I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).
Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.
The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation and hybrid environments. (In other words, the following stats are interesting, but keep your bias alert on.)
Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.
What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.
To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.
So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.
That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.
Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.