Though healthcare companies take their cyber security seriously, there’s still more they can do.
Recent events have undoubtedly focused attention on the healthcare industry’s cyber security. Various shortcomings have been exposed, and the industry’s cyber risks will only increase in future.
While the NHS cyber-attack attracted a lot of media attention, the threat goes far wider than that. The healthcare industry has the highest volume of data breaches in the UK – incurring 43% of all breaches, according to figures from the Information Commissioner’s Office.
And the number of cyber incidents in healthcare has risen year on year, with a 20% increase from the last quarter of 2014 to the last quarter of 2016.
Despite these shortcomings, healthcare companies do take their cyber security very seriously, according to findings from Lockton’s UK Cyber Security Survey 2017.
In fact, their cyber security seems to compare favourably to many industries. However, there is still room for improvement.
As part of Lockton’s cyber survey, we asked 40 senior decision makers from healthcare companies a series of questions about their cyber security.
Many of the results are encouraging. Healthcare companies, for example, involve a greater range of stakeholders in cyber breach scenario planning than most companies:
• 78% involve the Board – compared to an average of 50% of companies.
• 45% involve the Head of PR and communications – compared to an average of 26% of companies.
• 95% involve Risk Management – compared to an average of 88% of companies.
The survey results also indicate that healthcare companies are more confident than most companies of their responsiveness following a cyber breach. For example:
• 70% say they would be able to inform affected third parties within 2-4 hours of a leak/loss of third-party data – compared to an average of 56% of companies.
• 22% say they would be entirely operational again within 24 hours of a large-scale leak/loss of third-party data – compared to an average of 10% of companies.
The results also indicate that healthcare companies are more mindful of cyber security when launching new products and when choosing suppliers. For example:
• 72% say that cyber risks/risk management issues are factored into the creation/launch of new products/services – compared to an average of 52% of companies.
• 50% say that cyber security/cyber risk is a big influence on their choice of suppliers – compared to an average of 40% of companies.
Room for improvement?
Other survey results, however, indicate that healthcare companies may be underestimating their cyber risks, and that they could do more to mitigate the threats.
More than half (60%) of healthcare companies say that they are ‘leading’ or ‘almost leading’ their industry when it comes to cyber risk mitigation. And almost half (48%) consider the healthcare industry to be ‘very prepared’ against cyber-attacks.
This confidence appears incongruent with some of the steps healthcare companies actually take to protect themselves. For example:
• The great majority of healthcare companies are not minimising the risk of being hacked. Only 10% take measures to detect whether they’ve been hacked every day – something all companies should do.
• Many do not do enough to minimise the risk of human-error related cyber incidents – for instance, only 48% make new staff aware of their cyber security processes and procedures. (Human error was the main cause of healthcare cyber incidents that took place between October and December 2016.)
• The great majority (95%) do not involve their Head of HR when planning for a cyber breach – worrying, considering how a breach could affect employees (for example, through the loss of personal data).
UK healthcare companies have made great improvements to their cyber security in recent years. It may be, however, that the really hard work is still to come.
For more information, please contact Kevin Culliney on:
+44 (0)20 7933 2692