Healthcare gets a failing grade in worldwide Cyber Security – 2017 Tenable Network Security Report

A new report by Tenable, a worldwide network security firm, has been released, with a global assessment of trends that we have been aware of for some time. What is particularly interesting is that their global report boils security risk assessments down to a graded number, similar to our healthcare-focused CTS ScoreCard for Privacy and Data Security, on which we base our detailed assessments using CSA privacy principles and ISO/IEC 27002:2013 information security controls. The value of this method of reporting results is that it is relatively easy to review trends across regions and over time.

The Tenable report, which is based on a worldwide survey of 700 security practitioners, 75% of whom hold management, director or leadership roles, gives Canada an overall “C” grade for risk assessment and security assurance, down from “C+” last year. And for overall risk assessment and security assurance in health care? Tenable gave it a “D”, down from “C” in 2016.

The overall trend, worldwide, points to a massive decline in perceptions of global cyber readiness (12% lower than last year), which has become more acute through difficulties in assessing and mitigating security risks.

The most important finding, however, is that there is no single contributing factor to the huge decline in Risk Assessment scores. Rather, it appears to be a by-product of the widening array of interconnected assets, resulting in an expanded surface across which to direct attacks.

“Technology drives innovation, but it also creates more complexities and room for vulnerabilities to work their way into the network” – Tenable Report December 2016.

What does this mean to health practitioners in private clinics? We need to pay attention to cyber security like never before. Desktop computers, laptops, smartphones, servers, network-connected medical diagnostic devices, even security cameras and digital video recorders can be compromised, leading to major network attacks. Add to this phishing attacks through carefully crafted email messages, shared documents, and social media, and the problem becomes not just an IT issue, but one that requires total awareness and careful education of all staff handling patient information.

What can you do now? Our upcoming blog series on Privacy and Security Best Practices, gathered from healthcare experts across the country, will provide practical steps that you can implement now. Taken together, they will go a long way towards helping to prevent your patient data from being compromised.

In the meantime, if you are interested in learning how your clinic can be quickly and systematically assessed for privacy and data security risks, contact us.