
Black Book’s Annual Cybersecurity Survey Reveals Healthcare Enterprises Are Not Maturing Fast Enough, Processes Continue Underfunded and Understaffed

The industry is deluged with new applications, challenging systems, new devices and innovative approaches to handling and sharing data.

PRESS RELEASE  MAY 14, 2018 08:00 EDT

TAMPA, Fla., May 14, 2018 (Newswire.com) – Black Book Market Research LLC surveyed over 2,464 security professionals from 680 provider organizations to identify gaps, vulnerabilities and deficiencies that persist in keeping hospitals and physicians proverbial sitting ducks for data breaches and cyber attacks.  Ninety-six percent of IT professionals agreed with the sentiments that data attackers are outpacing their medical enterprises, holding providers at a disadvantage in responding to vulnerabilities.

A fragmented mix of 410 vendors, including large IT companies, mid-size and small security vendors and start-ups, offering data security services, core products and solutions, software, consulting and outsourcing received user feedback in the polling period Q3 2017 to Q2 2018.

Over 90 percent of healthcare organizations have experienced a data breach since Q3 2016 and nearly 50 percent have had more than five data breaches during the same timeframe.  Not only has the number of attacks increased, more than 180 million records have been stolen since 2015, affecting about one in every 12 healthcare consumers.

The dramatic rise in successful attacks by both criminal and nation-state-backed hackers illustrates how attractive and vulnerable these healthcare enterprises are to exploitation. Despite these wake-up calls, the provider sector remains exceedingly susceptible to ongoing breaches.

Budget constraints have encumbered the practice of replacing legacy software and devices, leaving enterprises more susceptible to an attack. “It is becoming increasingly difficult for hospitals to find the dollars to invest in an area that does not produce revenue,” said Doug Brown, founder of Black Book. According to 88 percent of hospital representatives surveyed, IT security budgets have remained level since 2016. As a percentage of IT organizational budgets, cybersecurity has decreased to about three percent of the total annual IT spend.

Despite the lack of earmarked funds by U.S. buyers, Black Book projects the global healthcare cybersecurity spend to exceed $65 billion cumulatively over the next five years.

A third of hospital executives that purchased cybersecurity solutions between 2016 and 2018 report they did so blindly without much vision or discernment.  Ninety-two percent of the data security product or service decisions since 2016 were made at the C level and failed to include any users or affected department managers in the cybersecurity purchasing decision. Only four percent of organizations had a steering committee to evaluate the impact of the cybersecurity investment.

“The dilemma with cybersecurity budgeting and forecasting is the lack of reliable historical data,” said Brown. “Cybersecurity is a newer line item for hospitals and physician enterprises and budgets have not evolved to cover the true scope of human capital and technology requirements yet.”

Last year’s Black Book cybersecurity survey revealed 84 percent of hospitals were operating without a dedicated security executive. Unable to recruit a qualified healthcare chief information security officer, 21 percent of organizations opted for security outsourcing to partners and consultants or selected security-as-a-service options as a stop-gap measure.

That shortage of healthcare cybersecurity professionals is forcing a rush to acquire services and outsourcing at a pace five times that of cybersecurity products and software solutions. Cybersecurity companies are responding to the labor crunch by offering healthcare providers and hospitals a growing portfolio of services.

“The key place to start when choosing a cybersecurity vendor is to understand your threat landscape, understand the type of services vendors offer and compare that to your organization’s risk framework to select your best-suited vendor,” said Brown. “Healthcare organizations are also more prone to attacks than other industries because they persist at managing through breaches reactively.”

Fifty-seven percent of IT management respondents report their operations are not aware of the full variety of cybersecurity solution sets that exist, particularly mobile security environments, intrusion detection, attack prevention, forensics and testing.

Fifty-eight percent of hospitals did not select their current security vendor in advance of a cybersecurity incident.

Thirty-two percent of healthcare organizations did not scan for vulnerabilities before an attack.

“Providers are at a severe disadvantage when they are forced to hastily retain a cybersecurity firm in the midst of an ongoing incident as the ability to conduct the necessary due diligence is especially limited,” said Brown.

Sixteen percent of healthcare organizations reported they felt intimidated by a vendor to retain services when the vendor identified a vulnerability or security flaw. “While the intrinsic nature of cybersecurity radiates pressures and urgency, hospitals shouldn’t let this dictate the vendor selection process,” said Brown.

Sixty percent of healthcare enterprises have not formally identified specific security objectives and requirements in a strategic and tactical plan. Without a clear set of security goals, providers are operating in the dark and it’s impossible to measure results.

Eighty-three percent of healthcare organizations have not had a cybersecurity drill with an incident response process, despite the skyrocketing cases of data breaches in the healthcare industry.

Only 12 percent of hospitals and nine percent of physician organizations believe that a Q2 2019 assessment of their cybersecurity will show improvement. Twenty-three percent of provider organizations believe their cybersecurity position will worsen, as compared to three percent in other industries.

In 2018, 24 percent of providers still do not carry out measurable assessments of their cybersecurity status. Of those that did, seven percent used an objective third-party service to benchmark their cybersecurity status, six percent used an objective software solution to benchmark their cybersecurity status and 78 percent self-assessed with their own criteria.

Twenty-nine percent of respondents currently report they do not have an adequate solution to instantly detect and respond to an organizational attack.

Seventy-four percent of surveyed CIOs did not evaluate the total cost of ownership (TCO) before making a commitment to sign their current cybersecurity solution or service contract. Eighty-nine percent reported they bought their cybersecurity solution to be compliant, not necessarily to reduce risk when the IT decision was made.

Healthcare organizations are hyper-focused on patient care and reimbursement. “Cybersecurity risks are not on the forefront of executives’ minds,” said Brown. “Medical and financial leaders also wield more influence over organizational budgets making it difficult for IT management to implement needed cybersecurity practices despite the existing environment.”

BLACK BOOK ANNOUNCES THE 2018 TOP CYBERSECURITY SERVICES & SOLUTIONS VENDORS

Black Book Market Research LLC conducts polls and surveys with healthcare executives and front-line users about their current technology and services partners and awards top-performing vendors based on 18 qualitative indicators of client experience and solution/service satisfaction and three indicators of customer loyalty. Black Book surveyed users of 18 categories of cybersecurity vendors, consultants and advisors, which produced the 2018 rankings of No. 1 performing suppliers.

AUTHORIZATION & AUTHENTICATION SOLUTIONS – FIREEYE

Other Top Authorization & Authentication Solution Vendors include: SAILPOINT, AVATIER, SECUREAUTH, AUTH0, OPTIMAL IDM, CROSSMATCH & IMPRIVATA.

BLOCKCHAIN SOLUTIONS – HASHED HEALTH

Other Top Blockchain Solution Vendors include: POKITDOK, IBM BLOCKCHAIN, HEALTHCOMBIX, MEDICAL CHAIN, HEALTH LINKAGES, GEM & BLOCK MD.

COMPLIANCE & RISK MANAGEMENT SOLUTION – CLEARWATER COMPLIANCE

Other Top Compliance & Risk Management Solution Vendors include: EY, DELOITTE, SERA-BRYNN, KPMG, COALFIRE, CYNERGISTEK & BAE SYSTEMS.

CYBERSECURITY ADVISORS & CONSULTANTS – LEIDOS

Other Top Cybersecurity Advisors & Consultants include: KPMG, EY, SECURE DIGITAL SOLUTIONS, CYNERGISTEK, IBM, ATOS & IMPACT ADVISORS.

CYBERSECURITY TRAINING & EDUCATION – KNOWBE4

Other Top Cybersecurity Training Solution Vendors include: INSPIRED ELEARNING, DIGITAL DEFENSE, THE SANS INSTITUTE, (ISC)2, OPTIV, VANGUARD & CIRCADENCE.

DDOS ATTACK PROTECTION – IMPERVA

Other Top Cybersecurity DDOS Attack Protection Vendors include: CLOUDFLARE, F5 NETWORKS, FORTINET, ARBOR NETWORKS, NEXUSGUARD, AKAMAI TECHNOLOGIES & ROOT9B.

END POINT SECURITY SOLUTIONS – CARBON BLACK

Other Top End Point Security Solutions include: SYMANTEC, FORTINET, CHECKPOINT SOFTWARE, DUO, ABSOLUTE SOFTWARE, COUNTERTACK, TREND MICRO & MCAFEE.

ENTERPRISE ACCESS MANAGEMENT – BOMGAR

Other Top Access Management Vendors include: IMPRIVATA, TREND MICRO, MICROSOFT, CISCO, SAILPOINT, RSA SECURITY & MICRO FOCUS.

ENTERPRISE FIREWALL NETWORKS – FORTINET

Other Top Firewall Network Vendors include: SONICWALL, ZSCALER, CHECKPOINT SOFTWARE, PALO ALTO NETWORKS, CISCO, HUAWEI, FORCEPOINT & SOPHOS.

HEALTHCARE DATA ENCRYPTION – ONPAGE

Other Top Data Encryption Vendors include: SENETAS, THALES, DATA LOCKER, SYMANTEC, SOPHOS, CHECKPOINT SOFTWARE, TREND MICRO, FLEXENTIAL, VIRTRU & APRICORN.

INTRUSION PROTECTION SOLUTIONS – IMPERVA

Other Top Intrusion Protection Solution Vendors include: CISCO, INTEL SECURITY (MCAFEE), TREND MICRO TIPPINGPOINT, IBM, PALO ALTO NETWORKS, ALERT LOGIC, HEWLETT PACKARD & EXTREME NETWORKS.

MEDICAL DEVICE & INTERNET OF THINGS SECURITY – FORTIFIED HEALTH SECURITY

Other Top Medical Device & IoT Security Solution Vendors include: BAYSHORE NETWORKS, SENRIO, RUBICON, SECURERF & BASTILLE.

OUTSOURCING & NETWORK MANAGED SERVICES – TRUSTWAVE

Other Top Outsourcing & Managed Services Vendors include: CYTELLIX, SECUREWORKS, DXC TECHNOLOGIES, ARMOR, BOMGAR, NTT, OPTIV, LEVEL3 & AT&T.

PATIENT PRIVACY MONITORING – FAIRWARNING

Other Top Patient Privacy Monitoring Solution Vendors include: CONVERGEPOINT, HAYSTACK, IATRIC, CYNERGISTEK, MAIZE ANALYTICS, JERICHO SYSTEMS & TRUEVAULT.

RANSOMWARE PROTECTION – ZIX CORPORATION

Other Top Ransomware Protection Solution Vendors include: IBOSS, ZSCALER, DIGITAL GUARDIAN, WEBSENSE, CISCO, SYMANTEC & BARKLY.

SECURE COMMUNICATIONS PLATFORMS – DOC HALO

Other Top Secure Communications Platform Vendors include: PERFECTSERVE, PATIENT SAFE SOLUTIONS, VOCERA, IMPRIVATA, SPOK, ONPAGE, TIGERTEXT & TELEMEDIQ.

THREAT DETECTION & CYBER ATTACK PREVENTION – DIGITAL GUARDIAN

Other Top Threat Detection & Prevention Vendors include: SYMANTEC, FORCEPOINT, CROWDSTRIKE FALCON, CARBON BLACK, TRAPX SECURITY, MCAFEE, FIREEYE, IBM, FORTINET & CYLANCE.

THREAT INTELLIGENCE & ANALYTICS – JVION

Other Top Threat Intelligence & Analytics Vendors include: EY, RAYTHEON, RAPID7, CSC, HAYSTACK, NOVETTA, REDSEAL & SAS INSTITUTE.

About Black Book Research

Black Book Market Research LLC, its founder, management and staff do not own or hold any financial interest in any of the vendors covered and encompassed in the surveys it conducts. Black Book reports the results of the collected satisfaction and client experience rankings in publication and to media prior to vendor notification of rating results and does not solicit vendor participation fees, review fees, inclusion or briefing charges and/or vendor collaboration as Black Book polls vendors’ clients.

In 2009, Black Book began polling the healthcare user and client experience of now over 600,000 healthcare software and services users. Black Book expanded its survey prowess and reputation of independent, unbiased crowd-sourced surveying to IT and health records professionals, physician practice administrators, nurses, financial leaders, executives and hospital information technology managers. Cybersecurity services and products satisfaction and client experience polling was initiated in 2013 by Black Book Market Research LLC.

May 14, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 5 blogs containing over 11,000 articles with John having written over 5500 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 18 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Survey Shows Insider Threats on the Rise: Organizations Experience an Average of 3.8 Attacks per Year

Survey by Crowd Research Partners Shows Endpoints Are by Far the Most Common Launch Point for an Insider Attack; Highlights Need for Robust Endpoint Security and Policies

VERO BEACH, FL – (June 24, 2015) – SpectorSoft™, a leader in the user activity monitoring and behavior analysis market, today released results of the Insider Threat Report, a crowd-based research project that was done in cooperation with the 260,000+ member Information Security Community on LinkedIn and Crowd Research Partners to gain more insight into the state of insider threats and solutions to prevent them. The final report results were based on a comprehensive survey of over 500 cybersecurity professionals from organizations of varying sizes across many industries; the results highlight the increasing need for better security practices and solutions to reduce the risks posed by insider threats.

Among the report’s findings:

The Rise of Insider Attacks: A majority of security professionals (62 percent) saw a rise in insider attacks over the last 12 months, while 22 percent saw no rise, and 16 percent were unsure if they had been attacked or not.

Frequency of Insider Attacks: Forty-five percent of respondents cannot determine whether their organizations experienced insider attacks in the last 12 months. Twenty-two percent said they experienced between one and five attacks, and 24 percent of organizations believe they experienced no attacks at all. Of the respondents who were willing to admit they suffered an insider attack, the average number was 3.8 incidents per organization per year.

Cost of Remediation: The overall average cost of remediating a successful insider attack is around $445,000. With an average risk of 3.8 insider attacks per year, the total remediation cost of insider attacks can quickly run into the millions of dollars.

Monitor Insider Activity on the Endpoint: The survey highlights the need for robust endpoint security and policies; respondents identified endpoints as the most common launch point for insider attacks (56 percent); this was followed by networks (43 percent) and mobile devices (42 percent).

Top Insider Threats: Organizations overwhelmingly maintained that data loss was the top concern regarding insider threats. When asked which types of insider attacks were most concerning, 63 percent of respondents said data leaks, 57 percent said inadvertent data breaches and 53 percent said malicious data breaches.

Vulnerable Data: Sixty-four percent of respondents feel extremely, very or moderately vulnerable to insider threats. Due to its value to attackers, the most vulnerable type of data is customer data (57 percent). This was closely followed by intellectual property (54 percent) and financial data (52 percent).

Internal versus External Attacks: Sixty-two percent of respondents find it more difficult to detect internal threats than external threats, while 38 percent cannot determine which type of threat is most difficult to detect.

Monitoring the Threat: When it comes to threat monitoring, 75 percent of companies monitor the security controls of their applications, 60 percent monitor a majority of all of their key IT assets, while only 21 percent continuously monitor user behavior taking place on their networks.

“The survey and report called out a rise in insider threats, the difficulty in detecting them, and the significant costs in cleaning up after a successful insider attack,” said Mike Tierney, COO, SpectorSoft.  “Companies need the ability to detect for anomalies in user behavior to make sure they are aware of the threats that exist within their organizations, because insiders will deviate from their normal behavior patterns when planning and executing an attack.”

About SpectorSoft

SpectorSoft is the leader in user activity monitoring and an innovator in user behavior analysis software. SpectorSoft has helped more than 36,000 businesses, government organizations, schools and law enforcement agencies improve how they address security and achieve compliance. SpectorSoft’s award-winning solutions include enterprise-grade insider threat detection software, a powerful user activity monitoring solution deployed by thousands of companies in more than 110 countries, robust Event and Security Log Management, and the world’s leading employee investigation tool. For more information, please visit www.spectorsoft.com.

June 26, 2015 | Written by John Lynn

HITRUST and (ISC)²® Partner to Develop Professional Standards for Credentialing in Healthcare Information Security

With Healthcare Breaches on the Rise, New Alliance Will Help Fill Market Demand for Qualified Healthcare Security Pros

Palm Harbor, Fla., U.S.A., December 12, 2012 – (ISC)²® (“ISC-squared”), the world’s largest information security professional body and administrators of the CISSP®, and the Health Information Trust Alliance (HITRUST), a non-profit organization responsible for the development, management, education and awareness relating to health information security and the leading organization aiding the healthcare industry in advancing the state of information protection, announced today they have entered into an agreement to meet the growing demand for qualified security professionals who can protect sensitive healthcare information. This relationship was also established to allow both organizations to connect with key stakeholders in the healthcare market that can contribute to building new IT security certification and education programs for healthcare professionals.

According to a recently released HITRUST report, “A Look Back: U.S. Healthcare Data Breach Trends,” the healthcare industry has made very little progress in reducing the number of breaches, and the industry’s susceptibility to certain types of breaches has been largely unchanged since breach data became available from the U.S. Department of Health and Human Services (HHS) and the new Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health (“HITECH”) Act requirements went into effect. The HITRUST analysis concludes that every organization would benefit from better education of professionals and from simpler identification of the skills needed in the professionals available to assist them in their security efforts. In fact, HHS recommends that smaller organizations seek out certified professionals to help conduct risk assessment and analysis if they lack the capability in-house.

“Through this cooperative relationship, HITRUST and (ISC)² will work together to ensure information security professionals working in healthcare have the required skills to be successful within their organizations and careers,” said Daniel Nutkis, chief executive officer, HITRUST. “Our experience has shown us that organizations with more knowledgeable security professionals manage information risks better and have more advanced information security programs. Healthcare organizations will benefit from having a simpler method to ensure their information protection professionals have the appropriate skills.”

In the U.S. alone, there are approximately 5,754 hospitals registered with the American Hospital Association and almost 240,000 physician practices, according to market research firm SK&A. Some of the key challenges that healthcare organizations face today include:

· They must not only safeguard sensitive patient information within their immediate sphere of control, but they must also ensure the security and privacy of the information shared with their vendors, contractors, and business partners;

· They must comply with vague and non-prescriptive regulations at various levels with HIPAA, HITECH and meaningful use;

· They must contend with the complexities posed by a wide range of business partners with differing capabilities, requirements and risk profiles; and

· They must continuously address significant security, privacy and compliance risks in an effort to protect patient information.

“Healthcare IT professionals are at a critical juncture. With the move to electronic health records, complex regulations to adhere to, and sophisticated cyber security threats knocking at their doors, they have no choice but to improve their security skills and knowledge,” said W. Hord Tipton, CISSP-ISSEP, CAP, CISA, executive director of (ISC)². “Our new relationship with HITRUST underscores our joint commitment to address this problem and improve not only the skills of healthcare information security professionals, but also cyber security professionalization. We believe that an organization’s privacy and security programs are significantly enhanced when properly trained and experienced individuals are involved. As we look toward 2013, (ISC)² and HITRUST are thrilled to join forces to bring the healthcare IT market real solutions for educating, qualifying and certifying professionals in this field.”

This new cooperative development between HITRUST and (ISC)² will establish metrics for qualifications held by information protection professionals in the industry. In January 2013, the organizations will conduct a credential-building workshop, with several key contributors involved in the job task analysis (JTA) they are jointly working on. This workshop will help the organizations identify the major job requirements and subsequently the knowledge and skills needed by a healthcare information protection professional to fulfill these requirements.

Some of those participating experts include:

· Cathy Beech, chief information security officer, The Children’s Hospital of Philadelphia

· Kevin Charest, chief information security officer (acting), U.S. Department of Health & Human Services

· Clara Cheung, senior systems manager (application infrastructure), Hong Kong Hospital Authority

· Bryan Cline, vice president, CSF development and implementation, and chief information security officer, HITRUST

· Jamie Crow, IT regulatory compliance analyst, Express Scripts

· Leo Dittemore, director, IS security administration, HealthCare Partners, LLC

· Michael Gerleman, director of audit and compliance, Availity

· Kevin Haynes, chief privacy officer, The Nemours Foundation

· Darren Lacey, chief information security officer, Johns Hopkins University/Johns Hopkins Health System

· Taylor Lehmann, chief security officer, Independent Health

· Joy Poletti, director – IT security compliance, Catholic Health Initiatives

· John Sapp, senior director, information security and IT risk management, McKesson Corp.

· Jason Taule, corporate information security and privacy officer, CSC Civil Health Sector

· Ken Vander Wal, chief compliance officer, HITRUST

· Jason Zahn, IT senior internal audit manager, University of Pittsburgh Medical Center

About HITRUST

The Health Information Trust Alliance (HITRUST) is a non-profit organization that was born out of the belief that information security should be a core pillar of, rather than an obstacle to, the broad adoption of health information systems and exchanges. HITRUST, in collaboration with healthcare, business, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. Beyond the establishment of the CSF, HITRUST is also driving the adoption of and widespread confidence in the framework and sound risk management practices through awareness, education, advocacy and other outreach activities. For more information, visit HITRUSTalliance.net.

About (ISC)²

(ISC)² is the largest not-for-profit membership body of certified information security professionals worldwide, with over 87,000 members in more than 135 countries. Globally recognized as the Gold Standard, (ISC)² issues the Certified Information Systems Security Professional (CISSP®) and related concentrations, as well as the Certified Secure Software Lifecycle Professional (CSSLP®), Certified Authorization Professional (CAP®), and Systems Security Certified Practitioner (SSCP®) credentials to qualifying candidates. (ISC)²’s certifications are among the first information technology credentials to meet the stringent requirements of ANSI/ISO/IEC Standard 17024, a global benchmark for assessing and certifying personnel. (ISC)² also offers education programs and services based on its CBK®, a compendium of information security topics. More information is available at www.isc2.org.

January 3, 2012 | Written By