Cybersecurity leaders still shaky about post-attack recovery, reports show

Government and industry cyber pros aren't always confident in their organizations' abilities to recover from cyberattacks, two recent surveys suggest. They say underfunded security budgets are causing vulnerabilities in the face of pervasive threats.
By Andrea Fox
10:31 AM

More than half of the healthcare organizations that responded to a recent cross-industry cybersecurity survey by Travelers said they don't have a specialized team to handle a data breach – and even more said they don't use endpoint detection and response tools.

Meanwhile, chief information security officers nationwide told Deloitte and the National Association of State Chief Information Officers in a recent study that threats – exacerbated by the emergence of artificial intelligence technologies – are high, and they are unsure whether their teams are well positioned to handle them.

WHY IT MATTERS

Of the state CISOs from all 50 states and the District of Columbia, 86% said that AI, uncertain budgets, cyber threats and shifting workforces have added to their data privacy responsibilities, according to an announcement from Deloitte on Monday.

The 2024 Deloitte-NASCIO Cybersecurity Study also found that more than one-third of the state CISOs reported lacking a dedicated cybersecurity budget. 

A substantial majority (71%) said they also believe the threat level of AI-enabled threats is "high," while 41% noted that they were unsure if their teams could handle all the cybersecurity threats they face. 

However, the state CISOs did report increasing their skilled workforces since the previous biennial cybersecurity study.

"The good news is many state CISOs have been able to increase employee headcounts, adding specialists to their teams who are focused on cybersecurity-related issues," Meredith Ward, deputy executive director at NASCIO and a coauthor of the new report, said in a statement.

Travelers said its 2024 Risk Index also revealed an unprecedented level of concern over cybersecurity threats, with participating healthcare organizations lagging in some critical cybersecurity controls.

For the survey, Hart Research contacted more than 1,200 U.S. businesses (368 small, 500 midsize and 334 large) this summer to ask about their top challenges. The analysis included the opinions of leaders at 100 companies in the healthcare sector.

Of all respondents, 36% had experienced a security breach, 27% were victims of extortion/ransomware, 27% had info/systems put at risk by employees, 26% had a system glitch and 25% had employees fooled into transferring funds into fraudulent accounts, according to the report.

Healthcare respondents to the Travelers report indicated that unauthorized access to financial accounts was their top cybersecurity concern, followed by system glitches or breaches associated with remote work operations, with hackers ranking third.

While 82% of the healthcare organizations said they believed they had the proper cybersecurity controls in place, 44% do not use multifactor authentication for remote access – a failure that led to the Change Healthcare takedown and nationwide claims payment systems outage – and 44% lack an incident response plan. 

Cyber maturity gaps also abound, with 55% of the healthcare respondents reporting that they do not have a post-breach team in place and 60% reporting that they do not use endpoint detection and response tools.

While some healthcare organizations reported taking measures like implementing backup data and infrastructure (80%) and firewall protection (72%), performing background checks on employees (72%), and requiring password changes (70%), according to Travelers' 2024 Risk Index, there are technologies they may be overlooking that could better protect patient data.

THE LARGER TREND

Attack surfaces are expanding as fast as emerging threats, with data a central component of operations in both government and business.

Budget concerns for state CISOs are back in full force in 2024, according to Deloitte, and AI-enabled threats were the second most concerning form of cyber threat, trailing only security breaches involving third parties but ranking higher than concerns about malware and ransomware.

While healthcare has been found underprepared for the scope of cyber threats, in December the U.S. Health and Human Services 405(d) Program focused on how cyber insurance can help organizations recover from an incident and maintain care-delivery operations. Two guides, one for small organizations and one for medium-to-large organizations, discuss implementing cyber insurance best practices.

This past year, John Menefee, cyber risk product manager at Travelers Bond and Specialty Insurance, told Healthcare IT News that despite an increase in attacks, insurance opportunities are far from disappearing.

He said cyber insurance carriers are getting better than ever at understanding how healthcare cyberattacks unfold and can help protect healthcare organizations before threat actors strike.

ON THE RECORD

So too are C-suites and security leaders at healthcare organizations, according to the recent NASCIO report, which sees more CISOs committing to staffing levels commensurate with the scope of the cyber threat.

"In 2020, 16% of CISOs had fewer than five employees dedicated to cybersecurity initiatives," said Ward in a statement. "Today, that percentage has dropped to just 4%. In addition to growing their teams, our research found these leaders are determined to find creative solutions to protect their organizations and the public."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.

The HIMSS Healthcare Cybersecurity Forum is scheduled to take place October 31-November 1 in Washington, D.C.
