Healthcare Information Security


How External Threats May Impact Health Data Security Measures

A recent Ponemon report shows security leaders believe they lack necessary tools to mitigate external threats, which might not bode well for health data security needs.

By Elizabeth Snell

Ransomware threats and other recent cybersecurity threats show that health data security measures must be comprehensive and current. However, a recent study shows that organizations might be lacking the necessary resources to mitigate potential external threats.

Health data security measures for external risk may need improvement

The Ponemon report, Security Beyond the Traditional Perimeter, found that 64 percent of surveyed security leaders (directors or higher) feel that they lack the tools and resources they need to monitor external threats, while 62 percent said they lack the tools and resources they need to analyze and understand external threats.

The report was sponsored by BrandProtect and consisted of interviews with 591 IT and IT security practitioners in the US. Sixty-five percent of respondents were either CISOs or in IT security operations, and were in sectors such as financial services, industrial and manufacturing, and health and pharma.

“The majority of security leaders understand that these external internet threats imperil business continuity,” Ponemon Research Institute President Larry Ponemon said in a statement. “The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises.”

External threats are outside of a company’s traditional firewall/security perimeter, Ponemon explained, and use channels such as email, social media, or mobile apps to infiltrate an organization.

Surveyed organizations were found to experience more than one cyber attack per month, incurring annual costs of approximately $3.5 million from the attacks.

Reputational damage was the top concern listed by respondents, with 51 percent reporting it as a key worry. Branded exploits (40 percent), compliance/regulatory incidents (33 percent), and hacktivism/activism (31 percent) were the next top concerns listed.

Insufficient risk awareness was listed as the main barrier to having an effective monitoring approach, according to the report, with 50 percent of respondents listing it as their top hindrance.

The second top barrier was a lack of knowledgeable staff (45 percent), while 43 percent of those surveyed said a lack of technologies and tools was the main barrier to having an effective monitoring approach.

Ponemon graph of barriers to effective monitoring process  

For healthcare specifically, just 34 percent of respondents in the health and pharma industry stated that their organization had the tools and resources necessary to monitor external threats. Furthermore, only 26 percent said their entity had the tools and resources necessary to analyze and understand external threats, while 29 percent reported the necessary tools were in place to mitigate those threats.

Ponemon graph of industry ability to monitor external risk threats

The financial services industry was most likely to have a formal process in place for monitoring the internet and social media, the report found. Industrial and manufacturing was least likely to have the same type of monitoring process in place.

Health and pharma was in the middle, with 16 percent of those respondents either strongly agreeing or agreeing that their organization had such a process in place.

Ponemon graph of organizations having a formal monitoring process

With healthcare data breaches costing more than those in other sectors, covered entities need to ensure that they are utilizing all available resources to keep sensitive data secure. Finding the right third party for healthcare cybersecurity needs could be beneficial, but research from earlier this year shows it is also an area that numerous industries need to improve upon.

A survey from Raytheon and Ponemon published last month found that two-thirds of businesses said that their organizations only engage a cybersecurity vendor after a significant data breach occurs.

For healthcare specifically, the report found that 60 percent of respondents said improving healthcare data security policies was the primary motivator for engaging a data security vendor, while 45 percent said they engaged with an outside company to help manage IT staffing.

“Cybersecurity is not a waiting game, and organizations without the expertise and tools required to identify and respond to skilled adversaries need to understand that,” Raytheon Vice President of Cybersecurity and Special Missions Jack Harrington said in a statement. “The old approach waited for technology to flag known threats.”

Image credit: Ponemon, BrandProtect
