Healthcare is the industry most likely to self-assess as having “very mature security,” according to Kroll's new Cyber Readiness Report. But it is also one of the most breached sectors: it topped the list in 2022 and took second place last year.
This discrepancy has many causes, especially given that healthcare organizations have long been a top target for cybercriminals and malicious actors.
But it also reflects some factors unique to how health systems approach and evaluate their cybersecurity response, according to the advisory firm's new research. The study examines detection and response capabilities, threat intelligence, offensive security, and other factors in healthcare.
The report's findings also include: healthcare organizations must prepare for an increase in cyberthreats in which initial network access is gained through external remote services, increasing the need for improved endpoint security.
And even as both awareness and spending trend upward, health system executives should prepare for increased government oversight and greater personal accountability for the oversight of cyber defenses.
Filling the “self-diagnosis gap”
In a new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare,” Kroll researchers find that healthcare organizations are 65% more likely to completely outsource cybersecurity services than organizations in other sectors.
Their research maps out the cybersecurity threat landscape in which the healthcare sector currently operates, with a focus on detection and response, cyber threat intelligence, and offensive security.
According to Devon Ackerman, Global Head of Incident Response at Kroll, the reality of healthcare IT complexity, “not to mention extremely time-strapped staff who need both maximum convenience and security from IT operations,” makes it difficult for the industry to protect itself against cyber risk.
“Given that cyber incidents can disrupt hospital operations, have devastating consequences for patient care and treatment, and even put lives at risk, the self-diagnosis gap between healthcare institutions' confidence in their security and their actual security capabilities is particularly worrying,” he said in a statement accompanying the new report.
An independent survey of senior IT security decision makers worldwide, combined with data from Kroll, which handles 3,000 cyber incidents annually, found that more than a quarter of respondents in healthcare businesses (26%) rated their cybersecurity processes as immature or mostly immature, while 50% believe their company's processes are “very mature.”
Despite this level of confidence, only 3% of healthcare organizations surveyed have mature cyber processes in place, according to the researchers.
Weaknesses of remote access
Previously, Kroll said the fourth quarter of 2023 would set the tone for a challenging 2024, one that will require companies across all sectors to adopt a consistent approach to hardening security and to prepare for known and emerging threats.
In its Q4 analysis, Kroll cited remote access as a vulnerable pathway. While ransomware groups are increasingly gaining initial access through external remote services, other threats such as information-stealing malware and business email compromise are also on the rise.
The company said this climate is challenging for organizations that offer remote or hybrid work and have grown comfortable with their security. The researchers said organizations need to think beyond central network security and need stronger defenses than ever at the “perimeter level.”
In its 2024 Data Breach Outlook report released in February, Kroll also revealed that the financial sector overtook healthcare as the most breached industry last year, with healthcare accounting for 14% of post-breach calls. Kroll pointed out that both figures increased from the previous year, and that credit or identity monitoring was involved in 99% of cases.
Interestingly, compared with 2022, the insurance industry saw an 81% year-on-year decline in breaches, and the other top 10 most breached industries saw further declines, while the technology sector saw a 40% year-on-year increase.
Last month, Kroll announced the hiring of Dave Berg, former head of Americas cyber at global firm EY and a PwC cyber veteran, as global head of cyber risk to oversee and expand its threat lifecycle management capabilities.
Executive scrutiny and accountability
Also in February, Kroll released its 10 industry-wide trends for 2024. The top trends focus on the increasingly complex cyber threat landscape, the continuing divergence of public and private market economies, and the growing use of AI along with the significant compliance risks it poses.
The company said what will be of interest to all industry leaders is how the U.S. Securities and Exchange Commission pivots in how it engages with private companies. Government agencies no longer treat a company's chief compliance officer as their point of contact; instead they go to the top of the C-suite to ask about ensuring adequate resources, from both a human capital and a systems perspective.
If that effort succeeds, it is not hard to imagine that increasing executive responsibility for governance and oversight in the financial sector could be a tactic that other agencies such as HHS try as well.
“Plausible deniability is no longer an option for CEOs and other executives when it comes to compliance issues,” the Kroll researchers wrote.
In addition, companies should be careful to cross every ‘t’ and dot every ‘i’ when it comes to sanctions.
Kroll cited regulations such as the Foreign Corrupt Practices Act, which “inflicts significant economic and reputational consequences on companies that violate them.”
The researchers say sanctions compliance is a “significant challenge with potential financial and reputational risks” for companies, adding that organizations that pay cyber ransoms to groups that include sanctioned individuals could find themselves in violation of those sanctions.
Andrea Fox is a senior editor at Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.