Breaches and ransomware continue to have alarming impact and disruption across the health & life sciences (HLS) industry worldwide. The global average total cost of data breaches is now USD 3.62 million, with healthcare having the highest per-capita cost across all industries at USD 380 per patient record, according to 2017 Ponemon Cost of a Data Breach Research.
Ransomware infections such as the WannaCry attack in May 2017 severely disrupted HLS critical infrastructure as encrypted patient information became unavailable, compromising patient care and forcing many HLS organizations to direct patients elsewhere. In 2016, ransomware payments were expected to exceed USD 1 billion, according to the FBI. Global ransomware damage costs are predicted to exceed USD 5 billion in 2017, up over 1,400 percent from USD 325 million in 2015, making cybercrime and ransomware increasingly lucrative and likely to continue to grow.
How Does your Security Compare?
Many breaches and ransomware attacks are untargeted, opportunistic, and tend to affect HLS organizations that are lagging in cybersecurity and relatively vulnerable. However, HLS organizations typically do not know how their security capabilities compare with the industry and peers, and whether they are lagging and relatively vulnerable.
The Intel® Security Readiness Program (SRP) is a global open industry initiative with over 40 partners collaborating worldwide to enable HLS organizations to benchmark their cybersecurity compared to the HLS industry and peer organizations of a similar focus, locale, and size. This provides actionable information to security teams in HLS organizations that they can use to prioritize remediation and rally support with stakeholders to allocate resources required to address gaps.
These workshops are synergistic and complementary to regulatory, data protection law, and security standards compliance activities. Confidential, encrypted security readiness reports also show how capabilities and gaps relate to HIPAA, NIST, PCI DSS, CIS, ISO2700x, GDPR, ISO80001, and EU MDR 2017/745 so participating HLS organizations can see how addressing a gap may also help with compliance.
Benchmark information in this program is high quality, acquired by trained security assessors, with verified HLS security teams, and participating HLS organizations can update their data at any time. Currently, this program has over 150 HLS organizations participating across 9 countries and is projected to more than double through 2018. In this blog, I share the latest highlights from industry level, aggregate, and anonymous results of the SRP.
Priorities and Readiness Across Breach Types
Ransomware (86%) is by far the highest priority, followed by Cybercrime Hacking (79%), and Insider Accidents or Workarounds (65%).
A wide distribution in security readiness is evident across all eight breach types; for example, ransomware readiness scores range from 17 percent to 91 percent with an average of 60 percent. This indicates that many HLS organizations are significantly lagging in security and relatively vulnerable, and that on average the HLS industry has a lot of room for improvement in anti-ransomware security capabilities.
Readiness for a given breach type reflects the percentage of capabilities the HLS organization has implemented that are relevant to mitigating the risk of that breach type. Average readiness scores across the 8 breach types assessed range from 49 percent to 62 percent, indicating the HLS industry has much room for improvement in security capabilities to mitigate the risk of breaches and ransomware.
Level of Implementation of Key Security Safeguards
Several foundational security capabilities in the Baseline Tier of maturity had relatively weak levels of implementation, including Endpoint Data Loss Prevention (Discovery Mode) (20%), Audit and Compliance (60%), Endpoint Device Encryption (63%), and Security Incident Response Plans (63%).
These security capabilities represent areas in urgent need of improvement for the HLS industry. On the other hand, several foundational security capabilities in the baseline tier had relatively strong levels of implementation including Firewall (92%), Anti-malware (93%), and Backup and Restore (89%). These represent areas where the HLS industry is relatively strong in security and in less need of attention.
Ransomware and breaches are disruptive, degrading patient trust and quality of care, and in some cases compromising patient safety. Future breaches and ransomware attacks are likely to increasingly use broadcast phishing emails, computer worms, and other highly scalable propagation techniques to infect and penetrate the broadest possible target base, thereby increasing their total available market for monetization.
It is therefore increasingly important for HLS organizations to understand how their security posture compares with peers and the industry and be prepared to proactively remediate security capability gaps as needed to mitigate risks and enable improved patient care. Guided by high-quality data such as from the SRP, we can move the discussion from “healthcare security is lagging” to specific high-priority breach types and specific security capabilities in urgent need of improvement across the HLS industry. This enables proactive mitigation of risk of breaches and ransomware across the HLS industry and helps pave the way for improved patient care.
If you are with an HLS organization and you would like to explore participating in a 1-hour, complimentary, confidential security readiness workshop with Intel or a partner, contact SecurityReadiness@Intel.com or message me on LinkedIn.
Any organization that works with sensitive patient information is eligible to participate in this program including providers, payers, pharmaceuticals, life sciences, and business associates or data processors. Participation in the program is confidential, and reports are encrypted and confidential.
If you are with an organization that helps HLS organizations with security and would like to explore becoming a partner on the security readiness program, contact SecurityReadiness@Intel.com or message me on LinkedIn.
See http://Intel.com/SecurityReadiness for a concise overview, sample report, detailed industry level results, and further information on opportunities to engage. A short video Introduction to the Security Readiness Program is also available and embedded below.
Message me on LinkedIn if you are interested in specific industry-level results of this program, e.g., for healthcare providers only, or for medium-sized healthcare providers in the US only.
What kinds of security priorities, gaps, and challenges are you seeing? Comments and feedback welcome below.