- A recent survey indicates that varying priorities could potentially lead to data breaches, including possible healthcare data breaches.
Not only is there a significant gap between organizations’ IT and security teams, but one of the leading causes of data breaches stem from known vulnerabilities, according to a recent BMC and Forbes Insights survey.
This could have significant impact for the healthcare industry as well, explained BMC VP of Product Management David Cramer.
“What we’ve seen from not just a healthcare perspective, but across a lot of different industries and verticals, is what we’re describing as a security and operations gap,” Cramer told HealthITSecurity.com. “There’s an issue that teams struggle with, from the identification of a vulnerability or a threat, to the remediation of that threat.”
Cramer added that there’s often a lack of automation and a lack of visibility that a lot of teams struggle with, and it is very similar on the compliance side.
“The same thing exists when you run a compliance assessment, and maybe identify where specific rules are being violated or tests are being failed,” he explained. “The time to remediate and get into compliance or get out of that vulnerable exposed state, it’s just too long. That’s the focus of the research we did. We wanted to explore that problem and see where customers are struggling and where they think the solution was.”
BMC Director of Solution Marketing Allison Cramer pointed out the survey statistic that 52 percent of company leaders said they equate regulatory compliance with tighter security.
“The fact that a lot of folks are equating being in compliance with the regulatory issues, and with providing tighter security and being able to protect patients’ really sensitive information, it’s a notable statistic,” she said. “Just to see that people are really able to make that bridge.”
She added that the average time that a vulnerability stayed open at a large enterprise was for 193 days, which is not encouraging.
The survey also showed that 44 percent of security breaches occur even when vulnerabilities and their remediations have previously been identified, while 33 percent of executives said it was challenging to prioritize which systems to fix first. This is because their security and operations teams could have different priorities.
Automation is one of the key things when it comes to addressing that security and operations gap, according to David Cramer.
“The number of devices and the number of issues that pop up, for most organizations they’re at a scale that you can’t handle without having some way to automatically fix and roll out patches and make configuration changes to the system,” he explained. “They just can’t keep up.”
What it comes down to is that people need to be more focused on making the decisions and not focused on executing the repetitive tasks.
Being able to properly map out how fixes can be properly implemented to an infrastructure is also essential, he said.
“There’s a logistics and information mapping problem that a lot of companies are struggling with,” he maintained. “You need to get a good plan in place for how you’re going to take the compliance and vulnerability assessment data and then map it back against your infrastructure so you can prioritize those fixes.”
Finally, the people aspect to any healthcare organization is also important. He concluded that while cliché, the security and operations teams need to be better aligned. It cannot just be a security staff member finding the threat, and then passing it off to operations to fix the threat. There can be competing priorities so collaboration is truly key.
Allison Cramer agreed, adding that it’s not that teams aren’t collaborating enough, but often that they’re not collaborating at all.
“It’s more than collaboration, it’s really just culturally making security the priority,” she urged.
Addressing the gap issue, looking ahead to 2016
The BMC report recommended the following actions to help company leaders address the security and operations gap:
- Create cross-functional working groups to share security, compliance, and operational concerns while implementing regular meetings to build loyalty and trust.
- Develop collaborative workflow processes that smooth interactions of security, IT operations and compliance personnel.
- Replace error-prone manual processes with intelligent compliance and security platforms that automate the testing and rollout of security patches and provide centralized information management tools.
David Cramer added that in addition to compliance issues, cloud environments and increasing cybersecurity threats are key areas for healthcare organizations.
“We’re seeing more and more companies using platform-as-a-service and cloud environments,” he stated. “Being able to understand the compliance and security of an application, or of your data, that’s being run in a third party hosted environment is essential.”
For other cybersecurity threats, he called back to the fact that the average time that a vulnerability is open and available on a large enterprise IT network is almost 200 days. Being able to fix that “is such low hanging fruit,” he explained, and IT organizations have to be able to focus on basic things, such as patching policies and creating continued automated solutions.
According to Allison Cramer, it is “very hard to swallow” the fact that 44 percent of senior executives said that breaches occur even when the vulnerabilities and remediations have been identified.
Even so, the majority of respondents also said they wanted tools for 2016 that could help them with automation and gaining a centralized view into vulnerabilities and remediation actions, which could potentially prove beneficial for the New Year.