Patching vulnerabilities in your systems and applications is one of the most important steps you can take to prevent a healthcare data breach at your organization.
Yet, a majority of security professionals in the healthcare and pharmaceutical industries admit that they have had a data breach because of an unpatched vulnerability for which a patch was available.
This was one startling finding of a survey of nearly 3,000 security professionals across industries and countries by the Ponemon Institute on behalf of ServiceNow. The survey results are contained in a report entitled “Today’s State of Vulnerability Response: Patch Work Demands Attention.”
What’s worse, only one-third of respondents in the healthcare and pharmaceutical industries were aware that their organization was vulnerable before the data breach.
Disturbingly, 28 percent of security pros in healthcare and pharmaceuticals do not scan for vulnerabilities in their systems and applications at all. A majority of respondents said they take eight weeks or more to patch a medium- to low-priority vulnerability.
A full 77 percent of respondents said that their organizations do not have enough staff to patch vulnerabilities in a timely manner, while 60 percent said they would hire more staff to help with patching in the next 12 months.
Asked what they would do if new laws were passed holding companies accountable for data breaches, 58 percent of respondents in those industries said they would increase patching automation and 48 percent said they would increase security staff.
Across industries, respondents said that they plan to hire more staff for vulnerability response, that is, prioritizing and remediating flaws in software that could serve as attack vectors. According to the report, however, additional headcount is unlikely to improve their security posture unless they also fix their broken patching processes.
“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said ServiceNow Security and Risk Vice President and General Manager Sean Convery. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”
The survey found that organizations spend 321 hours a week on average—about eight full-time employees—managing the vulnerability response process. Close to two-thirds of respondents said they plan to hire more dedicated resources for patching over the next 12 months.
On average, the respondents surveyed plan to hire about four people dedicated to vulnerability response, a jump of 50 percent over current staffing levels.
However, adding cybersecurity staff may not always be possible. There is a well-documented shortage of qualified cybersecurity staff available to organizations. According to nonprofit IT advocacy group ISACA, the global shortage of cybersecurity professionals will reach 2 million by 2019.
The ISACA survey of 633 cybersecurity professionals found that the skills gap leaves 25 percent of organizations with open security positions unfilled, and therefore exposed, for six months or longer. More than one-third of respondents reported that fewer than 1 in 4 candidates have the qualifications employers need to keep their organizations secure.
Even if skilled staff can be found, hiring them will not necessarily solve the patching challenges facing organizations.
Many respondents to the Ponemon survey said that they spend more time navigating manual processes than actually responding to vulnerabilities. Security teams lose an average of 12 days manually coordinating patching activities across teams.
Close to two-thirds of respondents said they find it hard to prioritize their patching process. A full 61 percent believe that manual processes put them at a disadvantage when patching vulnerabilities.
A majority said that hackers can keep one step ahead of security teams by employing technologies such as machine learning and artificial intelligence.
“Most data breaches occur because of a failure to patch, yet many organizations struggle with the basic hygiene of patching,” said Convery. “Attackers are armed with the most innovative technologies, and security teams will remain at a disadvantage if they don’t change their approach.”
The Ponemon/ServiceNow report offered five recommendations to improve the patching process: 1) take an inventory of vulnerability response capabilities, 2) tackle low-hanging fruit first, 3) break down data barriers between security and IT, 4) optimize end-to-end vulnerability response processes and automate as much as you can, and 5) retain talent by focusing on culture and environment.
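To make recommendations 2 and 4 concrete, here is a small triage routine that ranks open findings into a patch queue and flags the ones that have blown their remediation SLA. This is example code added for this page; it is not from the Ponemon/ServiceNow report or from any ServiceNow product. The SLA values, the asset names and the `F-00x` finding labels are assumptions constructed for the example, not real vulnerability identifiers or survey data. The SLA clock deliberately starts only once a fix exists, because the survey's headline finding is breaches through vulnerabilities "for which a patch was available".

```python
"""Vulnerability-response triage: rank patchable findings and flag SLA breaches."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation SLAs in days per severity. These numbers are an assumption for
# the example; the survey only reports that medium- and low-priority findings
# commonly wait eight weeks (56 days) or more, so "low" sits at that boundary.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 56}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    finding_id: str                  # constructed label, not a real vulnerability ID
    asset: str
    severity: str                    # key of SLA_DAYS
    internet_facing: bool
    discovered: date
    patch_available: Optional[date]  # None: the vendor has not shipped a fix yet


def sla_deadline(f: Finding) -> Optional[date]:
    """The SLA clock starts from the later of discovery and patch availability.
    Findings with no fix get no deadline: they need mitigation, not patching."""
    if f.patch_available is None:
        return None
    return max(f.discovered, f.patch_available) + timedelta(days=SLA_DAYS[f.severity])


def days_overdue(f: Finding, today: date) -> Optional[int]:
    """Positive when the deadline has passed, zero or negative when still in SLA."""
    deadline = sla_deadline(f)
    return None if deadline is None else (today - deadline).days


def prioritize(findings, today: date):
    """Patch queue: highest severity first, internet-facing before internal,
    then the most overdue first. Findings without a fix are excluded."""
    patchable = [f for f in findings if f.patch_available is not None]
    return sorted(
        patchable,
        key=lambda f: (SEVERITY_RANK[f.severity], not f.internet_facing, -days_overdue(f, today)),
    )


def overdue_by_severity(findings, today: date):
    """Count findings past their deadline, per severity (a simple SLA dashboard)."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in findings:
        d = days_overdue(f, today)
        if d is not None and d > 0:
            counts[f.severity] += 1
    return counts


# Constructed inventory for the example; asset names and dates are made up.
TODAY = date(2018, 4, 30)
INVENTORY = [
    Finding("F-001", "ehr-web-01", "high", True, date(2018, 3, 1), date(2018, 3, 5)),
    Finding("F-002", "lab-db-02", "critical", False, date(2018, 4, 20), date(2018, 4, 25)),
    Finding("F-003", "hr-app-01", "medium", True, date(2018, 1, 10), date(2018, 1, 12)),
    Finding("F-004", "imaging-srv-03", "high", True, date(2018, 4, 1), None),
    Finding("F-005", "kiosk-07", "low", False, date(2018, 2, 1), date(2018, 2, 1)),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY, TODAY):
        print(f"{f.finding_id} {f.asset:15} {f.severity:8} overdue={days_overdue(f, TODAY):>4}d")
    print("overdue by severity:", overdue_by_severity(INVENTORY, TODAY))
    print("awaiting vendor fix:", [f.finding_id for f in INVENTORY if f.patch_available is None])
```

Run against the constructed inventory, the queue puts the in-SLA critical finding ahead of the long-overdue high one, which is the point of severity-first ordering: age alone is a poor prioritizer. The finding with no vendor fix is reported separately rather than silently dropped, because it still needs a compensating control.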
The bottom line is that organizations can significantly lessen their chances of being breached by practicing basic security hygiene, such as timely patching of known vulnerabilities for which a fix is already available.