Healthcare IT Security Teams Struggle with Basic Hygiene of Patching, Survey Finds

Healthcare Informatics Magazine | Health IT

April 6, 2018
by Heather Landi

A recent survey of IT security leaders across a range of industries identified a security “patching paradox,” in which organizations plan to hire more resources for vulnerability response, yet most organizations are still using inefficient patching processes.

ServiceNow, a cloud computing company, released its research, “Today’s State of Vulnerability Response: Patch Work Demands Attention,” based on a survey conducted with the Ponemon Institute. ServiceNow commissioned the Ponemon Institute to survey nearly 3,000 IT security professionals, including chief information security officers (CISOs). The goal of the survey was to examine organizations’ vulnerability response tools and processes. Vulnerability response is the process companies use to prioritize and remediate flaws in software that could serve as attack vectors.

Survey respondents are based in Australia, France, Germany, Japan, the Netherlands, New Zealand, Singapore, the United Kingdom, and the United States, and represent organizations with more than 1,000 employees. Eleven percent of organizations, or 322, are in the health and pharmaceutical industries.

At a time when breaches continue to make headlines, the survey found that almost half of organizations have been breached in the past two years. And, a majority of breach victims (57 percent) said that they were breached because of a vulnerability for which a patch was already available. Organizations that avoided breaches rated themselves 41 percent higher on the ability to patch quickly than organizations that had been breached.

According to the survey, the biggest indicator of whether an organization was breached was its performance in vulnerability response. Data breaches often occur because businesses didn’t apply a patch—about a third of companies (34 percent) were actually aware they were vulnerable before the breach.

The survey found that cybersecurity teams already dedicate a sizable proportion of their resources to patching. Organizations spend 321 hours a week on average, or the equivalent of about eight full-time employees, managing the vulnerability response process. That number is set to rise as 64 percent of respondents say they plan to hire more dedicated resources for vulnerability response over the next 12 months. On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response—an increase of 50 percent over today’s staffing levels.

However, the report uncovered what it called security’s “patching paradox”—hiring more people does not equal better security. “While security teams plan to hire more staffing resources for vulnerability response—and may need to do so—they won’t improve their security posture if they don’t fix broken patching processes. Firms struggle with patching because they use manual processes and can’t prioritize what needs to be patched first,” the report states.

According to ISACA, a global non-profit IT advocacy group, the global shortage of cybersecurity professionals will reach 2 million by 2019. More than half (55 percent) of respondents said that they spend more time navigating manual processes than responding to vulnerabilities. What’s more, security teams lost an average of 12 days manually coordinating patching activities across teams.

Most IT professionals (65 percent) said they find it difficult to prioritize what needs to be patched first, and 61 percent indicated that manual processes put them at a disadvantage when patching vulnerabilities. And, many IT security leaders feel that hackers are outpacing organizations with technologies such as machine learning and artificial intelligence.

The study found that efficient vulnerability response processes are critical because timely patching is the most successful tactic companies employed in avoiding security breaches. Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.

“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” Sean Convery, vice president and general manager, ServiceNow Security and Risk, said in a statement. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”

The report also provides five key recommendations to improve security posture:

  • Take an unbiased inventory of vulnerability response capabilities
  • Accelerate time-to-benefit by tackling low-hanging fruit first
  • Regain time lost coordinating by breaking down data barriers between security and IT
  • Define and optimize end-to-end vulnerability response processes, and then automate as much as you can
  • Retain talent by focusing on culture and environment.
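The report's recommendations stay at the process level. As an added example that is not from ServiceNow, the Ponemon Institute or this article, the Python below sketches one way to automate the prioritization step that 65 percent of respondents said they find difficult: each finding is scored on severity, observed exploitation, internet exposure and asset criticality, the number of days a patch has been available but not applied is computed (the condition behind 57 percent of the reported breaches), and findings past their patch SLA are flagged. The scoring weights, SLA windows, vulnerability identifiers and asset inventory are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical patch SLAs in days from patch availability to deployment,
# keyed by the priority tier the scorer assigns. Assumed values, not survey data.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Finding:
    vuln_id: str                     # placeholder identifier, not a real CVE
    asset: str                       # placeholder asset name
    cvss: float                      # base score 0-10
    patch_available: Optional[date]  # None = vendor has not shipped a fix yet
    known_exploited: bool            # exploitation observed in the wild
    internet_facing: bool
    asset_criticality: int           # 1 (low) .. 3 (crown jewel), set by asset owner


def score(f: Finding) -> float:
    """Rank findings so patchable, exploited, exposed ones surface first.
    Weights are illustrative assumptions, not a standard."""
    s = f.cvss
    if f.known_exploited:
        s += 4.0
    if f.internet_facing:
        s += 2.0
    s += (f.asset_criticality - 1) * 1.5
    # No patch available means this belongs in a mitigation queue, not the
    # patch queue; down-weight it so it does not crowd out actionable items.
    if f.patch_available is None:
        s -= 5.0
    return s


def tier(f: Finding) -> str:
    """Map the numeric score onto the SLA tiers above (thresholds assumed)."""
    s = score(f)
    if s >= 12:
        return "critical"
    if s >= 8:
        return "high"
    return "medium"


def days_unpatched(f: Finding, today: date) -> Optional[int]:
    """Days a fix has existed without being applied; None if no fix exists."""
    if f.patch_available is None:
        return None
    return (today - f.patch_available).days


def prioritize(findings, today):
    """Return patchable findings ordered by score, each with tier and SLA status."""
    rows = []
    for f in findings:
        age = days_unpatched(f, today)
        if age is None:
            continue  # unpatchable: route to compensating controls instead
        t = tier(f)
        rows.append({
            "vuln_id": f.vuln_id,
            "asset": f.asset,
            "score": score(f),
            "tier": t,
            "days_unpatched": age,
            "sla_breached": age > SLA_DAYS[t],
        })
    # Highest score first; among equal scores, the longest-outstanding first.
    rows.sort(key=lambda r: (-r["score"], -r["days_unpatched"]))
    return rows


# Constructed sample inventory; identifiers, assets and dates are placeholders.
SAMPLE = [
    Finding("VULN-0001", "vpn-gateway", 9.8, date(2018, 3, 1), True, True, 3),
    Finding("VULN-0002", "hr-portal", 7.5, date(2018, 3, 20), False, True, 2),
    Finding("VULN-0003", "lab-workstation", 5.3, date(2018, 1, 15), False, False, 1),
    Finding("VULN-0004", "ehr-db", 8.1, None, False, False, 3),
]
TODAY = date(2018, 4, 6)

if __name__ == "__main__":
    for row in prioritize(SAMPLE, TODAY):
        print(row)
```

Run as-is, the VPN gateway finding lands at the top as critical and already past its seven-day window, the EHR database finding is excluded because no patch exists for it, and the lab workstation sits last but within SLA. The point of the exercise is the "sla_breached" column: it turns the survey's headline statistic into a per-asset list a team can work through, rather than a number discovered after a breach.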

