Health care should invest in security
AFTER MAJOR CYBER ATTACKS IN 2017, EXPERT SAYS BUDGETS TO COUNTER THE THREATS ARE NOT MATERIALISING
It has been a rough few years for the health care sector on the cybersecurity front. There is seemingly a new large-scale breach, ransomware attack or other cybersecurity event impacting multiple fields of the industry — from insurance to health care delivery.
With 2017 in the books and major cyber events such as the WannaCry ransomware attacks that took down much of the National Health Service (NHS) operations in the UK, board members, IT professionals and cybersecurity leaders are all equally on edge with regard to potential cyber impacts in 2018.
It could be surmised that the industry as a whole is being targeted due to a multitude of reasons, with opinions ranging from soft targets to being the custodians of reams of private and sensitive information that is of great value to potential hackers.
The number of cyber incidents is certainly on the rise, with 65 per cent of respondents to a global survey by Ernst & Young (EY) indicating that they had a cybersecurity incident in the past 12 months, eight per cent higher than all other sectors.
As incidents increase further, Wayne Loveless, cybersecurity and advisory partner at EY, said that many in the health care sector believe that the corresponding increases in budgets to counter the threats are not materialising. While more than a quarter of all respondents feel that a 26-50 per cent increase in funding for cybersecurity was needed in their organisations, 10 per cent of the respondents say that a full 100 per cent increase was warranted.
Even as cybersecurity spending is increasing across industry verticals, he said the increases in the health care sector are not keeping pace.
According to EY’s Global Information Security Survey for 2017-18, 97 per cent of global respondents spent $10 million (Dh36.7 million) or less on cybersecurity, while other industries averaged 85 per cent. Furthermore, 59 per cent stated that their cybersecurity budgets increased year on year compared to 63 per cent in other industries, an interesting statistic given the increased level and impacts of cybersecurity incidents across the sector.
“Another complication for securing the health care sector is the complexity in managing the multifaceted supply chains that are littered with third-party suppliers and partners. While still needing improvements, this is one area where the health care sector is outpacing other industries where a full 10 per cent more of organisations require external partners to submit self-assessment of security risks,” Loveless said.
Critical step
However, he said that only four per cent of health care organisations are taking the critical step of maintaining an accurate accounting of their third-party providers, network connections, and data held by third parties compared to 46 per cent across other industries, marking an area for dramatic improvement.
When coupled with a perceived low level of cybersecurity awareness among board members, where 67 per cent of respondents believe that the board has sufficient cybersecurity-related information to spur decision making, the previously noted compounding factors show the urgency of securing data and systems within the sector.
In many cases, he said that decision makers in cybersecurity have no input to the board, with 85 per cent of health care organisations not having a seat in the boardroom.
Moreover, he said that health care providers are one of the largest users and early adopters of technologies that leverage the concept of the Internet of Things (IoT) where medical devices and systems from hospital beds to pacemakers are Internet Protocol-enabled and network connected.
“The perceived risk of IoT usage is thereby much higher in health care overall. However, security for these systems and devices is also impacted by budget constraints, creating a broader attack surface and increased threat aperture for health care provider organisations. This also includes the use of mobile health applications and systems where compromise of data and the potential loss of mobile devices are of increasing concern,” Loveless said.
The rapidly evolving cybersecurity landscape in the health sector requires organisations not just to become more conscious of cybersecurity threats and increase cybersecurity budgets but also to adopt the key characteristics of a cyber-resilient health organisation, he added.