Ransomware, WannaCry, Petya, NotPetya. What’s next in cybercrime? 

Whatever may come, it appears that hackers are just getting started. And the real problem is that many healthcare organizations are not ready. New and evolving threats combined with persistent resource challenges, in fact, limit organizations’ abilities to defend against cyber-intrusions, according to the second installment of ISACA’s 2017 State of Cybersecurity Study. The ISACA is a worldwide association for IT professionals.

[Also: These overlooked training strategies can help stop your staff from causing breaches]

Eighty percent of the security leaders who participated in the survey believe it is likely their enterprise will experience a cyberattack this year, but many organizations are struggling to keep pace with the threat environment.

Fifty-three percent of security leaders reported a year-over-year increase in cyberattacks for 2016, representing a combination of changing threat entry points and types of threats. The Internet of Things, for example, overtook mobile as the primary focus for cyber-defenses as 97 percent of organizations see a rise in IoT usage, the survey said. As the IoT becomes more prevalent in organizations, cybersecurity professionals need to ensure protocols are in place to safeguard new threat entry points, the ISACA said.

[Also: Artificial intelligence is giving healthcare cybersecurity programs a boost]

What’s more, 62 percent of security leaders reported experiencing ransomware attacks in 2016, but only 53 percent have a formal process in place to address it – a concerning number given the significant international impact of the recent WannaCry and Petya ransomware attacks, the ISACA said.

More bad news: Fewer than one in three organizations (31 percent) say they routinely test their security controls, and 13 percent never test them, the survey found, while 16 percent do not have an incident response plan.

“There is a significant and concerning gap between the threats an organization faces and its readiness to address those threats in a timely or effective manner,” said Christos Dimitriadis, ISACA board chair and group head of information security at Intralot. “Cybersecurity professionals face huge demands to secure organizational infrastructure, and teams need to be properly trained, resourced and prepared.”

Participants indicated that while cybersecurity is a priority for enterprise leadership, roadblocks facing cybersecurity professionals remain.

When it comes to good news, more organizations than ever now employ a chief information security officer – 65 percent, up from 50 percent in 2016. However, security leaders continue to struggle to fill open cybersecurity positions, and nearly half (48 percent) of respondents don’t feel comfortable with their cyber-team’s ability to address anything beyond simple cybersecurity issues, the survey found. Additionally, more than half said cybersecurity professionals lack an ability to understand the business.

While training is critically needed to address these skill shortages, one in four organizations have training budgets of less than $1,000 per cybersecurity team member, the survey said. While overall cybersecurity budgets remain strong, fewer organizations are increasing their budgets this year. And only about half will see budget increases, down from 61 percent in 2016, the survey said. 

“The rise of CISOs in organizations demonstrates a growing leadership commitment to securing the enterprise, which is an encouraging sign,” Dimitriadis said. “But that’s not a cure-all. With the number of malicious attacks increasing, organizations can’t afford a resource slowdown. Yet with so many respondents showing a lack of confidence in their teams’ ability to address complex issues, we know there is more that must be done to address the urgent cybersecurity challenges faced by all enterprises.”

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn