Study: Healthcare IT Professionals Overconfident in Breach Detection Skills
In a study evaluating the confidence of IT professionals regarding the efficacy of seven key security controls to help detect a cyber attack in progress, healthcare IT professionals were overconfident in their ability to quickly collect the data needed to identify and remediate a cyber attack.
Tripwire, a provider of security and compliance solutions, sponsored the study, which was conducted by Dimensional Research. The study evaluated the confidence vs. knowledge of IT professionals regarding the efficacy of seven key security controls, which must be in place to quickly detect a cyber attack in progress. Respondents of the Tripwire 2016 Breach Detection Study included 763 IT professionals from various industries, including 101 participants from the health care sector.
For many controls, IT professionals believed they had the information necessary to detect a breach quickly—but provided contradictory information about the specific data, according to the study report.
The Tripwire study also cites data from Verizon’s 2016 Data Breach Investigations Report, which indicates that 63 percent of successful system compromises in the health care industry occurred within minutes, while 56 percent of data breaches impacting the health care sector took months to detect.
The Tripwire study found that 90 percent of healthcare IT professionals believe they could detect configuration changes to endpoint devices on their organization’s networks within hours, but less than half (49 percent) know exactly how long it would take their vulnerability scanning systems to generate an alert.
“There’s no argument that these basic controls work and contribute directly to an organization’s cyber security, yet the research shows they are not in place at enough health care organizations,” Tim Erlin, senior director of IT security and risk strategy at Tripwire, said in a statement. “This is occurring at a time when the health care industry is facing unique cyber threats, from physical theft to sophisticated ransomware campaigns.”
Erlin continued, “The basics of finding unauthorized devices and vulnerabilities and applying patches in a timely manner should be done at every organization in order to create a baseline of cybersecurity. These fundamental controls should be in place before organizations look at the latest shiny security object.”
The study results also indicated that nearly two-thirds (60 percent) of the healthcare IT respondents believe their automated tools do not pick up all of the critical details or information that is needed to identify the locations and departments where the unauthorized devices were detected.
Eighty-three percent of the respondents believe they could detect configuration changes to a network device within hours; however, only a little over half (54 percent) know how long the process would actually take.
Nearly half of the respondents (45 percent) said critical vulnerabilities detected by their scanning tools are not fixed or remediated within 30 days. Additionally, 43 percent of the respondents said less than 80 percent of patches succeed in a typical patch cycle.
The study is based on seven key security controls required by a wide variety of compliance regulations, including PCI DSS, SOX, NERC CIP, MAS TRM, NIST 800-53, CIS Top 20 and IRS 1075. These controls also align with the United States Computer Emergency Readiness Team’s (US-CERT) recommendations and international guidance, such as the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions.
When implemented across an organization, these controls deliver specific, actionable information necessary to defend against the most pervasive and dangerous cyber attacks. According to the study authors, it is vital for organizations to identify indicators of compromise quickly, so that appropriate action can be taken before any damage is done.