The survey, conducted in April 2013 with the Ponemon Institute®, evaluates the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. One hundred seventeen health and pharmaceutical sector respondents from the U.S. and U.K. participated in the healthcare portion of the survey.
The health and pharmaceutical industries have undergone significant information security changes in 2013, and Health Insurance Portability and Accountability Act (HIPAA) fines have grown in both size and frequency. In August, Affinity Health Plan was fined more than $1.2 million for HIPAA violations, and insurer WellPoint agreed to pay a $1.7 million penalty in July. As the final omnibus rule goes into effect, new state healthcare exchanges place additional security and privacy pressures on healthcare organizations. Despite these regulatory pressures, Tripwire's survey indicates that the healthcare industry lags behind other industries in the implementation of critical security controls.
Key findings include:
· 70% say communicating the state of security risk to senior executives is not effective because communications are contained in one department or line of business.
· Only 52% use formal risk assessments to identify security threats.
· Only 58% have fully or partially deployed change control and security configuration management.
"It is true that healthcare organizations rank better than average in some areas of this survey, but there is still a lot of room for improvement," said Dwayne Melancon, chief technology officer for Tripwire. "About half of healthcare and pharmaceutical organizations are not using any kind of formal risk assessments, and they are also far less open to challenging current assumptions. Both of these factors could cause them to be blindsided by the increasing number of cybersecurity threats to their businesses."
For more information about this survey, please visit http://www.tripwire.com/ponemon/2013/.
About the Ponemon Institute
The Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors, and verifies the privacy and data protection practices of organizations in a variety of industries.
Tripwire is a leading global provider of risk-based security and compliance management solutions, enabling enterprises, government agencies and service providers to effectively connect security to their business. Tripwire provides the broadest set of foundational security controls, including security configuration management, vulnerability management, file integrity monitoring, and log and event management. Tripwire solutions deliver unprecedented visibility, business context and security business intelligence, allowing extended enterprises to protect sensitive data from breaches, vulnerabilities, and threats. Learn more at www.tripwire.com, get security news, trends and insights at http://www.tripwire.com/state-of-security/ or follow us on Twitter @TripwireInc.