Just 27 percent of healthcare security executives said they have confidence they could safeguard patients’ medical records, even though nearly 80 percent are required to comply with government regulations, according to a recent survey from cybersecurity solutions provider Radware.
The survey of nearly 200 security executives from the healthcare sector (almost 90 percent having executive authority to direct security activities and investments) found that healthcare lagged behind other industries such as retail and financial services when it comes to mitigating risk.
Analysis of survey feedback paints a portrait of a sector ill at ease with the growing security demands being placed on their institutions, the report authors wrote. Nearly two-thirds of respondents (62 percent) have little to no confidence they could rapidly adopt security patches and updates without having an operational impact, while 70 percent said less than 50 percent of data loss incidents over the past 24 months were fully tracked and patched.
More than half (55 percent) of healthcare organizations said they had no way to track data shared with a third party after it left the corporate network. Healthcare organizations are particularly unlikely to monitor the Darknet for stolen data, with 37 percent saying they did so, compared to 56 percent in financial services, and 48 percent in retail.
While 68 percent of respondents invested somewhat or significantly in security controls following major industry data breaches or attacks, only 21 percent use API gateways, 23 percent WAFs and only 29 percent use both.
The survey results were published in a report titled “Web Application Security in a Digitally Connected World,” and looked at the retail, financial services and healthcare sectors specifically. Radware, in conjunction with Ponemon Research, surveyed over 600 chief information security officers (CISOs) and other security leaders across six continents. The intent was to uncover the challenges that emerging technologies, such as blockchain, artificial intelligence (AI) and Internet of Things (IoT) as well as rapid-fire application deployments are presenting, ascertain how organizations in different industries identified application-layer and API vulnerabilities, measure the impact that bots are having on organizations and construct a security roadmap for today and tomorrow.
The research also exposed the proliferation of bot-driven Web traffic and its impact on organizations’ application security. Bots, as with other industries, are becoming more dominant from a generated traffic perspective, with 36 percent of network traffic in healthcare being bots. However, only 20 percent of respondents can identify with certainty whether the 36 percent are good or bad bots.
The report also found that nearly half (45 percent) of respondents, across retail, financial services and healthcare industries, had experienced a data breach in the last year, and 68 percent are not confident they can keep corporate information safe.
What’s more, companies often leave sensitive data under-protected. Some 60 percent of organizations both share and consume data via APIs, including personally identifiable information, usernames/passwords, payment details, medical records, etc. Yet 52 percent don’t inspect the data that is being transferred back and forth via their APIs, and 51 percent of respondents don’t perform any security audits or analyze API vulnerabilities prior to integration.
Many organizations want the full automation and agility that the continuous delivery model of app development provides—half (49 percent) of respondents currently use the continuous delivery of application services and another 21 percent plan to adopt it within the next 12 to 24 months. However, continuous delivery can compound the security challenges of app development: 62 percent reckon it increases the attack surface and approximately half say that they do not integrate security into their continuous delivery process.
Any organization that collects information on European citizens will soon be required to meet the strict data privacy laws imposed by General Data Protection Regulations (GDPR). These regulations take effect in May 2018. However, with less than a year until the due date, 68 percent of organizations are not confident they will be ready to meet these requirements in time.
“It’s alarming that executives at organizations with sensitive data from millions of consumers collectively don’t feel confident in their security,” Carl Herberger, vice president of security solutions at Radware, said in a statement “They know the risks, but blind spots continue to pose a threat. Until companies get a handle on where their vulnerabilities are and take steps to protect them, major attacks and data breaches will continue to make headlines.”
