Ransomware and cybercrime hacking have been two of the most common IT security threats in 2016, but many health care organizations aren’t ready to play defense: Only about 60 percent of surveyed organizations had the security capabilities in place to detect and remediate these attacks.
That’s problematic, of course, but is it surprising? After all, many health care organizations place more importance on HIPAA compliance than on security, or they aren’t agile enough to protect themselves against the newest threat. Organizations tend to sink their energy into defending against the latest threat of the day, but lag on improving their overall security architecture.
Intel has conducted security assessments, which identify an organization’s relevant security capabilities for a wide range of threats, for health care providers and other related entities throughout the world. These capabilities, about 40 in total, run the gamut of an IT security posture: policy, malware prevention, email and web gateways, network segmentation, whitelisting, and incident response planning, just to name a few. These assessments also show participating health care organizations how their security capabilities compare to the rest of the industry.
Here’s what those assessments uncovered, and how an assessment can help your organization improve its threat readiness and security posture.
High priority, but are they ready?
Many organizations know the risks of a cyber attack, but does that make them ready to defend against one or more? Not quite.
Intel’s assessments found that the average readiness score (the percentage of the capabilities relevant to detecting and stopping a specific threat that an organization actually has in place) for ransomware is just 59 percent. That means the average organization has not integrated many of the tools capable of spotting an attack, stopping it, or both. The lowest-scoring organization had a readiness score of just 17 percent, while the most prepared organization scored 80 percent.
For cybercrime hacking, including malware that harvests critical data, the average readiness score sat at 61 percent. The lowest-scoring organization had one-fourth of the necessary capabilities, while the most ready organization had 85 percent of those security measures in place.
What do these figures reveal? Many organizations are exposed to these threats, leaving plenty of room for improving their security posture.
What organizations do right and wrong
Many organizations tend to correct one security flaw, thinking they’ll be safe from attacks in general – but that’s hardly the case.
Here’s an example. When a ransomware attack hits, the best practice for remediation has been to restore data from a backup. About 80 percent of health care organizations can do so. But there’s an overdependence on it, which often leads organizations to overlook the root cause of ransomware – poor security – and focus instead on the remedy. Not to mention, backup and restore does nothing to prevent cybercrime hacking or a DDoS attack.
Remember, cybersecurity is a moving target; ransomware was unknown to many organizations last year, and now it’s the most-discussed threat. So organizations have to prepare for the newest attacks as well as the threats that haven’t made headlines yet.
These readiness scores provide organizations with a benchmark against the industry. The assessment can provide useful information on IT’s priorities, where resources should be focused, and what security technologies should be invested in.
Health care organizations must focus on readiness and not individual threats. Building up a security posture – firewalls and gateways, whitelisting tools, response plans, and data recovery – will keep health care organizations flexible in their fight against the newest threats.
Remember, strong IT security revolves around the incremental steps IT can take to build a strong defense. Organizations that understand which security controls they already have in place give IT and C-suite leaders a clearer view of where they’re falling short, and that clarity helps them prioritize their security needs.
Intel and SHI are partnering to offer health care organizations a complimentary and confidential one-hour security breach assessment. This report benchmarks your security maturity, priorities, and capabilities against the HLS industry. Contact your SHI Account Executive to learn more.
About the author
David Houlding is the Director of Healthcare Privacy and Security at Intel Health and Life Sciences (HLS), and has more than 23 years of experience in healthcare, privacy and security, and enterprise architecture. His responsibilities include privacy and security leadership for the HLS industry globally. David is a CISSP (Certified Information Systems Security Professional) and a CIPP (Certified Information Privacy Professional).