top of the High Performers are doing this consistently and substantially. In terms of being able to mitigate an incident through the response, this is the most troublesome: all organizations are less effective at mitigation than containment. The sector also needs to improve its ability to mitigate and document new vulnerabilities as an acceptable risk.

Improvements (High Performers 3.1, Low Performers 2.6)

We have already mentioned that the point of all this effort is to keep getting better: continuous improvement using closed-loop systems and regular feedback and incorporation of changes or new data and capabilities. This category is improvement: response activities are improved by incorporating lessons learned from current and previous detection/response activities.

If you are not changing and/or updating the response strategies after an incident or even an exercise, you are missing the best opportunity to improve. There is room for improvement, based on our assessments.

All Low Performers came in at or below 50% conformance for having an implemented Incident Response Plan.

[Chart: Respond sub-category scores, high performing organizations (>80%) vs low performing organizations (<80%), scale 1 to 4; values shown: 3.5, 3.3, 3.3, 3.2, 2.9, 2.7, 2.7, 2.4, 2.3, 2.0, 1.9, 1.9]
Recover

Most Boards of Directors and non-IT/Security executives would call Recover the most important NIST CSF function. The Recover Function identifies appropriate activities to maintain resilience plans and rapidly restore any capabilities or services impaired by a cybersecurity incident, returning to a state of normal operations. Despite significant gaps among high performers, we found that they collectively did not disappoint in this category, while low performers are not where they need to be.

Recovery Planning (High Performers 3.4, Low Performers 2.5)

Nearly 2/3 of the organizations are underperforming in recovery planning.

Recovery procedures exist to ensure the timely restoration of systems or assets affected by cybersecurity events. Failure to execute the Recovery plan means nothing will happen; you will not recover. Since 3 represents the minimum level of performance, nearly two-thirds of the organizations in the sector are underperforming in recovery planning.

Improvement (High Performers 3.5, Low Performers 2.5)

Improvement is critical in the Recover Function. Externally, threats and attacks change, while internally, your own systems and personnel change. Improvement means incorporating previously learned lessons into the Recovery plan.

Most organizations do not start with Respond or Recover, so if you are arriving late to the dance, or if you are simply lagging in those two functions, they're good targets for increasing your focus and investment. Faced with the reality that a cyber incident will happen, if you cannot do all the Identify, Protect, and Detect functions, you should at least have Response and Recovery plans, and work to improve them over time.

Communications (High Performers 3.3, Low Performers 2.6)

Healthcare is improving across the board in communications. This covers managing public relations, repairing reputation after incidents, and communications with all stakeholders, internal and external, as well as executive and management teams.

[Chart: Recover Function scores, high performing organizations (>80%) vs low performing organizations (<80%), scale 1 to 4: recovery planning 3.4 / 2.5; improvements 3.5 / 2.5; communications 3.3 / 2.6]
DATA PRIVACY IN 2020

Additional information about OCR's enforcement discretion and COVID-19 guidance may be found here.

BE READY. BE RESILIENT. VALIDATE. 2021 ANNUAL REPORT
Update

failed to address OCR compliance assistance and guidance, botched implementations of policies, and failures to cooperate with an OCR investigation.

Finally, among other initiatives, OCR issued proposed changes to the HIPAA Privacy Rule in 2020 that would revise the Notice of Privacy Practices acknowledgment requirements and update the response time to access requests. Although covered entities have some time before these changes are finalized, they will add additional demands to already full plates of priorities.

State Attorneys General may bring actions against HIPAA-covered entities and their business associates for HIPAA Rule violations, with damages ranging from $100 per HIPAA violation up to a maximum of $25,000 per violation category, per year. There were no reported fines or actions in 2020, but organizations should be prepared for increased enforcement activity as states begin to effectively control the spread of COVID-19.

privacy are reporting privacy metrics (e.g., privacy program audit findings, privacy impact assessments, and data breaches) to their Boards.

Source: Cisco 2021 Data Privacy Benchmark Study, Forged by the Pandemic: the Age of Privacy, January 2021

State Data Privacy Laws

California's Consumer Privacy Act (CCPA) is probably the most widely known state privacy law, becoming effective in January 2020, around the same time the first COVID-19 cases were reported in the United States. Initial CCPA regulations were approved in August 2020, and nearly one year later, compliance remains challenging for covered businesses. California residents now have certain CCPA rights in their personal information, and certain businesses must meet obligations regarding collection of California residents' personal information. Additionally, the California Consumer Privacy Rights Act (CPRA) was approved in November 2020, further expanding consumer privacy protections for California residents. Many of the CPRA's provisions become effective on January 2, 2023.

York, and Oregon introduced and referred data privacy legislation to committees. Thirty states (including Florida, Illinois, and Washington) tried and failed to pass data privacy legislation. Texas and Connecticut established task forces to examine data privacy practices in businesses and make legislative recommendations. Although these states failed in passing data privacy laws, it is only a matter of time before other states follow California's lead. Eleven states have introduced data privacy laws in the first few months of 2021.

Despite other states' struggles to pass data privacy laws, Virginia enacted the Virginia Consumer Data Protection Act (VCDPA) in March 2021. VCDPA goes into effect on January 1, 2023, applying to certain businesses collecting personal information from Virginia residents, and grants Virginians certain rights similar to the CCPA and CPRA.

Enforcement details and agreements may be found here. More information about the proposed modifications may be found here. Additional information about the CCPA requirements may be found here. Read more about the VCDPA's requirements here.
Violations of the Minimum Necessary Rule: Define criteria to limit the PHI disclosed and request the amount necessary to achieve the purpose of the disclosure.

Although passing federal privacy legislation
CynergisTek's Patient Privacy Monitoring Service (PPMS) analysts analyzed approximately two million lines of data and hundreds of thousands of user/patient accesses within a variety of user access monitoring tools. Using CynergisTek's PPMS, organizations connected with a team of expert privacy analysts, who reviewed all escalations and violations via tools, as well as upon request.

Types of events monitored to detect and identify suspicious activity:

[Pie charts: share of monitored event types; labels recovered: neighbor, same household, VIP confidential, user self access; values shown: 9%, 19%, 29%, 27%, 22%, 8%, 3%, 10%, 6%, 2%]

Escalations and Violations

• Escalated less than 5% of accesses reviewed, which allowed privacy and compliance offices to focus on other vital privacy initiatives.

• Routinely reviewed co-worker, same address, same street, same unit, self-access, VIP, and other reports/violations.

• The highest rates of applied sanctions in 2020 involved same household, user self-access, and same last name case types.

User Self-access Data

PPMS analyzed approximately 122,100 audit rows and identified approximately 2,865 users who accessed their own records. If a policy was present to restrict self-access, there would have been 2,865 incidents to investigate, and it may have resulted in sanctions.

Types of Unauthorized Access
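The case types above (user self-access, same household, same last name, VIP confidential) are the kind of rules a patient-privacy monitoring program applies to EHR access audit rows before an analyst sees them. The following is an added example written for this page; it is not CynergisTek's PPMS code nor any vendor's tool. The audit-row field names (user_patient_id, user_on_care_team and the rest) and the sample rows are constructed assumptions, and the rules are deliberately simple exact-match checks so that the triage logic, escalation rate and case-type breakdown are easy to follow.

```python
"""Rule-based triage of EHR access audit rows into privacy case types.

Added example, not CynergisTek's PPMS code. All field names and sample rows
are constructed assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One EHR access audit row. Field names are assumptions for this
    example; real access-monitoring exports name and shape them differently."""
    user_id: str
    user_last_name: str
    user_address: str
    user_patient_id: str       # the user's own medical record id, "" if none
    patient_id: str
    patient_last_name: str
    patient_address: str
    patient_is_vip: bool       # record flagged confidential/VIP
    user_on_care_team: bool    # documented treatment relationship with the patient


def _key(text: str) -> str:
    """Case- and whitespace-insensitive comparison key for names/addresses."""
    return " ".join(text.lower().split())


def classify(ev: AccessEvent) -> List[str]:
    """Case types triggered by one row; an empty list means no escalation.

    Self-access necessarily matches the household and last-name rules too,
    so it is reported on its own; the remaining rules may stack."""
    if ev.user_patient_id and ev.user_patient_id == ev.patient_id:
        return ["user self access"]
    flags: List[str] = []
    if _key(ev.user_address) == _key(ev.patient_address):
        flags.append("same household")
    if _key(ev.user_last_name) == _key(ev.patient_last_name):
        flags.append("same last name")
    if ev.patient_is_vip and not ev.user_on_care_team:
        flags.append("VIP confidential")
    return flags


def review(events: List[AccessEvent]) -> List[Tuple[AccessEvent, List[str]]]:
    """Keep only rows that trigger at least one rule, for analyst review."""
    escalated = []
    for ev in events:
        flags = classify(ev)
        if flags:
            escalated.append((ev, flags))
    return escalated


def summarize(events: List[AccessEvent]) -> Dict[str, object]:
    """Counts a privacy office would report: rows reviewed, escalation rate
    and the breakdown by case type."""
    escalated = review(events)
    by_type = Counter(flag for _, flags in escalated for flag in flags)
    return {
        "rows_reviewed": len(events),
        "escalated": len(escalated),
        "escalation_rate": len(escalated) / len(events) if events else 0.0,
        "by_case_type": dict(by_type),
    }


# Constructed sample rows (not real audit data).
SAMPLE_ROWS = [
    # user opens their own record: counted as self-access
    AccessEvent("u100", "Nguyen", "12 Oak St", "P100", "P100", "Nguyen", "12 Oak St", False, False),
    # relative at the same address with no care relationship
    AccessEvent("u101", "Lopez", "7 Elm Ave", "P201", "P310", "Lopez", "7 Elm Ave", False, False),
    # same last name, different household
    AccessEvent("u102", "Garcia", "3 Pine Rd", "P202", "P320", "Garcia", "99 Lake Dr", False, False),
    # VIP record opened by a user outside the care team
    AccessEvent("u103", "Brown", "5 Hill St", "P203", "P400", "Okafor", "1 Park Pl", True, False),
    # VIP record opened by an attending on the care team: legitimate
    AccessEvent("u104", "Patel", "8 Bay St", "P204", "P400", "Okafor", "1 Park Pl", True, True),
    # ordinary treatment accesses
    AccessEvent("u105", "Kim", "2 Main St", "P205", "P500", "Silva", "40 Bridge Rd", False, True),
    AccessEvent("u106", "Rossi", "9 Mill Ln", "", "P501", "Chen", "16 Ridge Rd", False, True),
    AccessEvent("u107", "Ahmed", "4 Dock St", "P207", "P502", "Weber", "21 Fern Ct", False, True),
]


if __name__ == "__main__":
    for ev, flags in review(SAMPLE_ROWS):
        print(f"{ev.user_id} -> {ev.patient_id}: {', '.join(flags)}")
    print(summarize(SAMPLE_ROWS))
```

On the constructed rows, four of eight accesses escalate (a 50% rate, far above the under-5% the report describes for real data, because the sample is built to exercise every rule). The care-team flag is what keeps a legitimate VIP access out of the queue; without a treatment-relationship signal every VIP access would escalate, which is the usual source of analyst fatigue in these programs.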
PRIVACY EXECUTIVE TAKEAWAYS

1. State-by-State Privacy Legislation. While breach notification laws can be found in every state, privacy legislation continues

2. Right of Access.
ACTION DRIVES CHANGE

As our report shifted from scores to data-based guidance, our top organizational recommendation this year is to continuously reduce cyber risks while adapting to business, technology, and regulatory changes. Security remains a journey, rather than a destination, and there is no stopping until threat actors decide to leave healthcare alone. If that didn’t happen during the COVID-19 pandemic, it’s not going to happen.

Given current trends, healthcare organizations

1. Automate security functions.
Security automation can detect, investigate, and even remediate cyber events and threats in near-real-time, with or without human intervention. While you will need tools with artificial intelligence and machine learning, you can have too many tools, including ones that overlap, and others that claim to integrate with one another, but actually don’t. So tread carefully: Anything that says it will solve everything will not, and acquiring enough individual tools to actually solve everything may well destroy your budget and leave you understaffed. The wise move is to prioritize, focusing on automations that can be manually diagrammed, then adopt automation gradually, and invest in training to be sure your chosen tools and automation are being used properly.

2. Validate technical controls for people and processes.
Several years ago, testing for organizational system and network weaknesses was a new concept; now there are multiple tools to validate a layered security infrastructure’s overall effectiveness, finding gaps and flaws that people or automated processes missed. Unfortunately, technology validation usually begins with technologies rather than threats, so as time passes and threats change, both technologies and the people who use them may not be as effective as when they were originally deployed. Validating technical controls for people and processes means that when an alert fires, it goes to the right people, and they follow current procedures on what to do when they get that alert. This technical control validation process ensures that everything works as you want it to, now.

3. Perform exercises and drills at the enterprise level, testing all components of the business.
If you want to have an effective response when the “boom” happens, do what the military and hospitals do: Practice, on a large scale, before you’re faced with an actual crisis. After you have practiced, build all the lessons you learned into the next rehearsal. Sometimes it really is that simple – do it, do it again, then repeat. As Aristotle said, “we are what we repeatedly do. Excellence, then, is not an act but a habit.” American golfer Sam Snead put it another way: “Practice puts brains in your muscles.” The same lessons apply to security, especially cybersecurity.

4. Secure the supply chain.
As the Cybersecurity and Infrastructure Security Agency puts it, the “supply chain is only as strong as its weakest link… Constant, targeted, and government and industry alike by way of their contractors, subcontractors, and suppliers at all tiers of the supply chain.” As you dive into this report, you will find that the supply chain was the weakest category across the board; whether suppliers became targets themselves, or served as tools for bad guys to exploit enterprise organizations, supply chain issues exploded during COVID-19. This area must be addressed quickly and effectively: The healthcare sector is already lagging in overall security investment, and lagging even further in the most rapidly growing threat category is profoundly dangerous.

5. Privacy must look to and beyond regulatory requirements.
As privacy, security, and compliance professionals continue to further enhance their organizations’ risk and compliance posture in 2021 and beyond, it will be imperative to look beyond regulatory requirements as they seek to evaluate potential consequences for consumer privacy. Failure to properly identify data received, maintained, or transmitted (and to also consider whether all data collected is necessary) can have adverse consequences for both an individual’s privacy and the organization’s ability to maintain trust and growth. Organizations should consider implementing structures, such as individuals and groups responsible for data governance, as well as mechanisms to appropriately respond to requests from consumers, patients, and others seeking to exercise certain rights related to data about them.
BE READY. BE RESILIENT. VALIDATE.
2021 ANNUAL REPORT
Conclusion

The advice we issued in our 2020 annual report was sound at that time and held through the year, though there’s one phrase we would have changed in retrospect: “economic downturn following COVID-19” would more accurately have read “economic impacts.” While the pandemic impacted every organization’s cybersecurity budget and spending, those numbers varied based on multiple reasons, including (and in some cases despite) the organization’s own overall financial standing.

Going forward, it’s clear that this isn’t the right time to cut back on cybersecurity, and that smart spending will be necessary to secure organizations against a rising tide of ransomware threats against critical infrastructure generally, and healthcare specifically. As we ride out the remainder of 2021, it’s within your power to ensure that the economic impacts of the digital transformation on your organization are net positive – assuming you make the right, proactive decisions to protect your assets and environment now.

CynergisTek’s Resilience Validation™ methodology helps organizations prepare, rehearse, and validate that their security, privacy, and compliance programs are working and responding effectively to risk every day. At CynergisTek, we understand strong, mature programs aren’t developed overnight. We provide customized service offerings categorized under the four pillars of Assess, Build, Manage, and Validate that align with your organization’s immediate and long-term goals. Our experts evaluate your unique needs and provide your team and organization guidance on your journey to ensuring your programs have a security, privacy, and compliance approach that is resilient against threats.

Assess: Start with an expert, thorough assessment.
Build: Build cyber resilience into your organization.
Validate: Validate and verify program effectiveness.
Manage: Effectively meet and manage your security needs.

Contact us Today