Getty Images/iStockphoto

Healthcare Security Culture Trending in the Right Direction, But Needs Improvement

Survey results show a moderately strong security culture in the healthcare sector, but there is still work to be done.

The healthcare sector received a score of 74 out of 100 in terms of maintaining a robust security culture, KnowBe4 Research revealed. Researchers surveyed more than 2,900 organizations across 18 sectors to assess security’s role in different regions and industries.

The report’s rating system ranged from 0 to 100, labeling 0 to 59 as poor, 60 to 69 as mediocre, 70 to 79 as moderate, 80 to 89 as good, and 90 to 100 as excellent. Of course, a “security culture” can mean many different things to people in various industries.

KnowBe4 Research defined security culture as “the ideas, customs, and social behaviors of an organization that influence their security.”

“This definition makes it clear that security culture is a combination of thought processes and knowledge, the habits that employees have adapted and the behaviors that are demonstrated when in the workplace,” the report stated.

Researchers broke down security culture into the following distinct components: attitudes, cognition, communication, behaviors, compliance, norms, and responsibilities. Researchers evaluated security culture through the lens of each of these categories.

US respondents scored highest in terms of security culture, followed closely by Europe. However, it is important to note that no region or industry scored above the “moderate” range.

The impact of the global pandemic showed that while some industry sectors have reduced their security culture significantly, others have improved,” the report noted.

“The most significant finding is that no industry is found to have Poor or Mediocre security culture scores. Although all industry sectors have a security culture that is considered Moderate, many of the industries include organizations that have been rated as Good.”

The highest-scoring industries (technology, insurance, and banking) all scored a 76. With healthcare at 74, the sector still performed far better than most other industries, likely due to the frequency of healthcare cyberattacks and strict compliance requirements.

Even so, healthcare has remained stagnant with a score of 74 for the third year in a row, leaving room for improvement.

“Healthcare and Pharmaceuticals organizations have long been vigilant in the protection of intellectual property and financial information,” the report pointed out.

“However, the rapidly expanded use of telemedicine has increased the amount of data available through patient and healthcare provider portals and apps.”

The pandemic accelerated telehealth and remote patient monitoring (RPM) use across the sector, both of which have been instrumental in maintaining patient care amid a global public health crisis. However, the expanded use of these technologies also expanded the cyberattack surface and raised security concerns, which could partially explain why healthcare’s security culture score remains the same.

“Moreover, medical identity theft, which often includes both a patient’s social security and credit card number(s), are highly lucrative endeavors for cybercriminals,” the report continued.

“Compounding the threat is a need for medical providers to maintain immediate access to patient data; institutions often pay a ransomware attacker to regain access, which also makes this industry an attractive target to malicious actors.”

The report highlighted the fact that people are often an organization’s first line of defense when it comes to security incidents. Implementing regular employee training, education, and technical and administrative safeguards can help healthcare organizations develop a strong security culture.

Next Steps

Dig Deeper on Cybersecurity strategies