Despite the cyber threats facing healthcare organizations, 95 percent of IT specialists working at medical organizations around the world report that their organizations do not use any software for information security governance or risk management, according to the results of a 2017 IT Risks Survey.
Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, released the results of its Netwrix 2017 IT Risks report, which provides a look into IT security practices, pains, successful experiences and plans in the healthcare industry. The IT risks are divided into three areas: security, compliance and operations.
In a blog about the survey results, Jeff Melnick with Netwrix commented on the survey finding that most organizations do not use any software for security governance or risk management: “There may be two possible explanations for this: organizations either haven’t faced any threats yet, think of security as a “set and forget” thing, which does not require more investment, or they simply do not have enough financial resources.”
What’s more, the survey found that 79 percent of IT operations are at least partially responsible for security, and 68 percent of healthcare providers do not have a separate cybersecurity function, which means the responsibility for security-related tasks will most likely fall on the IT operations teams.
Only 31 percent of healthcare organizations claim to be well prepared to beat IT risks, and more than half (56 percent) of healthcare organizations plan to invest in security solutions to protect against data breaches, the survey found.
Looking at the obstacles to combat cybersecurity, the majority of healthcare organizations indicated lack of budget (75 percent), time (75 percent) and appropriate participation of senior management (44 percent) as the main obstacles to taking a more efficient approach towards management of cyber risks.
When IT specialists at healthcare organizations were asked who they perceive as the biggest threat to their data and system security, more than half (56 percent) reported that they perceive employees to be the biggest threat, compared to 38 percent who cited hackers from the outside as the more serious threat.
Examining the most typical incidents that have happened to healthcare organizations during 2016, overall 59 percent of healthcare organizations had to deal with malware, which is often spread through social engineering attacks and penetrates organizations’ networks mainly due to employees’ negligence.
The second most common cause of security incidents was human error, which encompasses accidental disclosure of sensitive data, loss of critical information stored on mobile devices and other scenarios. As for the system downtime, the main causes of system outages were malicious activities (41 percent) and accidental or incorrect user activity (29 percent).
The survey also looked how organizations prioritize certain areas of security, and the findings indicate that most healthcare organizations focus most of their attention on endpoint security (61 percent) and security of databases (56 percent). Forty-seven percent of organizations said they focus on virtual infrastructure.
The survey respondents also were asked about which areas are the most neglected as far as IT security. Thirty-eight percent reported that unstructured data stored in third-party data centers was the most neglected area, followed by bring-your-own-device data (29 percent) and shadow IT (21 percent).
Healthcare organizations made comply with a wide range of industry standards to ensure that basic security controls are in place and sufficient. Unfortunately, as the study authors point out, the survey results demonstrate that organizations’ readiness to meet compliance requirements leaves much to be desired, as 36 percent of organizations had compliance issues or experienced problems with passing audits. “Interestingly, for many healthcare organizations, the main problem is not the inability to provide a complete audit trail of user activity (which, according to HIPAA requirements, they always do), but rather the inability to retrieve relevant evidence in time,” Netwrix’ Melnick wrote.
Survey respondents also were asked where visibility into user activity is most needed, and 55 percent cited bring-your-own device programs, followed by on-premise systems (47 percent), cloud systems (43 percent) and mobile devices (40 percent).
Melnick wrote that the survey results “found several inconsistencies in the healthcare organizations’ attitudes towards security.” “On one hand, organizations realize the necessity of data protection and control over their complex IT environments. On the other hand, many of them still fail to implement basic cybersecurity controls and experience difficulties in passing compliance audits. Despite following the requirements of HIPAA and other compliance standards, medical organizations are likely to focus on certain areas of IT environment instead of having visibility across all critical systems, which increases their vulnerability to cyber threats,” he wrote.
He also concluded, “Most organizations perceive visibility as being a critical measure in protecting patient data against cyber threats, and, despite all the difficulties, they are ready to invest in data protection and take more proactive approaches to security.”