Medical cybersecurity execs may have priorities misplaced, study

News by Robert Abel

A majority of security leaders listed compliance, rather than cybersecurity, as their biggest concern

A recent study that set out to learn how the healthcare industry is dealing with the increasing number of cyberattacks targeting patient data found that those charged with securing the data may have their priorities misplaced.

Carbon Black surveyed 20 leading CISOs from the healthcare industry and found that 83 percent of surveyed healthcare organisations said they’ve seen an increase in cyberattacks over the past year, with 66 percent saying cyberattacks have become more sophisticated over the past year.

When asked what their biggest concern was, these security leaders didn’t answer "cybersecurity" or say how confident they were in their cybersecurity programs; instead, their top answer, given by 33 percent of respondents, was compliance.

Researchers pointed out that "compliance does not equal security" and that too many healthcare organisations that were "compliant" ended up becoming breach victims.

Instead, organisations should focus on building a security program that meets the specific needs of the organisation rather than attempting to check boxes to meet the bare minimum security standards.

Other top concerns included budget and resource restrictions (22 percent of respondents), loss of patient data (16 percent), vulnerable devices (16 percent), and the inability to access patient data (13 percent).

In addition, 45 percent of surveyed healthcare organisations said that over the past year they’ve encountered attacks where the primary motivation was destruction of data, and 66 percent said their organisation was targeted by a ransomware attack during the same time frame.

When asked to self-grade their organisation’s cybersecurity posture, 33 percent gave themselves a C, 25 percent a B, and 16 percent a B-.

One-third of surveyed healthcare organisations said they’ve encountered instances of island hopping on their enterprises over the past year, which consists of network attacks, watering-hole attacks, and reverse business email compromise (BEC) attacks.

The study also found that 84 percent of respondents said they train their employees on cybersecurity best practices at least once per year, and 45 percent said they conduct employee training multiple times per year.

Researchers were also able to uncover what happens to data stolen from medical organisations by monitoring the dark web marketplace. The most common listings were for provider data, forgeries, and hacked health insurance company login information, which, among other malicious uses, could allow cybercriminals to impersonate doctors.

Other uses for the stolen data were to commit insurance fraud, forge prescriptions to carry drugs through airports and other checkpoints, and for extortion. 

This article was originally published on SC Media US.
