Healthcare CISOs: Are you getting the most out of your IT security budget?
Most organized hackers target health care records due to the nature of the personal information they contain, which goes beyond just social security numbers and dates of birth. According to Reuters, a single stolen healthcare credential is worth $10 when sold on the black market, which is 10-to-20 times more valuable than a single stolen credit card. Cyber security spending in the healthcare vertical is playing catch-up in comparison to other industry segments, hence the number of data breaches remains stubbornly high. The truth is that there are as many cyber security vendors, both small and large, as there are cyber threats, further complicating the situation.
“Security incidents have soared 60 percent, and the cost of a security breach leaped 282 percent in healthcare.” – PwC
“Healthcare CEOs are aware of the risk involved—69 percent are concerned about cyber threats, and 24 percent are extremely concerned.” – PwC
It is challenging enough to stay current with the threat landscape, but as a CISO your burden is now higher, given the need to invest in the right products and solutions and to partner with industry-leading vendors. We hope to shed some light on the current threats to help you prioritize them based on your business. Armed with a prioritized list, you should be able to focus on the areas that matter to you and maximize the impact of your cyber security budget.
Current Threat Landscape from the 2016 Verizon Data Breach Investigation Report
- 89% of breaches had a financial or espionage motive
- 63% of confirmed breaches involved leveraging weak, default or stolen passwords
- 30% of phishing messages were opened in 2015, and 12% of targets clicked on the malicious attachment or link
- In cases of confirmed data breaches—where data was stolen—discovery took months or more in 56% of cases
- Insider and privilege misuse accounts for 23% of security incidents reported, and it is the leading cause of confirmed data breaches, where data was stolen
Has the spending slowed down?
The good news is that budget allocation increases for information security in healthcare remain strong, based on reports from Cyberedge and PwC. However, there are many small and medium healthcare firms where the IT security budget is anemic and needs a serious uplift. Company boards have started requesting regular security updates to check that there is an ongoing risk-based cyber security program in place to assure data protection.
Is the increased spending helping protect against breaches?
The short answer is probably not. As evidenced by the Verizon DBIR 2016 stats, increased spending on malware protection or endpoint protection has not yielded positive results. The bottom line is that you cannot patch people. According to Cyberedge, an overwhelming 86 percent of respondents are looking to augment or replace their endpoint protection tools.
What is the right approach?
Healthcare first needs to acknowledge that good data protection is essential to achieve good privacy. Here are some recommendations to help bolster your data security posture:
“Organizations are also adopting risk-based cyber security frameworks like the NIST Cybersecurity Framework and HITRUST to help guide their overall security practices.” – PwC
- Adopt a risk-based cyber security framework
- Prioritize and reach a consensus on data-security measures – HIT
- Prevent data breaches with a detection-first approach
- Buy cyber insurance for what can’t be protected
Building a data protection strategy on the assumption that a breach is likely to happen will yield the best results. Learn how to achieve optimal data security with industry-leading products and solutions for healthcare from Imperva.