IT professionals in the healthcare sector say their security programs are as successful, on average, as those in other industry verticals, according to new research.
The data for 281 respondents in healthcare is broken out in a separate report.
Cyber attacks against healthcare organizations have risen sharply this year. In October, the Canadian Centre for Cyber Security issued a renewed warning of an elevated level of risk to healthcare organizations involved in the response to the pandemic. “Now we’re seeing the attackers go after the vaccine supply chain,” said Dave Lewis, Global Advisory CISO at Cisco Canada. “It’s absolutely staggering in so many ways, but that is how nefarious the attackers can be.”
Nonetheless, IT professionals in healthcare believe their industry is performing slightly better than average at managing risk. However, it could do better at enabling the business and improving operational efficiencies.
Good health in security risk management
In the category of managing risk, the healthcare sector reports its strongest success rates in meeting compliance regulations. Fifty-one per cent of respondents say they’re achieving this outcome, as compared to the global average of 48 per cent. This view isn’t surprising, said Lewis, even though compliance on its own didn’t necessarily correlate to program success in the study. “Compliance is prevalent because of the fact that we take the privacy of patient information so seriously,” he said. “The kind of thing we hold near and dear to our hearts is the ability to trust that our medical information is going to be protected,”
Despite the pressures of the pandemic, healthcare IT professionals reported slightly better than average success at avoiding major incidents and managing top risks. Lewis agreed that that the sector has been making good progress in these areas.
The sector’s performance also ranked well on gaining executive confidence and peer buy-in on security programs. “This is good because historically, there hasn’t always been enough focus on security training in many industry verticals,” said Lewis. “You have to make sure that the end users understand their responsibilities. They have to be part of a wider security ecosystem.”
Extra care needed on the business front
The study shows that healthcare organizations struggle with operational efficiency in their security programs. Like many industries, it has challenges in minimizing unplanned work and streamlining processes.
A contributing factor may be that healthcare has had a steeper learning curve to adjust to the remote work environment, said Lewis. “Healthcare organizations are very focused on patient care and they’re used to being on-premises,” said Lewis. “It is a culture shift to move to a remote workforce so it makes sense that this takes time. They are doing a good job of rising to meet that challenge.”
When it comes to “keeping up with the business,” the healthcare sector scores slightly lower than the global average for all industries. It also struggles to retain top security talent, a common issue across all industries.
The prescription for successful security
IT professionals in healthcare held consistent views with other industries on which security practices lead to the best outcomes. Proactive technology refreshes play a major role in enabling business objectives and managing the top risks faced by healthcare institutions. As the report says, “you can’t teach old tech new threats.” A well-integrated technology stack goes hand-in-hand with the technology refreshes. These two themes were reinforced throughout the main report and, if anything the results are stronger for healthcare. “The value of modern, best-of-breed infrastructure cannot be understated,” the study says.
Lewis said he believes that healthcare institutions in Canada have made recent strides forward in modernizing their technology because of the pandemic. “In the past, the concentration was more on the protection of health records and less on the infrastructure,” he said. “They’ve had to address that in short order because of the need to support a remote workforce and a resilient infrastructure.”
Security awareness training was also seen as key to creating a successful security culture by creating buy-in from peers across the organization.
Automating repeatable procedures is expected to help improve efficiency, strengthen incident detection and, surprisingly, to retain talent. The report suggests that this practice will free security staff from “mundane, soul-crushing tasks to focus on more challenging, rewarding work. Employees who have rewarding jobs are bound to stick around.”
