Healthcare lags behind several other sectors of the U.S. economy when it comes to IT security, according to an analysis by BitSight, a security rating firm headquartered in Cambridge, Mass.
For the report, titled “Will Healthcare Be the Next Retail,” BitSight analyzed the security performance of S&P 500 companies in four industry sectors—finance, utilities, retail and healthcare.
According to the report, healthcare has many of the same characteristics as retail—which has long been plagued by poor performance when it comes to cyber security—such as a high volume of security incidents and slow response times.
BitSight found that while the healthcare sector’s security performance improved over the period between April 1, 2013 and March 31, 2014, it also saw the largest percentage increase in the number of observed security incidents. In addition, the average duration of these incidents, 5.3 days, was longer than in any of the other analyzed industries.
BitSight said its findings echo the recent SANS Health Care Cyber Report that found security issues involving medical devices, conferencing systems, web servers, printers and edge security technologies sending out malicious traffic from medical organizations—in some cases for months before the breach was recognized and repaired.
The report also found that cyber security receives less attention at the executive level in healthcare than in other sectors. For example, it referred to a study that found that the healthcare and pharmaceutical sector ranks the lowest in compensation for information security staff and suggested that the sector “tends to spend only the resources required to be compliant with regulations such as HIPAA, and compliance does not equate to security.”
BitSight also reported that the healthcare sector continues to have problems with the theft and loss of laptops and other devices that contain patient and personal data, and pointed out that the 2014 Data Breach Industry Forecast states “the healthcare industry, by far, will be the most susceptible to publicly disclosed and widely scrutinized data breaches in 2014.”
The report concluded that while the finance and utilities sectors have created a culture that raises these security issues to a high level, the performance of the retail and healthcare industries is more uneven and that even with “tougher regulations and increased public scrutiny, there remains substantial room for improvement.”