Healthcare still underprepared for scope of cyber threats, says Kroll report

Meeting the cybersecurity challenges of 2024 requires healthcare organizations to boost their organizational capabilities, which are often below-average compared to other industries, researchers said.
By Andrea Fox
01:46 PM


Healthcare is the industry that's most likely to self-assess as having "very mature security," according to a new cyber readiness report from Kroll. But it's also one of the most-breached sectors – topping the list in 2022 and coming in second this past year.

That discrepancy can be traced to many factors – not least the fact that healthcare organizations have long been among the top targets of cybercriminals and bad actors.

But it also reflects some unique factors related to how health systems approach and assess their own cybersecurity readiness, according to the new research from the advisory firm, which looks at detection and response capabilities, threat intelligence, offensive security and other factors in healthcare.

Among the report's other findings: Healthcare organizations need to be ready for an uptick in cyber threats in which initial network access is gained through external remote services – driving a growing need for better endpoint security.

Also, even as awareness and spending are both on the increase, health system C-suites should prepare for more government scrutiny and greater accountability for oversight of cyber defenses.

Closing the 'self-diagnosis gap' 

Healthcare organizations are 65% less likely to fully outsource their cybersecurity services than organizations in other sectors, Kroll researchers said in the new report, "The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare."

Their research maps out the cybersecurity threat landscape the healthcare sector currently operates in, looking at detection and response, cyber threat intelligence and offensive security.

The realities of healthcare IT's complexities, "not to mention the extremely time-poor staff that need both maximum convenience and security from IT operations," make it hard for the industry to protect itself, according to Devon Ackerman, Kroll's global head of incident response and cyber risk.

"The self-diagnosis gap between healthcare's confidence in its security and its real-world security capabilities is particularly worrying considering that a cyber incident could disrupt hospital operations and have devastating outcomes for patient care and treatment, even putting human lives at risk," he said in a statement accompanying the new report.

The independent survey of global senior IT security decision-makers, which was combined with Kroll's data from its handling of 3,000 cyber incidents annually for the report, revealed that more than a quarter of healthcare business respondents – 26% – have immature cybersecurity processes, while nearly 50% believe their processes are "very mature." 

Despite this level of self-confidence, only 3% of the healthcare organizations surveyed have mature cyber processes in place, researchers said. 

Remote access a weak point

Previously, Kroll said that fourth-quarter 2023 set the tone for a demanding 2024, requiring firms across sectors to adopt a consistent approach to advancing their security and prepare for known threats and emerging ones. 

In its Q4 analysis, Kroll cited remote access as a vulnerable pathway. Ransomware groups were increasingly gaining initial access through external remote services, while other threats, such as infostealer malware and business email compromise, trended up.

The company said organizations that support remote and hybrid work but have grown complacent about security add to the difficult climate. They need to think beyond central network security, requiring ever-stronger defenses "at the perimeter level," the researchers said.

Kroll also noted in its 2024 data breach outlook report, released in February, that although the finance sector overtook healthcare as the most breached industry last year, healthcare showed year-over-year increases both in the number of inquiries following a breach (14%) and in the uptake of credit or identity monitoring (99%).

Interestingly, the insurance sector fell further down Kroll's top 10 most breached industries, with an 81% drop in breaches compared with 2022, while the technology sector saw a year-over-year increase of 40%.

Kroll announced last month that it tapped Dave Burg, formerly Americas cyber lead for global firm EY and a PwC cyber veteran, as its global head of cyber risk to oversee and expand its threat lifecycle management capabilities.

C-suite scrutiny and accountability 

Also in February, Kroll released its 10 trends for 2024 across industries. The top trends focus on an increasingly complex cyber threat landscape, public market and private market economies that continue to diverge, and the growing use of AI and the high level of compliance risks it will bring.

The company said that an interesting takeaway for all industry leaders is how the U.S. Securities and Exchange Commission is pivoting in how it engages private entities. The agency no longer treats an entity's chief compliance officer as its point of contact; instead, it asks the upper ranks of the C-suite about proper resourcing – both in terms of human capital and systems.

It's not hard to envision that, should the effort bear results in the finance sector, other agencies such as HHS could adopt the same tactic of increased C-suite accountability for governance and supervisory oversight.

"For CEOs and other principals, plausible deniability when it comes to compliance issues is no longer an option," the Kroll researchers said.

Coupled with that, crossing t's and dotting i's on sanctions is also something to be aware of.

Kroll cited rules such as the Foreign Corrupt Practices Act, where "corporations that are non-compliant face immense financial and reputational consequences."

Security compliance is a significant challenge for corporations "with immense potential financial and reputational risks," researchers added, meaning that an organization paying a cyber ransom to a group that includes a sanctioned individual could find itself in violation.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
