KLAS Cybersecurity Readiness Assessment ratings will start in April.
A new partnership promises to reduce the effort required for healthcare providers to perform security assessments and help technology vendors focus on dealing with new security issues through a common security preparedness rating system for their products and services.
KLAS Research, a healthcare research and insights firm, announced that product and service security risk assessments from Censinet will be the source of new quarterly KLAS ratings on those products and services. KLAS and Censinet will also collaborate in other ways, such as research, insight sharing, special report access, and cybersecurity best practices.
The prospect has energized CIOs, who find the technology risk assessments they conduct at least annually to be a mountain of work badly in need of pooled provider effort.
Already, these CIOs consult KLAS when considering the interoperability, pricing, product availability, and other aspects of more than 900 healthcare IT products and services. Starting in April 2021, KLAS will add its new Cybersecurity Readiness Assessment service, which it calls the first comprehensive security risk assessment purpose-built for healthcare and accessible on a network.
"Cybersecurity is not getting any easier," says Aaron Miri, MBA, CHCIO, chief information officer at the University of Texas at Austin, Dell Medical School and UT Health Austin. "We're being attacked more and more, particularly given COVID."
Censinet, a two-year-old company, has a large swath of giant healthcare systems already participating in its network. Censinet sends out a standardized questionnaire to 440 vendors of products and services, covering security practices as defined in the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.1.
"It allows me as a CIO to start having conversations with vendors in a very normalized conversational manner, even if I wasn't an expert in security," Miri says.
Centralizing Vendor Risk Assessment Creates Transparency for Providers
The new service also relieves pressure on vendors by creating a mechanism that centralizes their standardized security assessments for view by all Censinet customers, as well as simplified scores to be published by KLAS and viewable at no charge by any provider.
It also reduces the customary overhead of providers comparing notes with each other as each performs its own cycle of security assessments, prompted by annual compliance needs or by reassessments when systems are upgraded.
"Providers have been doing this via email or calling each other or texting forever, and we're sick of it," Miri says. "So there's a lot here that's of value. For UT Austin specifically, we're growing so fast, as a city and what we're doing here to provide medical services, I can't take any risks anymore. I can't just wing it and say, I hope my small army of people catches X, Y, and Z in time."
The HHS Office for Civil Rights has put providers on notice that they face major penalties if they are found to be in violation of regulations requiring security assessments of their own systems and those of business associates, Miri says.
Miri advises health systems just getting up to speed to break the assessment work into pieces: identify the health IT vendors they work with, then prioritize those vendors that handle protected health information.
"Every system has that one analyst with a giant Excel sheet on their computer" tracking security assessments, Miri says. "Why not take all that in there and just apply it to something like Censinet? That's where the value is. Now you're able to share best practices and learn from each other."
All this is in response to a vast increase in the number and sophistication of cyberattacks on healthcare systems in recent years. The COVID-19 pandemic only increased reliance on healthcare IT systems, boosting the incentive for attackers to target the technology components of digital health.
Yet to be seen: How long it will take for efforts such as this to bend the curve on ransomware and other cyberattacks.
UT Austin's Miri likens it to the trajectory that adoption of interoperability technology has taken since 2015.
"In 2016, people didn't even know how to explain the issue with interoperability," Miri says. "Then laws got passed, and Congress got involved and started mandating certain things, because visibility was brought to the problem."
In the same way, Miri says, visibility will be brought to the security risk assessment problem "in a very conversational manner" through the KLAS ratings. Miri also expects "rigorous carrots and sticks, whatever is necessary, is going to be coming out from the various legislative bodies, both state and federal, that say, enough is enough, vendor X."
Censinet does not charge vendors for participating in its risk assessment service, says Taylor Davis, MBA, executive vice president of analysis and strategy at KLAS. "The goal is to have a complete catalog of cybersecurity preparedness across all major vendors and services firms in healthcare technology, and see high-level ratings around some of the core elements of the NIST 1.1 framework of cybersecurity preparedness."
Neither the KLAS ratings nor the deeper analysis available to Censinet customers take the place of the full cybersecurity due diligence process for healthcare organizations. But they offer the kind of higher-level view of vendor security preparedness that can be digested by more non-technical portions of healthcare C-suites.
"They're still going to have to do the risk assessments themselves, based on the data that's in the [Censinet] platform," says Ed Gaudet, CEO and founder of Censinet. "The vendor has complete control of that data, so the provider has to request it. The vendor gets to update their answers, and they get to provide supporting evidence, like data flow diagrams, certificates of insurance, SOC 2 or HITRUST audits. The nice thing is, vendors do it one time," and then reuse that single assessment across numerous providers through the Censinet platform.
When vendors do update their answers, KLAS ratings will reflect whatever changes those answers trigger as part of Censinet's analysis, Gaudet says.
On the provider side, the ratings will be provided at no charge to any provider who registers with KLAS and asks for them. For non-providers, KLAS makes the ratings and deeper analyses available for a fee. This information is requested by educational institutions, investment firms, and governments who are interested in the results of KLAS assessments. Vendors are also able to determine the frequency of reassessments by KLAS.
All healthcare providers who participate by meeting with KLAS and providing feedback about their vendors can view the preparedness of all healthcare vendors and service firms on the KLAS website. Those healthcare organizations that provide a list to KLAS of all their healthcare solutions in use will receive back a personalized report of their vendors' cybersecurity preparedness, KLAS says.
Scott Mace is a contributing writer for HealthLeaders.
CIOs are eager to cut risk assessment workload through shared information collected by Censinet.
The service launches as cyberattacks against healthcare technology have greatly increased.
The adoption curve will parallel KLAS interoperability rating adoption, UT Austin CIO says.