— This is a Health-ISAC Navigator whitepaper by CynergisTek —


2021 Annual Report


Maturity Paradox:
New World, New Threats, New Focus





As CynergisTek delivers our 2021 annual report, it goes without saying that COVID-19 impacted virtually every organization and person across the globe over the past year – a peerlessly devastating pandemic that simultaneously reshaped industries, including ours. The world was forced to accelerate digital transformations that might otherwise have taken years, creating new cybersecurity challenges, particularly within the healthcare sector.


While providers focused on caring for patients during the pandemic, they also had to embrace new care and IT delivery models. Countless workers became remote, switching to devices that ranged from personal to corporate, managed or unmanaged, and sometimes shared with multiple users.


Faced with change, clinicians, administrators, and boards rapidly embraced IT as a strategically important component of care, even if security and privacy remained afterthoughts. At the same time, the 21st Century Cures Act introduced new electronic health record information and interoperability mandates designed to promote data sharing, notably without technical security requirements for APIs. To the extent that 2020 dramatically impacted the healthcare sector’s data and IT practices, it’s clear that those changes are only continuing – and increasing – in 2021, a trend that will continue for years to come.


This year’s report focuses on how well the healthcare industry is progressing instead of simply reporting “scores” and conformance with the NIST Cybersecurity Framework (NIST CSF) and the HIPAA Security Rule. Today and in the future, it is critical to actively reduce cyber risk to the business on a continuous basis, as the business, technology, regulations and rules, and threats and attacks change. In 2020 we saw record ransomware attacks on healthcare, including attacks that came through our vendors and third-party suppliers, and this is continuing into 2021. Yet over half of the sector (64%) is still below what we would consider a passing score. Security will always be a journey; there is no stopping until technology stops advancing, until healthcare stops using technology, until bad guys decide to leave healthcare alone. There is no stopping on the security journey.

State of healthcare security

Because security is a journey, we focused this year’s analysis on how the industry is improving overall, splitting the 2020 data into two cohorts: high performers with a conformance score over 80%, and the remainder as low performers.

64% of the organizations are below the passing grade

In 2020, 560 healthcare provider facilities fell victim to ransomware.

(Source: Emsisoft State of Ransomware Report)


In 2020, the COVID-19 pandemic led to a delay in annual risk assessments, leading to a smaller sample size of 100 assessments compared to data from previous years. Measuring progress alongside overall NIST conformance provides a complete picture of the healthcare industry’s current state of security.

The report’s graph (not reproduced in this excerpt) breaks out organizations whose overall NIST conformance improved or declined. Even though 75% of the industry improved during COVID-19, most of these strides are small and remain far below the accepted 80% NIST conformance threshold.

With the bad guys continuously changing course and innovating, organizations must invest in improving their security posture to stay one step ahead of them. Organizations that choose to do nothing will not only see their NIST CSF scores decline but will be at greater risk of cyberattack and less resilient than those organizations that have invested in security and privacy.


Last year, we noted that “the industry may be too focused on getting good grades rather than reducing risk,” and that while comparisons are useful to provide big picture awareness, “they do not reduce your risk or protect you. This is not about the scores.” We decided to take our own advice this year, so rather than diving into year-over-year trends or NIST and HIPAA conformance, we are not focusing on scores. Instead, we wanted to see what organizations are doing, the core functions of NIST that seemed to drive long-term improvements, and what will drive the direction for Health IT Security over the next twelve months, as threats and attacks grow worse and more numerous. Our intent is to identify opportunities for short- and long-term success.

The three key industry trends we are seeing are:

1. An Ever-Expanding Attack Surface

Healthcare is facing new and augmented challenges from multiple directions, including an increasingly mobile and remote workforce, telehealth, telemedicine, IoT, consumer medicine (as impacted by the 21st Century Cures Act), and, concerningly, the supply chain.

2. Ransomware is a Cyber Weapon of Choice

COVID-19 inspired hackers to pursue ransoms as companies rushed to digitize without adequate security measures, creating more extortion targets. While Help Net Security reported a 358% year-over-year increase in malware overall, research from Deep Instinct found that ransomware specifically increased by 435% from 2019 to 2020, and Coveware reports that the average ransomware payout has grown to nearly $234,000 per event.

3. Threats Against Critical Infrastructure

Healthcare is one of the U.S. government’s 16 critical infrastructure sectors. Threats have recently spread past computers to include Industrial Control Systems (ICS) — everything from freezer sensors to badge readers — and converged Operational Technology/Information Technology (OT/IT) networks, notably including medical devices.

The text above is an excerpt; the full report, including the graphics referenced here, is available as a downloadable paper.
