Security experts have spoken of their surprise at a report by risk start-up BitSight which suggests that the healthcare and pharmaceutical industries “lag behind” other sectors when it comes to cyber security.
The report, based on publicly available data, claims that healthcare and pharmaceutical firms are increasingly becoming the main target for hackers and cyber criminals looking to make off with personal data.
BitSight’s research also claims that healthcare takes longer than any other sector to respond to cyber attacks.
However, cyber security experts told Computing that the results of the report are something of a surprise, as healthcare is often seen as one of the best-defended industries against potential cyber attacks.
“I was surprised to see pharma pulled out as an example of a poorly protected industry,” said Orlando Scott-Cowley, technologist at security vendor Mimecast, who explained that pharmaceutical firms place huge importance on security.
“Pharma is traditionally viewed as one of the more highly defended industries, dealing as it does with extremely lucrative projects,” he said.
“Protecting its intellectual property has long been viewed as vitally important and security has therefore always been a significant part of pharma companies’ budgets, in terms of personal, physical and IT security.”
Scott-Cowley also questioned the nature of the data, arguing that basing a report solely on publicly available data is not going to result in an accurate picture of the full situation.
“We know that most companies don’t report breaches unless they absolutely have to, or if they are legally required to report breaches they are only required to do so when personal or customer data is compromised,” he said.
“Based on that information alone, I find it hard to agree with the extrapolated conclusion that pharma is ‘lagging behind’ in terms of security performance.”
Oliver Pinson-Roxburgh, systems engineering manager at information security firm Trustwave, also expressed his surprise at the findings of the BitSight report.
“I certainly don’t think it’s fair to say that the healthcare and pharmaceutical industries are lagging behind others,” he told Computing.
However, he did suggest that the fines issued to the NHS by the Information Commissioner’s Office mean there are areas in which data security in healthcare can be improved.
“It does seem that they are failing on areas such as insecure data cleansing. As well as selling old drives online, faxes with sensitive data have been leaked in the past, which by no means is a targeted attack on the healthcare provider,” Pinson-Roxburgh said.
“This suggests that some of the basics around data leakage prevention and employee awareness and education around data security are not being observed.”