A recent survey conducted by risk management software vendor Netwrix has revealed only 5% of healthcare organizations are using software for risk management and security governance. Additionally, only 32% of healthcare organizations said they had a separate cybersecurity function.
Stolen healthcare records are being sold for big bucks on darknet marketplaces and there is high demand for data. Hackers are increasingly attacking healthcare organizations due to the high potential returns. The risk of healthcare cyberattacks and data breaches is now greater than ever before.
Even though hackers are extensively targeting the healthcare industry, the greatest threat comes from within. As the Protenus Breach Barometer healthcare data breach reports show, negligent and malicious insiders cause the most data breaches. As Netwrix co-founder and CEO Michael Fimin explained, “Even though most employees do not have malicious intent, organizations need to gain visibility into user activity across the IT infrastructure.”
He also pointed out that many HIPAA covered entities do not know what is happening in their environment. That means it is not possible to effectively mitigate human error, data breach detection is slow, and the response time to incidents is too long. Insider data breaches often take many months – or even years – to discover.
Respondents to the survey rated employees as the biggest security threat. Malware was rated as the biggest cause of security breaches by 59% of respondents. Malware is often installed as a result of employees responding to phishing emails. 47% of respondents said human error was the main root cause of breaches.
The main security focus for organizations was endpoint security (61%), database security (56%) and virtual infrastructure security (47%).
When asked about their compliance programs, 36% of respondents said they had experienced problems passing an audit or were having difficulty with HIPAA compliance, which, Netwrix notes, involves maintaining proper audit trails.
The biggest data security problem areas were unstructured data in third-party data centers, BYOD, and employees installing unauthorized software (Shadow IT).
The main obstacles preventing enhancements to cybersecurity defenses were a lack of budget and time; both were rated as major obstacles by 75% of respondents. 44% of respondents said insufficient participation from senior management was an issue.
56% of respondents said they will be investing in information security in the next 12 months, with the main areas being data breach prevention technology, intellectual property theft prevention, and technology to prevent cyber sabotage.