A recent KPMG report found that many healthcare organizations are neither collecting data on attacks nor managing them effectively, and might be underreporting the actual number of breaches. These findings are of great concern at a time when the number of cyber-attacks directed at healthcare organizations is increasing.

 

The KPMG study also found that 81% of hospitals and health insurance companies have had a breach in the past two years, even though it seems that only 13% of organizations have had an average of more than one cyber-attack attempt a day.

 

If healthcare organizations aren’t taking the right steps to mitigate attacks and are not collecting data to prevent attacks, it is no wonder successful healthcare breaches are taking place. What’s even more astonishing is the fact that the surveyed healthcare organizations make over $500 million in annual revenue. This indicates that a lack of budget is not the culprit for the lack of data security measures and implementations by these organizations.

 

One area that could be causing problems is staffing.

  • 55% of healthcare providers say they have a hard time staffing their organization.

 

 

Without the right security expertise, it’s not realistic to expect the right steps to be taken in incident response, or to expect an organization to learn from the data collected following a breach in order to improve its network and rid it of vulnerabilities. The security skills gap is a challenge for many businesses worldwide, which is why organizations turn to risk management companies that specialize in information security and have a team of experts readily available.

 

Further findings by the study that deserve attention:

 

  • Only 66% of insurance executives and 53% of hospital executives say they are prepared for an attack.
  • 16% of healthcare providers cannot detect an attack in real time.
  • 15% of healthcare organizations do not have a leader whose sole responsibility is information security.
  • 23% of healthcare organizations do not have a security operations center to identify and evaluate threats.

 

Under these circumstances, it’s very possible that healthcare executives don’t even know their organization has been compromised. The problem isn’t only staffing, but also a disconnect among leadership and in communication about security issues.

 

  • 92% of CEOs think their companies are fully prepared to deal with cyberattacks.

 

Yet according to the findings of this study and other reliable industry studies, healthcare organizations are nowhere near prepared to protect and secure their data.

 

The solutions to the state of healthcare information security start from the heart of the executive team.  Instead of dismissing industry research and continuing to treat risk management as a side component of business, CEOs need to acknowledge how important it is to their business.

 

Information security can help organizations increase their revenue: one of our clients won a $20 billion contract thanks to information security. Add to the revenue benefit the fact that you are protecting your sensitive data (and your clients) from thieves who are targeting you as we speak. Why choose to stay insecure?

 

Make sure your healthcare organization hasn’t been compromised and that your information security posture is where it needs to be so that you can know what’s going on in your network.

 

Photo courtesy of Sergey Nivens