How a Proactive Approach Improves Healthcare Cybersecurity

June 06, 2016

A recent survey showed that most companies do not use a data security vendor until after a data breach, which could impact the effectiveness of healthcare cybersecurity policies.

Because healthcare data breaches were the most reported data security incident in 2015, it is not surprising that more organizations are employing or seeking a third-party managed security services vendor to help identify and react to healthcare cybersecurity threats. Yet many healthcare organizations wait until after a significant data loss before engaging cybersecurity professionals.

According to a recent survey from Raytheon and the Ponemon Institute, about two-thirds of businesses reported that their organizations only engage a cybersecurity vendor after a significant data breach occurs. This reactive approach to data security has been linked to an increase in data loss.

“Cybersecurity is not a waiting game, and organizations without the expertise and tools required to identify and respond to skilled adversaries need to understand that,” said Jack Harrington, Vice President of Cybersecurity and Special Missions at Raytheon Intelligence Information and Services. “The old approach waited for technology to flag known threats.”

Using a managed security services provider could help organizations advance data security policies, the survey reported. Overall, the main reasons for engaging a data security vendor were improving security postures (59 percent), recruiting and retaining IT talent (58 percent), and a lack of in-house data security technologies (57 percent).

For healthcare organizations, researchers found that strengthening healthcare data security policies was still the primary motivator for engaging a data security vendor (60 percent), but IT staffing was less of a concern. Only 45 percent stated that their organization hired a third party to help manage IT staffing.

The majority of companies agreed that managed security services providers are important for understanding the threat landscape, explained the survey. Sixty-five percent of respondents across industries reported that data security vendors were able to leverage insights from tracking numerous data security incidents.

However, many data security vendors were unable to detect new threats in a timely manner. About 51 percent of participants indicated that data security providers could only effectively mitigate risks after they were identified.

Additionally, about 54 percent of respondents stated that their data security vendor was able to identify existing software vulnerabilities more than three months old. Most security providers were also only able to detect 45 percent of existing software vulnerabilities that were newer.

“Too many organizations today rely on reactive models and automated tools that attempt to detect threats through signature-, rule- or sandbox-driven models,” stated Raytheon Foreground Security’s President David Amsler. “The reactive approach is not enough to stop the determined and sophisticated adversaries which are most often the cause of significant damage or data loss.”

While only 16 percent of respondents stated that their managed security services provider offered a proactive approach, more companies are starting to seek vendors that fit their specific needs.

When outsourcing data security services, healthcare organizations, like the majority of companies surveyed, sought vendors that provided interoperability capabilities with established security intelligence tools (71 percent). This was followed by speedy deployment of services (59 percent).

Despite developing vendor requirements, healthcare organizations indicated that there were some barriers to successfully outsourcing security services. About half of healthcare organizations said that a lack of visibility into the vendor’s IT security infrastructure was a significant challenge.

Forty-three percent of companies in the healthcare field also stated that outsourcing was inconsistent with their organization’s culture, which made it difficult to select a data security vendor.

Outsourcing healthcare cybersecurity has been a major obstacle for many healthcare organizations because of unique data security and patient privacy needs.

Last year, a Black Book poll reported that fewer than one in 10 health plan IT executives were considering full or end-to-end offshored healthcare data security solutions. Healthcare executives were hesitant to outsource data security services because of an increase in healthcare data breaches and a lack of confidence in a vendor’s ability to robustly protect patient data.

Additionally, reports about new, more sophisticated healthcare cybersecurity threats, such as hospital ransomware and malware, have not made it easier for healthcare organizations to select the best data security vendor for their needs.

As organizations prepare to outsource healthcare cybersecurity, executives and IT staff may need to search for a security provider that uses a more proactive approach before their organization faces a healthcare data security incident. A cybersecurity provider that is able to identify and mitigate the newest threats could be the key to protecting an organization from a healthcare data breach.