The threats of ransomware and phishing are more prevalent than ever — data from the Department of Health and Human Services shows that nearly 3 million individuals were the victims of health data breaches in August. However, not all healthcare providers have appropriately adjusted their strategies to mitigate increasing risk. In fact, a new report shows that many healthcare organizations could be overestimating their level of cloud security.
The report — released Tuesday by ClearDATA, a cloud security solutions provider for healthcare organizations — collected survey data from more than 200 IT, security and compliance leaders at healthcare organizations including hospitals, health systems, ambulatory practices and home health providers. Participants’ companies earn a minimum of $50 million in annual revenue.
A full 85% of respondents said they are confident in their organization’s cloud security and compliance program. However, the report revealed a significant disparity between how C-suite executives view cloud security compared to vice presidents, directors and managers. C-suite executives were more likely to describe their cloud maturity level as advanced, with 64% of them characterizing it this way compared to 20-28% of vice presidents, directors and managers. Being further away from day-to-day realities could give C-suite leaders a false sense of security, claimed Chris Bowen, ClearDATA’s founder and chief information security officer.
“It is likely that the C-suite doesn’t understand what’s happening in their organization,” he said.
C-suite leaders should become more acquainted with the daily operations of their IT and cybersecurity staff so they have an accurate picture of the risks their organizations face, Bowen suggested. They should also ensure that the metrics their team reports back to them show not only what is currently happening at their organization but also what could happen in the future, he said.
Increasing risks have influenced the majority of organizations to increase their cybersecurity budgets, the report showed. More than 70% of cybersecurity budgets grew in 2022 compared to the previous year. Among these budgets that grew, 35% increased by less than 10%, 29% increased by 11-24%, and 7% increased more than 25%.
And in as many as 81% of cases, the decision to augment the budget was made proactively to prevent potential attacks. That’s a good move, given that it is “simply irresponsible” to be reactive when it comes to cybersecurity budgeting, Bowen said.
“The key is to prevent these vulnerabilities rather than react and try to fix the issue after a serious security incident,” he said. “Organizations need to model their approach to the threats they will likely encounter. In healthcare, we know very well what those attack patterns are. The Cybersecurity and Infrastructure Security Agency, HHS, FBI, and Homeland Security have been sharing this information with the healthcare industry quite frequently.”
Even though most respondents reported their their cybersecurity budgets have increased, many said they did not practice crucial risk reduction activities, including the basic practices of backing up data, using multi-factor authentication and handling passwords securely. Even fewer respondents said they had implemented more advanced measures, such as forming a hierarchical cybersecurity policy or simplifying technology infrastructure.
The report also showed that hospitals are more likely than health systems to categorize their cloud security strategy as advanced (43% vs 27%), and health systems are more likely to categorize their cloud security as intermediate (44% vs 34%). This is because hospitals have a smaller footprint and can move in a more nimble manner, according to Bowen.
Outsourcing cybersecurity and compliance solutions to third-party vendors can help healthcare providers move faster, he added. Larger providers (those with more than $500 million in annual revenue) are more likely to outsource all of the management and technology solutions for security and compliance, with 42% of them doing so compared to 22% of smaller providers. This indicates that even though larger providers have greater internal resources than small providers, they are usually further along in their cloud journey and need external assistance to manage the increasing complexity of their cloud operations.
Additionally, smaller organizations are more likely to cite cybersecurity worries as a barrier to cloud adoption. Half of large providers named cybersecurity as a top barrier, whereas 63% of smaller providers said the same. However, cybersecurity worries and cloud adoption should not be at odds, according to Bowen.
“The cloud is actually an enabler of greater security because it uses the latest technologies and reduces the attack surface by leveraging ephemeral approaches and serverless technologies,” he said.
Photo: traffic_analyzer, Getty Images