While healthcare cybersecurity is an increasing concern for covered entities, recent research shows that other industries may also need to put a higher focus on cybersecurity threats.
Seventy-five percent of cybersecurity professionals expect their organizations to experience a cyberattack in 2016, according to State of Cybersecurity: Implications for 2016, an ISACA and RSA Conference survey.
The survey was conducted in November and December 2015 among 461 cybersecurity professionals from a variety of industries.
Six percent of the population surveyed was from the healthcare or medical field.
With an increase in data security breaches and sophistication of attacks, as the survey reports, executive leaders are emphasizing cybersecurity as a top priority because of its impact on an organization’s brand, reputation, and fiscal state.
According to the survey, many more executives are viewing cybersecurity as a technical concern rather than a business issue. However, data security breaches can harm, or even destroy, an organization’s reputation and brand.
For example, 82 percent of those surveyed report that their board of directors is “concerned” or “very concerned” about cybersecurity.
“Executive support for cyber is essential… Many attacks target the weakest link, executives who do not follow good practices, and employees who are security unaware,” Ron Hale, PhD, CISM, ISACA Chief Knowledge Officer, wrote in an ISACA blog post.
On the other hand, only 21 percent of chief information security officers report to the board and 63 percent report through the chief information officer. While executive leaders are prioritizing security, most still do not have a stable reporting structure for IT information.
Executive leaders can support IT security by enforcing security policy, providing funding, following best practices for security, and creating education and training tools. This can only occur with additional funding. Fortunately, 61 percent of those surveyed reported that their organizations are increasing cybersecurity budgets in 2016.
Despite budget increases, organizations are discovering a global shortage of highly skilled IT security workers. Fifty-nine percent of respondents stated that less than half of their IT security job candidates were considered “qualified upon hire.” The candidate pool mostly lacked work experience and certifications.
Internally, companies are not providing the training necessary to support employees. Most organizations surveyed relied upon on-the-job, vendor, and independent training as the top methods for educating their technical staff.
The skills gap in potential candidates and seasoned employees created a lack of confidence in cybersecurity management. Sixty percent of all participants do not believe that their IT security staff can manage sophisticated cybersecurity attacks.
Confidence in IT security staff may need to become a priority in the face of new attacks on organizations. The survey states that the majority of attacks were phishing, malware, and social engineering attacks.
Companies sometimes lack training for professionals on how to identify and resolve potential data security attacks. Only 53 percent of respondents believed that their awareness program was effective. Additionally, 24 percent of those surveyed reported that they did not know which threats exploited their organizations.
Despite a lack of awareness, 74 percent of the participants state that their organizations were “very likely” or “likely” to go through a cyberattack in 2016.
“We win some battles, but we are still plagued by attack types that have been long standing problems. We may not always be aware that we are being attacked, so we are too often late in responding,” Hale wrote.
The ever-growing realm of technology is posing a real threat to cybersecurity. The survey found that 53 percent of participants are “concerned” or “very concerned” with the Internet of Things increasing cybersecurity risk. Artificial intelligence and the Internet of Things are cited as top security concerns.
“We have all seen reports of advanced technologies, including medical devices and self-driving cars being hacked,” Hale stated in the blog post.
As the healthcare industry moves towards electronic health records, increased interoperability, and mHealth developments, cybersecurity becomes an organizational concern.
The healthcare industry is especially vulnerable because its databases contain PHI and other sensitive information. In a recent study, Ponemon reported that healthcare organizations are averaging one cyberattack per month.
A recent Experian survey also found that healthcare cybersecurity is a top concern going into 2016, especially with high-profile health data security breaches, such as the ones at Anthem and Premera Blue Cross.
With constant technological advancements, patient information becomes more vulnerable. Cybersecurity becomes a challenge for the whole organization, not just the IT professionals.
“But [board members] don’t care about security until there’s a headline in the newspaper,” Symantec Health IT Officer David Finn, CISA, CISM, CRISC, recently told HealthITSecurity.com. “And then they call the CIO and the CISO to come to the board meeting. We’ve got to change the focus in healthcare on security.”
Image credit: ISACA, RSA