HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Study Reveals Poor Patching Practices in Healthcare

A recent survey conducted by the Ponemon Institute on behalf of ServiceNow has revealed the healthcare and pharmaceutical industries are struggling to keep on top of patching. Vulnerabilities are not being patched promptly leaving organizations open to attack.

The survey was conducted on 3,000 security professionals from organizations with more than 1,000 employees across a broad range of industry sectors and countries. The results of the survey were published in the report: Today’s State of Vulnerability Response: Patch Work Demands Attention.

The report revealed 57% of respondents had experienced at least one data breach where access to the network was gained by exploiting a vulnerability for which a patch had previously been released. A third of respondents said that they were aware that the vulnerability existed and a patch was available prior to the breach. More alarming was two third of organizations did not know they were vulnerable to attack.

Even though there is a considerable risk of vulnerabilities being exploited, 37% of respondents said they do not scan for vulnerabilities and therefore cannot be sure all vulnerabilities are identified and addressed. The healthcare and pharmaceutical industries were slightly better than average, although 28% of IT security professionals from those industries said vulnerability scanning was not performed.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

65% of cybersecurity professionals said they find it difficult to prioritize patching and determine what software should be patched first. 61% said manual processes were putting them at a disadvantage when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.

More than three quarters of IT security professionals felt the delay in patching vulnerabilities was due to a shortage of staff. They simply did not have enough employees to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, but even so, medium to low priority patches are still taking eight weeks or longer to be applied.

60% of respondents saying they were recruiting more staff in the next 12 months to help speed up the patching of vulnerabilities. On average, organizations are looking to hire four new employees solely for vulnerability response.

Deciding to hire more staff is one thing. Recruiting staff is another. There is a shortage of skilled IT staff and the problem is getting worse. According to a recent survey conducted by the advocacy group ISACA, by 2019 there will be 2 million unfilled cybersecurity positions.

Even if staff can be recruited, there is no guarantee that security posture can be significantly improved. While additional staff could certainly help some companies, the report suggests there is a patching paradox – hiring more staff does not mean better security.

“Adding more talent alone won’t address the core issue plaguing today’s security teams,” said ServiceNow Security and Risk Vice President and General Manager Sean Convery. “Automating routine processes and prioritizing vulnerabilities helps organizations avoid the ‘patching paradox,’ instead focusing their people on critical work to dramatically reduce the likelihood of a breach.”

The Ponemon Institute/ServiceNow report offers five recommendations that can help organizations develop a roadmap to a better security posture.

  • Take an unbiased inventory of vulnerability response capabilities.
  • Accelerate time-to-benefit by tackling low-hanging fruit first.
  • Break down data barriers between security and IT to regain lost time spend coordinating between the two
  • Define and optimize end-to-end vulnerability response processes and then automate as much as you can.
  • Retain talent by focusing on culture and environment.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.