- The healthcare industry is one of the worst when it comes to data security knowledge, according to data from Wombat Security’s learning management system.
Customers in the healthcare industry answered 23 percent of IT security best practice questions wrong on average, second only to the hospitality industry, which posted a 24 percent incorrect answer score.
Wombat, a security awareness training provider, collected the data from its CyberStrength knowledge assessments and interactive training modules.
Healthcare tied with manufacturing and professional services industries at the 23 percent wrong answer mark. The best (lowest) score went to government and technology sectors, with an average of 20 percent of the security questions answered wrong.
The questions covered the following security knowledge categories: avoiding ransomware attacks, building safe passwords, identifying common security issues, identifying phishing threats, protecting against physical risks, protecting and disposing of data securely, protecting confidential information, protecting mobile devices and information, defending against scams, using the internet and social media safely, and working remotely safely.
By category, healthcare customers performed worse on questions involving protecting and disposing of data securely, with an average of 28 percent incorrect answers. They were also lacking in their understanding of how to protect mobile devices and information, with a 27 percent incorrect answer score.
This might be one reason why healthcare IT professionals are concerned about mobile device security. In fact, mobile device security was a top concern of IT decision makers recently surveyed by Vanson Bourne on behalf of mobile device management provider Jamf.
Healthcare was also bad at identifying phishing threats, getting 24 percent of the questions about phishing wrong.
In its recent Data Breach Investigations Report (DBIR), Verizon found that phishing and pretexting represented an astounding 98 percent of social incidents and 93 percent of breaches. So, knowledge of phishing threats is vital to an industry that handles a lot of sensitive data.
And phishing emails are the favorite delivery mechanism of ransomware, the most popular form of malware, found in 39 percent of malware-related data breaches.The DBIR found that ransomware accounts for 85 percent of all malware targeting the healthcare industry.
“Due to the ease of the attack, the low risk for the criminal, and the potential for high monetary yields, [ransomware] is likely here for a lengthy stay,” the report observed.
While healthcare professionals are bad at identifying phishing threats, they are best at avoiding ransomware attacks, answering only 10 percent of the questions on that topic incorrectly. This might reflect greater awareness of ransomware given the recent attacks against healthcare providers. Healthcare also performed well in building safe passwords, with a 12 percent incorrect answer score.
While not one of the Wombat categories, cloud security is top of mind of healthcare IT professionals as they move sensitive data to the cloud. Yet visibility into who is accessing that data is lacking for many.
Another survey of 853 organizations by Netwrix, a provider of a visibility platform for data security and risk mitigation in hybrid environments, found that the top cloud security concern for healthcare was unauthorized access and malware infiltration.
A majority of respondents identified employees as the biggest risk to sensitive data stored in the cloud, while 13 percent identified third parties with legitimate access as the biggest risk. Only 14 percent of respondents have visibility into the activity of business users, and 21 percent have visibility into the activity of IT staff.
For 50 percent of respondents, increasing employee training and tightening security policies are the key steps to improve cloud security.
Despite the risks, 69 percent of organizations plan to transfer more sensitive data to the cloud in the near future.
One-quarter of respondents said that cloud adoption would worsen the overall security of IT infrastructures and 39 percent were not sure what the impact would be. Yet a similar percentage said that their organization plans to more their entire infrastructures to the cloud within the next five years.
So, the bottom line is that the healthcare industry has a lot of work to do in improving their security posture and educating their workers about security threats and how to avoid them. Or face HIPAA fines and patient lawsuits if they don’t.