Healthcare is still inadequately prepared for the scale of cyber threats, says the Kroll report

According to a new cyber readiness report from Kroll, healthcare is the industry most likely to rate itself as having “high security maturity.” But it is also one of the most affected sectors, topping the list of breached industries in 2022 and coming in second last year.

This discrepancy can be traced back to many factors, not least that healthcare organizations have long been among the top targets of cybercriminals and other bad actors.

But it also reflects some factors unique to how healthcare systems approach and assess their own cybersecurity preparedness, according to the consultancy firm’s new research, which examines detection and response capabilities, threat intelligence, offensive security and other aspects of healthcare security.

Other findings from the report: Healthcare organizations must be prepared for an increase in cyber threats in which initial network access is obtained through external remote services, creating a growing need for better endpoint security.

Even as both awareness and spending increase, top healthcare officials must prepare for increased government scrutiny and greater responsibility for overseeing cyber defense.

Closing the ‘self-diagnosis gap’

Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other industries, Kroll researchers said in the new report, “The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare.”

Their research maps the cyber threat landscape in which healthcare currently operates, looking at detection and response, cyber threat intelligence and offensive security.

The complexity of healthcare IT, “not to mention the extremely time-poor workforce that requires both maximum convenience and maximum security of IT operations,” makes it difficult for the industry to protect itself, said Devon Ackerman, Kroll’s global head of incident response and cyber risk.

“The self-diagnosis gap between healthcare’s confidence in its security and its actual security capabilities is particularly concerning given that a cyber incident could disrupt hospital operations and have devastating consequences for patient care and treatment, even endangering human lives,” he said in a statement accompanying the report.

The independent survey of senior IT security decision makers, which was combined for the report with Kroll’s data from handling 3,000 cyber incidents per year, found that more than a quarter of healthcare respondents – 26% – report having immature cybersecurity processes, while nearly 50% believe their processes are “very mature.”

Despite this level of confidence, only 3% of healthcare organizations surveyed have mature cyber processes, researchers said.

Remote access a weak point

Previously, Kroll said the fourth quarter of 2023 had set the tone for a demanding 2024, with companies across industries needing to take a consistent approach to advancing security and preparing for known and emerging threats.

In its fourth-quarter analysis, Kroll called remote access a vulnerable pathway. Ransomware groups increasingly gained initial access through external third-party services, while other threats, such as infostealer malware and business email compromise, were on the rise.

The company said this threat climate is compounded by organizations that offer remote and hybrid work while remaining complacent about security. They must think beyond core network security and build increasingly strong defenses “at the perimeter level,” the researchers said.

Kroll also noted in its Data Breach Outlook report for 2024, published in February, that the financial sector overtook healthcare last year as the sector with the most breaches, even as healthcare showed an annual increase in both the number of breach-related inquiries (14%) and the amount of credit or identity monitoring conducted (99%).

Interestingly, the insurance sector dropped further down the top 10 most affected industries, with an 81% year-on-year decline in breaches compared with 2022, while the technology sector saw a 40% year-on-year increase.

Kroll announced last month that it was tapping Dave Burg, previously the U.S. cyber leader for global firm EY and a PwC cyber veteran, as global head of cyber risk to oversee and expand its threat lifecycle management capabilities.

Control and accountability by the C-Suite

Also in February, Kroll released its 10 trends for 2024 across sectors. Key trends focus on an increasingly complex cyber threat landscape, public and private market economies that continue to diverge, and the growing use of AI and the high level of compliance risk it will bring.

The company said it will be interesting for leaders in all industries to watch how the U.S. Securities and Exchange Commission changes the way it engages private entities. The agency no longer looks only to an entity’s chief compliance officer as its point of contact; it is the upper echelons of the C-suite that it now asks to provide the right resources, both in human capital and in systems.

It is not difficult to imagine that, should the effort bear fruit, holding top executives more accountable for governance and oversight in the financial sector could become a tactic other agencies, such as HHS, try in their own sectors.

“For CEOs and other directors, plausible deniability when it comes to compliance issues is no longer an option,” the Kroll researchers said.

Alongside that, sanctions enforcement is also something to take into account.

Kroll pointed to rules such as the Foreign Corrupt Practices Act, under which “companies that fail to comply face enormous financial and reputational consequences.”

Sanctions compliance is a significant challenge for companies, “with enormous potential financial and reputational risks,” the researchers said. In practice, this means that organizations that pay a cyber ransom to a group that includes a sanctioned individual could find themselves in violation.

Andrea Fox is editor-in-chief of Healthcare IT News.

Healthcare IT News is a HIMSS Media publication.