Based on data collected over two years from over 500 organizations in 15 countries, covering 11 industries and a range of company sizes, the report aimed to provide valuable insights into the level of cyber risk in critical infrastructure entities, including those within the healthcare sector.
Over the past few years, the number of cybersecurity solutions available on the market has increased significantly. Despite this, there has been a 38 percent increase in global cyberattacks, putting organizations' reputations and finances at risk. Notably, healthcare was one of the three industries that faced the highest number of cyberattacks in 2022.
By sector, the energy and financial industries achieved the highest cyber maturity scores. In comparison, the healthcare, retail, and government sectors scored among the lowest.
Out of 11 industries, the healthcare sector had the second lowest score in identity management security.
In healthcare, patient data is protected through Identity and Access Management (IAM), which allows organizations to grant and deny user access rights and manage identity governance. Credentials are the keys to every door leading to protected health information (PHI), and IAM ensures that only verified and authorized digital identities receive privileged access. Without these protections in place, the risk from cyber threats increases.
Among all industries, including healthcare, the report found that 32 percent had a weak password policy and 23 percent had a weak authentication mechanism.
Network security is another crucial cyber maturity domain, guarding against data and network breaches. The domain encompasses access control, antivirus software, application security, network analytics, various network-related security types, firewalls, VPN encryption, and more.
Despite its importance, healthcare scored lowest in network security. The report found that among all industries, 28 percent had administrative and sensitive interfaces exposed to the internet, and 24 percent of respondents had outdated firewall rule bases.
Sensitive data or personally identifiable information (PII) encompasses information that individuals or organizations want to keep confidential, such as Social Security numbers, passport numbers, driver’s license numbers, addresses, email addresses, photos, biometric data, or any other data traceable to an individual.
This low ranking signals a serious need for more awareness surrounding patient privacy. Researchers stated that factors like weak EHR systems, telemedicine, and complex interrelationships among insurance companies, practitioners, specialists, and patients all reveal cybersecurity vulnerabilities.
On the other hand, Norway has the highest overall cyber maturity level, even though it only introduced its first national cybersecurity strategy in 2003. Given the US’s low scoring, researchers believe that a large financial investment only sometimes results in a high maturity level. This emphasizes that organizations can achieve greater maturity without a large cybersecurity budget if they plan and invest wisely.
“CYE’s cybersecurity report should serve as a wake-up call for both private and governmental organizations,” Reuven Aronashvili, founder and CEO at CYE, said in a press release. “While there are some excellent companies doing it right when it comes to cyber preparedness in the relevant industries and countries that we looked at, overall, the picture we get is still far from ideal.”
“The main takeaway from this research is that organizations can achieve a superior maturity posture even without a huge cybersecurity budget if they plan and spend it right.”