Healthcare and pharma cyber security rated worst in S&P 500
Analysts worry that a wide-scale security breach could occur in 2014
Healthcare and pharmaceutical companies have the worst cyber security among the Standard & Poor’s (S&P) 500, and could suffer large-scale security breaches in 2014 similar to those experienced by retail companies such as Target and Neiman Marcus, according to a recent report.
BitSight Technologies, a security ratings company, examined the cyber health of companies on the S&P 500 and found that 82% had been victims of some sort of security breach. Healthcare and pharmaceutical companies ranked the lowest among the four industry categories studied because of their high volume of incidents and slow response times.
The finance industry ranked best in cyber security, followed closely by the utilities industry. The retail industry, which was rated as performing poorly, came in third. The finance industry has made cyber security a priority and a part of business operations, which led to it outperforming other sectors, according to the study.
“Financial institutions spend more on cyber security than their peers in other industries, and the largest ones tend to go well beyond the measures mandated by government and industry groups,” say the study’s authors. “Many of them share information on emerging industry level threats with their peers in the FS-Information Sharing and Analysis Center, an industry forum.”
When a security event occurs, healthcare and pharmaceutical companies take more than five days, on average, to resolve the situation, while finance companies take less than four days, on average, according to the study. These factors make the healthcare and pharmaceutical industries most vulnerable to large data breaches in 2014.
“Unlike the financial institutions and electric utilities in the S&P 500, the healthcare and pharmaceutical companies do not view cyber security as a strategic business issue,” the study’s authors said. “They do not spend enough resources to protect their data, in part because cyber security has not received the executive level attention it deserves.”
The study’s authors questioned whether the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) are enough to protect healthcare data, because the majority of security breaches occur from stolen or lost devices such as laptops and servers.
“In general, this sector tends to spend only the resources required to be compliant with regulations such as HIPAA, and compliance does not equate to security. More prescriptive controls and better enforcement of HIPAA would certainly help improve security in the healthcare sector, along with a greater emphasis on security throughout these businesses,” say the study’s authors.