Lack of resources the biggest hurdle for healthcare organizations in defending cyberattacks

Image removed.Security professionals in the United States say they feel ill-prepared to defend against cybersecurity attacks, according to new research conducted by The Ponemon Institute and sponsored by Lockheed Martin.

In all, 678 professionals responsible for directing the cybersecurity activities at their organizations were polled, 114 from the healthcare industry. They rated their ability to defend against cyberattacks at 4.9 on scale of 10.

Those who rate their ability as above average rely primarily on commercial threat intelligence feeds (68 percent) followed by collaborative threat intelligence groups, partnerships and forums (37 percent) or dedicated analysts on staff (35 percent).

In healthcare, 68 percent say cyberattacks are increasing in severity, and 77 percent see a rise in frequency, according to a separate infographic.

They cite lack of resources/budget (57 percent) as the biggest impediment to a more secure organization, followed by inadequate expertise (56 percent).

Only 38 percent believe they are not a target, but among those who do, 39 percent say that's based in intuition, while 28 percent base that belief on security intelligence.

As with other sectors, healthcare respondents say insiders--whether malicious or negligent--are the greatest threat.

Interestingly enough, however, healthcare spending on perimeter servers and mobile security outpaces the estimated risk, with cloud security 1 percent more. Meanwhile, risk is estimated far higher than spending on user awareness and supply chain.

Healthcare respondents said compliance is their No. 1 priority. Many security experts, however, reiterate that compliance doesn't equate to security. So far, HIPAA does not require encryption, a basic element of security, especially on mobile devices. However, after the Anthem breach, lawmakers plan to reconsider whether encryption should be mandatory.

In the Anthem case, hackers had access to at least five sets of employee credentials. In the Target attack last year, the hacker posed as a vendor and an employee was duped innocently.

To learn more:
- download the report
- find the infographic (.pdf)

Read more on