Ransomware and phishing threats are more common than ever: data from the Department of Health and Human Services shows that nearly 3 million people were the victims of health data breaches in August. However, not all healthcare providers have appropriately adjusted their strategies to mitigate the increased risk. In fact, a new report shows that many healthcare organizations may be overestimating their level of cloud security.
The report — published Tuesday by ClearDATA, a provider of cloud-based security solutions for healthcare organizations — collected survey data from more than 200 IT, security and compliance executives in healthcare organizations, including hospitals, health systems, ambulatory practices and home health providers. Participating organizations earn a minimum of $50 million in annual revenue.
A full 85% of respondents said they are confident in their organization’s cloud security and compliance program. However, the report revealed a significant disparity between how C-suite executives view cloud security compared to vice presidents, directors and managers. C-suite executives are more likely to describe their cloud maturity level as advanced, with 64% of them characterizing it this way, compared to 20-28% of VPs, directors and managers. Being more removed from day-to-day realities can give C-suite executives a false sense of security, says Chris Bowen, ClearDATA’s founder and chief information security officer.
“Management probably doesn’t understand what’s going on in their organization,” he said.
C-suite executives need to become more familiar with the day-to-day operations of their IT and cybersecurity staff so they have an accurate picture of the risks their organizations face, Bowen suggested. They also need to ensure that the metrics their team reports to them show not only what’s happening right now in their organization, but also what might happen in the future, he said.
Rising risks have prompted most organizations to increase their cybersecurity budgets, the report shows. More than 70% of cybersecurity budgets grew in 2022 compared to the previous year. Among those budgets that increased, 35% increased by less than 10%, 29% increased by 11-24%, and 7% increased by more than 25%.
And in a full 81% of cases, the decision to increase the budget was made proactively to prevent potential attacks. This is a good move, considering that “it’s just irresponsible” to be reactive when it comes to cybersecurity budgeting, Bowen said.
“The key is to prevent these vulnerabilities instead of reacting and trying to fix the problem after a major security incident,” he said. “Organizations must model their approach to the threats they are likely to encounter. In healthcare, we know very well what these attack patterns are. The Cybersecurity and Infrastructure Security Agency, HHS, the FBI, and Homeland Security quite often share this information with the healthcare industry.”
Although most respondents reported that their cybersecurity budgets had increased, many said they had not practiced important risk mitigation activities, including the basic practices of backing up data, using multi-factor authentication, and handling passwords securely. Even fewer respondents said they had implemented more advanced measures, such as forming a hierarchical cybersecurity policy or simplifying technology infrastructure.
The report also showed that hospitals are more likely than health systems to categorize their cloud security strategy as advanced (43% vs. 27%), and health systems are more likely to categorize their cloud security as intermediate (44% vs. 34%). That’s because hospitals have a smaller footprint and can move in a more agile way, according to Bowen.
Outsourcing cybersecurity and compliance solutions to third-party providers can help healthcare providers move faster, he added. Larger providers (those with more than $500 million in annual revenue) are more likely to outsource all security and compliance management and technology solutions, with 42% doing so, compared to 22% of smaller providers. This shows that although larger providers have greater internal resources than smaller providers, they are typically further along in their cloud journey and need external help to manage the increasing complexity of their cloud operations.
Additionally, smaller organizations are more likely to cite cybersecurity concerns as a barrier to cloud adoption. Half of large providers cited cybersecurity as a major obstacle, while 63% of smaller providers said the same. However, cybersecurity concerns and cloud adoption don’t have to be at odds, according to Bowen.
“The cloud is actually a vehicle for greater security because it uses the latest technologies and reduces the attack surface by using ephemeral approaches and serverless technologies,” he said.
Photo: traffic_analyzer, Getty Images