In recent years, the importance of robust cybersecurity has been illuminated by large-scale data breaches, regulatory guidance, and consumer privacy concerns.
The health care industry has been particularly hard-hit by cyberattacks, illustrating the cybersecurity challenge in health care.
Considering the growing number of cyber threats and data breaches facing a number of industries, and high public awareness of cybersecurity issues, it was surprising to read the recently released “The Third Annual Study on the Cyber Resilient Organization,” which found the average budget allocated to cyber resilience among surveyed organizations did not increase between 2016 and 2017.
Are companies overly confident in their ability to deal with cyberattacks?
Conducted by Ponemon Institute and sponsored by IBM, a Center for Connected Medicine (CCM) partner, the Cyber Resilient Organization study surveyed 2,800 global security and IT professionals on their organizations’ cyber resilience, an increasingly popular framework for approaching cybersecurity because it aligns threat prevention, detection and response capabilities to manage, mitigate and recover from cyberattacks.
It’s interesting to compare Ponemon’s findings, which were not focused on a specific industry, with results from a CCM survey of health system leaders last year. Released in December 2017, the CCM’s Top of Mind for Top Health Systems 2018 survey found nearly all responding health systems were planning to boost spending on cybersecurity in 2018. Perhaps that’s not unexpected considering the number of high-profile and costly data breaches that have impacted hospitals and health plans in the past few years.
It’s important to note differences between the two surveys. Ponemon’s Cyber Resilient study was global in scale, did not target a particular sector, and looked at data from 2017. The CCM’s Top of Mind 2018 findings were based on a survey of U.S. health IT and health care C-suite leaders on their opinions about top health IT trends for 2018, including cybersecurity.
Still, the two studies tell us something about the complexities surrounding cybersecurity and cyber resilience, and they share several parallel findings:
‘Where health systems are increasing cybersecurity resources in 2018’ from the Top of Mind for Top U.S. Health Systems 2018 study.
- The Cyber Resilient study found the average budget allocated to cyber resilience did not change between 2016 and 2017 – but will budgets increase globally in 2018? We could draw a conclusion from the CCM’s Top of Mind 2018 survey, which found that large health care organizations planned to boost spending on cybersecurity in 2018. Ninety-two percent of Top of Mind 2018 respondents said their organizations would increase cybersecurity technology resources in 2018; 67 percent said their organizations would add cybersecurity staff and 42 percent said they would increase cybersecurity IT leadership in 2018. It will be interesting to see what next year’s Cyber Resilient report shows for 2018, and whether budgets increase. One hint: just 31 percent of those surveyed by Ponemon reported having an adequate budget for cyber resilience in place last year.
‘Allocation of investment to five areas of a CSIRP’ from The Third Annual Study on the Cyber Resilient Organization.
- It’s unanimous: organizations allocate greater resources to identifying and protecting against cyber threats than they do to recovery or response. While the CCM’s survey did not ask specifically about cyber resilience, health care organizations did say they plan to allocate greater resources to identifying threats (54 percent); protecting against threats (50 percent); and detecting threats (50 percent) than to recovery or response after an incident (21 percent and 17 percent, respectively). (Note: Top of Mind 2018 respondents could pick multiple answers.) The Cyber Resilient survey also found prevention and detection activities received the most investment in 2017:
  - Prevention: 44 percent
  - Detection: 26 percent
  - Containment: 15 percent
  - Remediation (recovery): 11 percent
  - Post incident response: 4 percent
- Misplaced confidence in cyber resilience? Ponemon found increased confidence surrounding cyber resilience in 2017, compared with 2016. Seventy-two percent of respondents said their organizations were more cyber resilient, with 48 percent saying their organizations’ cyber resilience was high or very high – up from just 32 percent in 2016. Yet, the study found 77 percent of respondents’ organizations didn’t have a formal cybersecurity incident response plan applied consistently across their organization. And nearly half said their incident response plan was informal, ad hoc or non-existent. What’s more, respondents believed their organizations were more resilient than they were in 2016 in part because of having hired skilled personnel. But the majority (71 percent) said they did not have adequate cybersecurity staff in place.
- Health care leaders were cautiously optimistic. Top of Mind 2018 survey data brought to light some of the same complexities surrounding cybersecurity. While health systems may feel prepared to face a cyberattack, they do not know what the next threat will be or when it will come, which breeds uncertainty. Health systems recognize that they are high profile targets, and feel cautiously optimistic in their defense strategies. But they also note they must maintain constant vigilance and continue to work to improve.
Download The Third Annual Study on the Cyber Resilient Organization for additional findings and recommendations for improving cyber resilience.
For more on cybersecurity in health care and other top health IT trends for 2018, download the Top of Mind 2018 report.