The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Study Reveals 56% of Healthcare Organizations Plan to Invest in Data Breach Protection Solutions

The Netwrix Corporation, a provider of a visibility platform for data security and risk mitigation in hybrid environments, has published the results of a recent study on healthcare IT risks. Netwrix asked healthcare IT professionals about the biggest security risks faced by their organizations, how security budgets are being allocated and the main areas where future security budgets will be directed.

Netwrix said, “We aimed to look deeper into IT security practices, successful experiences and plans of healthcare organizations, as well as the most typical pain points.”

The survey shows the biggest data security concern of healthcare IT professionals is employees. 56% of respondents said employees were the biggest data security threat. Only 38% believe the biggest threat comes from hackers.

The results are unsurprising, since the majority of data security incidents in 2016 were caused by the actions of employees. The two biggest causes of data security incidents last year were malware and human error, with malware often installed as a result of the actions of employees. 59% of respondents said they had experienced malware incidents in 2016, while 47% said they had to deal with security incidents caused by human error.

While healthcare organizations have invested heavily in cybersecurity defenses, only 31% of respondents said their organization is well prepared to beat cyber risks. Budgets are primarily being directed at protecting endpoints, databases and virtual infrastructure. 61% said their main focus was endpoint security, 56% said databases and 47% said virtual infrastructure. The main focus of future investment was data breach prevention for 56% of organizations, with 25% saying they are focused on new measures to prevent intellectual property theft and 25% on technologies to prevent cyber sabotage.

The report authors pointed out that “Despite following the requirements of HIPAA and other compliance standards, medical organizations are likely to focus on certain areas of IT environment instead of having visibility across all critical systems, which increases their vulnerability to cyber threats.”

The study revealed a number of key areas where security protections are lacking. 38% of respondents said unstructured data in third-party data centers was a major data security risk. The other main areas that had been neglected were BYOD (29%) and shadow IT (21%).

Data stored in third-party data centers tends not to be as sensitive as data stored on-premises, although poor visibility and a lack of control of data in hybrid cloud environments posed security problems. While measures are being introduced to improve the security of personal devices, a lack of visibility threatened organizations’ security posture.

Michael Fimin, CEO and co-founder of Netwrix, said, “Having a clear understanding of what is going on in the environment will help [healthcare organizations] mitigate the risk of human errors, detect and investigate incidents faster, and, as a result, improve the security of their sensitive patient data.”

The main obstacles preventing healthcare organizations from managing cybersecurity risks more effectively were time and money. Three quarters of respondents said a lack of money and a lack of time were hampering efforts to manage cyber risks more effectively, while 44% of respondents said a lack of participation of senior management was a major obstacle.

Healthcare organizations have had plenty of time to implement policies to comply with the Health Insurance Portability and Accountability Act (HIPAA) and to put sufficient security protections in place to safeguard protected health information. However, 36% of respondents said they had experienced problems with compliance and passing audits. One of the major problems was not a failure to maintain an audit trail of user activity but the inability to access that information and produce it for auditors in the allocated time frame.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
