Cybersecurity leaders are still unsure about recovery from the attack, reports show
More than half of healthcare organizations that responded to a recent cross-industry cybersecurity survey from Travelers say they don’t have a dedicated team to handle a data breach – and even more say they don’t use endpoint detection and response tools .
Meanwhile, national chief information security officials told Deloitte and the National Association of State Chief Information Officers in a recent survey that the threats – exacerbated by the rise of artificial intelligence technologies – are significant and they are unsure if their teams are well positioned to deal with them to go. them.
WHY IT’S IMPORTANT
Among state CISOs from all 50 states and the District of Columbia, 86% said AI, uncertain budgets, cyber threats and changing workforces have increased their data privacy responsibilities, according to an announcement from Deloitte on Monday.
The 2024 Deloitte-NASCIO Cybersecurity Study also found that more than a third of CISOs in the state reported they did not have a dedicated budget for cybersecurity.
A substantial majority (71%) also said they believe the threat level of AI-enabled threats is “high,” while 41% noted they were unsure if their teams can handle all the cybersecurity threats they face.
However, state CISOs did report that they have expanded their skilled workforce since the previous biennial cybersecurity study.
“The good news is that many CISOs in the state have been able to increase workforces by adding specialists to their teams who focus on cybersecurity-related issues,” said Meredith Ward, deputy executive director at NASCIO and co-author of the new report. reportsaid a statement.
Travelers said it was Risk index 2024 also revealed an unprecedented level of concern about cybersecurity threats, with participating healthcare organizations lagging behind on a number of critical cybersecurity controls.
For the survey, Hart Research contacted more than 1,200 U.S. companies (368 small, 500 medium, and 334 large) this summer to ask about their top challenges. The analysis included the opinions of leaders from 100 companies in the healthcare industry.
Of all respondents, 36% had experienced a security breach, 27% had been victims of extortion/ransomware, 27% had information/systems compromised by employees, 26% had experienced a system failure, and 25% employees tricked into transferring money to fraudulent accounts, report finds.
Healthcare respondents in Traveler’s report said unauthorized access to financial accounts was their top cybersecurity concern, followed by system failures or breaches related to remote working, and third was hackers.
While 82% of healthcare organizations said they believed they had the right cybersecurity controls in place, 44% are not using multi-factor authentication for remote access – a failure that led to the removal of Change Healthcare and nationwide payment system outages – and 44% have no incident response plan.
Cyber maturity gaps also abound, with 55% of healthcare respondents reporting they do not have a post-intrusion team in place and 60% not using endpoint detection and response tools.
While some healthcare organizations reported taking measures such as implementing backup data and infrastructure (80%) and firewall protection (72%), conducting employee background checks (72%), and requiring password changes (70%), according to Travelers 2024 Risk Index, there are technologies they may be overlooking that could better protect patient data.
THE BIG TREND
Attack surfaces are expanding as quickly as emerging threats, with data becoming a central part of both government and business operations.
While budget concerns for state CISOs are back in full force in 2024, according to Deloitte, AI threats were the second most concerning type of cyber threat, behind only security breaches involving third parties, but exceeding concerns about malware and ransomware.
While the healthcare industry is underprepared for the scope of cyber threats, the U.S. Health and Human Services 405(d) Program in December focused on how cyber insurance can help organizations recover from an incident and maintain healthcare delivery. Two guides for small And medium sized organizations discuss implementing best practices in cyber insurance.
Over the past year, John Menefee, cyber risk product manager at Travelers Bond and Specialty Insurance, said Healthcare IT news that despite an increase in the number of attacks, insurance options have far from disappeared.
He said cyber insurers understand better than ever how healthcare cyber attacks unfold and can help protect healthcare organizations before threat actors strike.
ON THE RECORD
That includes C-suites and security leaders at healthcare organizations, according to the recent NASCIO report, which sees more CISOs committed to staffing levels commensurate with the scale of the cyber threat.
“In 2020, 16% of CISOs had fewer than five employees focused on cybersecurity initiatives,” Ward said in a statement. “Today, that percentage has dropped to just 4%. In addition to growing their teams, our research shows that these leaders are committed to finding creative solutions to protect their organizations and the public.”
Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
The HIMSS Healthcare Cybersecurity Forum will take place from October 31 to November 1 in Washington, DC More information and registration.