According to a survey released this morning by 451 Research, 63 percent of health care industry respondents said they had experienced a breach, the highest of any industry vertical studied.
But spending priorities were focused on perimeter defenses. According to the survey, network security was the top category for increased spending over the next 12 months, chosen by 49 percent of respondents. In addition, 78 percent rated network defenses as "very" or "extremely" effective at protecting sensitive data, also the top-rated category.
By comparison, just 72 percent of health care respondents selected data-at-rest defenses as "very" or "extremely" effective, the lowest of any vertical other than government, at 68 percent, and below the U.S. average of 75 percent.
One reason is that health care organizations spend money on strategies that have worked in the past, said Tina Stewart, vice president of marketing at Vormetric, which sponsored the report.
"Lots of investment is going into network and endpoint protection," said Stewart. "However, healthcare organizations should prioritize protecting critical information once perimeters have been breached. It’s not that we don’t need network and endpoint defenses, but priorities should shift to include data security."
It is not uncommon for organizations to default to the status quo, she added.
"It’s reassuring and familiar, after all," she said. "We do think, though, this will start to change over time as organizations are forced to learn the hard way.”
One promising sign is that 46 percent of health care organizations did plan to increase spending on data-at-rest defenses such as disk encryption, file encryption, data access controls, application encryption and tokenization, the highest ranking of any vertical. In particular, 46 percent say they will implement data security to follow industry best practices, 39 percent plan to implement cloud security gateways, 35 percent plan to implement tokenization, and 29 percent plan to implement application encryption.
A majority of the health care respondents cited compliance as a top spending priority for IT security.
According to the report, 68 percent of U.S. healthcare respondents view compliance as "very" or "extremely" effective, the highest of any vertical.
[ HOW HEALTHY? Healthcare breaches need a cure for human errors ]
"This is understandable," said Stewart. "After all, organizations operating within a regulated industry won’t be able to stay in business without remaining compliant. The surprise is that so many of the professionals polled thought it would also effectively protect them from data breaches."
Meanwhile, compliant organizations routinely fall victim to successful cyberattacks, she added.
One problem with over-relying on compliance for security is that regulations are updated only over many months or years.
"Cyberattacks change daily and hourly," she said. "This leaves compliance mandates requiring organizations to use protection methods that may already have been eclipsed by the attackers.”
Cybercriminals were rated as the biggest threat by health care organizations, chosen by 72 percent of health care respondents, but despite recent reports, only 49 percent recognized nation-states as high-risk external threats.
The Internet of Things looms as a potential risk, with 21 percent of respondents saying the connected devices were the greatest risk of loss of sensitive data, higher than other verticals.