Cybersecurity Survey Results
4 November 2015
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.

Learning Objectives
- Identify the tools in use to secure the healthcare environment.
- Learn how organizations assess, prevent and detect cybersecurity events.
- Learn which threat motivators respondents were most concerned about.
- Determine which items are the biggest barriers to mitigating cybersecurity incidents.

History of HIMSS Security Research
First survey conducted in 2008 in USA:
- Three-quarters of respondents conducted a risk analysis
- Spent less than three percent of IT budget on security
- User-based and role-based controls to secure patient information
Conducted for the sixth time in 2014 in USA:
- Greatest security threat motivator encountered in healthcare is healthcare workers snooping into records
- 92 percent conducted a risk analysis
- Half reported spending three percent or less of their overall IT budget on securing patient data

SUMMARY RESULTS CYBERSECURITY SURVEY 2015
Motives for Improving Information Security Posture
Top motivators for improving information security environments included results of risk assessment and virus/malware and vulnerability analysis results.

Information Security as Business Priority of respondents indicated information security had increased as a business priority
Enhanced Information Security Capabilities
Chart labels (in page order): Improved Continuity of IT; Network Security; Data Loss Prevention; Disaster Recovery; Improving the Protection of Endpoints
Chart values (in page order): 73%, 67%, 63%, 33%, 27%

Information Security Tools in Place
- Access control lists
- Antivirus / malware
- Audit logs of every access to health patient records and
- Public Key Authentication / Web of Trust (e.g., PGP)
- Biometric Technologies (static - for example, fingerprint or
- Data encryption (data at rest)
- Data encryption (data in transit)
- Data loss prevention application (DLP)
- Digital signature
- Firewalls
- Intrusion detection system (IDS)
- Intrusion prevention system
- Messaging Security Gateway
- Mobile Device Management (MDM [Mobile Device
- Mobile application management (MAM [Mobile Application
- Multi-factor authentication (i.e., two-factor authentication)
- Network monitoring tools (e.g., data flow analysis tools)
- Patch management and vulnerability
- Single Sign On
- User access controls
- Web security gateway
- Do not know

Ability to Protect Information
Rate the options on a scale of 1-7, where one is "not prepared" and seven is "fully prepared".
- Brute Force Attacks (4.75)
- Exploit Known Vulnerabilities (4.6)
- Phishing Attacks (4.5)
- Negligent Insider Attacks (4.4)
- Malicious Insider Activity (4.4)
- Zero Day Attack (4.3)
- Denial of Service (DoS) Attacks (4.2)
- Advanced Persistent Threat Attacks (4.1)

Techniques Used to Detect and Investigate Incidents
Chart labels (in page order): Monitoring activity logs; Monitoring user access records; Network monitoring
Chart values (in page order): 61.9%, 61.9%, 71.4%
Chart labels (in page order): Working with local/state law enforcement officials; Use of cyber threat intelligence; Do not know; None of the above
Chart values (in page order): 14.3%, 4.8%, 9.5%, 9.5%

Preparedness to Detect Security Incidents
Rate the options on a scale of 1-7, where one is "not prepared" and seven is "fully prepared".
Statement: Average
- Brute Force Attack: 4.25
- Exploitation of Known Software Vulnerabilities: 4.25
- Malicious insider attacks: 4.20
- Negligent insider attacks: 4.15
- Zero Day Attacks: 4.05
- Phishing Attacks: 4.00
- Denial of Services (DoS)/Distributed Denial of Services (DDoS): 4.00
- Advanced Persistent Threat (APT) Attacks: 3.90

Consequences of Security Incidents
Chart labels (in page order): Loss of Data/Information; Limited Disruption to Operations; Significant Impact on IT Systems; Damage to IT Systems; Other Impact
Chart values (in page order): 31%, 19%, 6%, 19%, 6%

Exploitation of known software vulnerabilities is a concern
Respondents are highly concerned about exploitation of known software vulnerabilities in the future: 65% of those polled named it as their biggest concern.

Significant Threats of the Future: Top Ten
Chart labels (in page order):
- Exploitation of known software vulnerabilities
- Malicious internal agent
- Domain Name System (DNS) poisoning attacks
- Denial of Service attacks
- Advanced persistent threat attacks
- Phishing attacks
- Brute force attacks
- Lax internal agent
- Social engineering attacks / elicitation (except phishing attacks)
- SQL injection attack
Chart values (in page order): 40%, 40%, 40%, 45%, 45%, 50%, 50%, 55%, 55%, 65%

Drivers of the Most Common Threats
Chart labels (in page order):
- Employees stealing patient information
- Members of workforce spying on information
- 3rd Consultants/Suppliers spying on information
- Medical identity theft (external)
- Employees stealing business information of the Consultant/Supplier who steal organisation's
- Black market activities
- Financial identity theft (external)
- Industrial espionage
Chart values (in page order): 25%, 25%, 35%, 50%, 50%, 45%, 45%, 40%, 55%

Staff Allocation to Information Security Function
Chart labels (in page order):
- Dedicated to information security only part-time
- Member of the full-time staff
- Information security handled by external
- Chief Information Officer
- Information Security Director (Chief Information Security)
- No team members (Internal or external)
- Others
Chart values (in page order): 23.30%, 16.70%, 10.00%, 6.70%, 6.70%, 3.30%, 33.30%

Barriers to Information Security (Percent)
- Lack of adequate cybersecurity staff: 60%
- Lack of financial resources: 55%
- Too many emerging threats: 25%
- Lack of know-how to use and effective implementation: 20%
- Lack of technologies and tools for effective use: 20%
- Too many endpoints: 20%
- Too many users too much for provisioning and deprovisioning of accounts in a timely and effective: 20%

Conclusions
- Survey respondents' organizations are challenged with respect to resources: Staffing, Processes, Tools
- Software vulnerabilities and insider threat are of great concern
- A level of uncertainty still surrounds the ability to protect against current and future attacks (internal and external)

Questions
Lisa A Gallagher, BSEE, CISM, CPHIMS, FHIMSS
VP, Technology Solutions
HIMSS North America
lgallagher@himss.org