Only 52 percent of healthcare IT professionals use formal risk assessments according to new research on risk-based security management in the healthcare and pharmaceutical industries.
The survey was conducted by Tripwire, a provider of risk-based security and compliance management solutions, and the Ponemon Institute, an organization that conducts independent research on privacy, data protection and information security policy.
The survey evaluates the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. 117 health and pharmaceutical sector respondents from the US and UK participated in the healthcare portion of the survey.
Despite regulatory pressures caused by the Health Insurance Portability and Accountability Act (HIPAA), Tripwire's survey indicates that the healthcare industry lags behind other industries in the implementation of critical security controls.
The survey found that 70 percent of respondents say communicating the state of security risk to senior executives is not effective because those communications stay contained within one department or line of business. Only 52 percent use formal risk assessments to identify security threats, and only 58 percent have fully or partially deployed change control and security configuration management.
"It is true that healthcare organizations rank better than average in some areas of this survey, but there is still a lot of room for improvement," said Dwayne Melancon, chief technology officer for Tripwire. "About half of healthcare and pharmaceutical organizations are not using any kind of formal risk assessments, and they are also far less open to challenging current assumptions. Both of these factors could cause them to be blindsided by the increasing number of cybersecurity threats to their businesses."