Hospital Cyber Resiliency Initiative Landscape Analysis

Executive Summary

The Landscape Analysis’ charge was to highlight findings and issues affecting the cybersecurity resiliency of U.S. hospitals. National Institute of Standards and Technology (NIST) defines cyber resiliency as, the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. For the purposes of this study, the scope was narrowed to those activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data, although equally important, are not the focus of this study - unless the breach has a direct impact on patient care and safety.

The study’s two objectives were:

  • To develop a clear understanding of the current cybersecurity capabilities and preparedness across participating U.S. hospitals, as well as their ability to combat cyber threats
  • To share the analysis and findings with the HSCC CWG for consideration as one of several inputs for informing prioritized cybersecurity practices for U.S. hospitals, as well as other considerations the U.S. government might undertake to improve U.S hospitals’ cybersecurity resiliency

This was accomplished by evaluating the current cyber threats faced by hospitals and the entire HPH sector, as well as conducting an analysis of hospital cybersecurity capabilities and resources benchmarked against the Health Industry Cybersecurity Practices (HICP)2 Publication. To complete these objectives, the analysis leveraged multiple sources of data within three categories:

  1. Threat data from the U.S. government, cybersecurity vendors, and open-source intelligence, threat reports from CrowdStrike and Verizon, and over 30 joint reports outlining the highest impact of hacking and ransomware groups from Cybersecurity and Infrastructure Security Agency (CISA)/ FBI advisory reports, National Security Agency, Health Sector Cybersecurity Coordination Center (HC3) reports, and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports
  2. Quantitative analysis of two (2) major survey instruments to determine cybersecurity capabilities3: ¡ CHIME’s Most Wired Survey (n=377), sponsored by First Health Advisory, and ¡ A survey conducted in partnership with Censinet, the American Hospital Association (AHA) and KLAS (n=59)
  3. Twenty (20) conversations conducted with geographically and demographically diverse hospitals. A full list of contributing sources can be found in the Data Sources section of this document. The individual key results (by study source) are located in Studies.

View the detailed report below. 

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

 

Key Resources

Related Resources

Letter/Comment
AHA Responds to CISA Proposed Rule on Cyber Incident Reporting Requirements
Public
Advisory
HHS Issues Alert on Critical Vulnerability in ‘MOVEit,’ File Transfer Platform Used by Health Care Sector
Public
Special Bulletin
AHA Helps Secure New Cybersecurity Resources from Microsoft and Google to Assist Rural Hospitals
Public
Advancing Health Podcast
How to Survive a Cyberattack with Scripps Health: Part Two
Public
Special Bulletin
HHS Authorizes UnitedHealth Group to Make Breach Notifications on Behalf of Providers
Member
Advancing Health Podcast
How to Survive a Cyberattack with Scripps Health: Part One
Public