By Elizabeth Snell

March 07, 2017 - Healthcare entities have several key cybersecurity frameworks to utilize when it comes to implementing necessary cybersecurity guidelines. However, not all organizations necessarily have access to the same type of guidance.

Nearly half – 47 percent – of surveyed Non-Profit and Non-Government Organizations (NGOs) said that they did not have a cybersecurity framework currently employed, according to an Institute for Critical Infrastructure Technology (ICIT) report.

ICIT interviewed Non-Profit and NGOs to determine what type of cybersecurity programs, staffing, controls, and assessments are being employed, planned, or considered. The results were discussed in the Cybersecurity in Non-Profit and Non-Governmental Organizations paper.

“Larger organizations, outside the Non-Profit sector, often have more resources, which may include specialized departments that focus on cybersecurity,” the report’s authors explained. “Organizations with Non-Profit budgets may not have the funding available to create information technology and/or controls assessment units to work towards better protection, and in many cases may not have staff in their IT unit who can provide some cybersecurity specialty functions.”

Fifty percent of survey respondents also said they had experienced a ransomware event in their organization. However, approximately half of those surveyed – 49 percent – also said that their organization did not have “a formal cyber security unit or staff member(s) responsible and assigned to protecting the computing environment from cyberattacks.”

Of the entities that did not have a formal cybersecurity unit or focus, 11 percent said they planned to incorporate one in the next six to 12 months. Eighty-six percent though reported that there was no such plan to implement a cybersecurity focus.

ICIT also found that 56 percent of the respondents are using an internally developed framework, while 32 percent are using NIST guidelines, such as the 800-53a. Approximately one-quarter of those surveyed are using another solution, with 20 percent stating that they utilized SANS Top 20 Critical Security Controls.

Another key takeaway was that 52 percent of respondents said that controls established in the employed cybersecurity framework were not routinely tested.

“The Non-Profit and non-governmental sectors do have the opportunity to put a focus on their cybersecurity approaches perhaps without much of a budget and limited spending,” report authors explained. “Cyber hygiene controls, which include a set of practices and behaviors designed to minimize the impact of possible breaches, such as segmentation of duties, segmentation of privileges, access policies, and the like are free to adopt.”

There are numerous ways for Non-Profit and NGOs to work toward improving their cybersecurity measures, according to ICIT.

For example, if organizations host web applications or publicly available websites in the cloud or on-premises, they can refer to the Open Web Application Security Project (OWASP).

It is also important for entities to ensure that their IT systems are regularly updated for operating system updates, and that the organization is employing adequate end-point protection software.

A cybersecurity awareness program should also let staff “be continually educated on steps they can take to contribute to securing their access to system.”

End-point device security is also essential, especially with the increasing threat of ransomware attacks.

“Many Non-Profits and NGOs may not be aware of what devices are on their network or what access to the devices is present,” the report authors warned. “An increase in cyber hygiene and improvements to endpoint security can be accomplished by mapping the network and controlling access based on need.”

Healthcare must adhere to federal regulations, including HIPAA Rules and HITECH. Additionally, cybersecurity frameworks are critical tools for both covered entities and business associates. Failing to carefully monitor networks and the devices connecting to those networks could lead to a data breach.

Ransomware attacks specifically could also create patient safety issues. That type of attack could prevent healthcare providers from operating normally as they work to gain control of their EHR.

Cybersecurity guidelines are necessary tools for all types of organizations utilizing new technologies and connected devices.