Poor Patching Practices in Healthcare Exposed in Ponemon Institute Study

April 11, 2018


A recent survey performed by the Ponemon Institute for ServiceNow has revealed that healthcare and pharmaceutical businesses are not keeping up to date on patching. Vulnerabilities are not being patched swiftly, leaving businesses open to attack.

The survey was sent to 3,000 security professionals from organizations with over 1,000 staff members across a broad variety of industry sectors and countries. The results of the survey were published in the report: Today’s State of Susceptibility Reaction: Patch Work Requires Attention.

The report indicated that 57% of respondents had experienced at least one data breach where access to the system was gained by exploiting a vulnerability for which a patch had already been issued. One-third of respondents replied that they were aware that the vulnerability existed and a patch was available before the breach. More disturbing, two-thirds of organizations didn’t know they were vulnerable to attack.

Even though there is a major risk of vulnerabilities being exploited, 37% of respondents said they don’t scan for vulnerabilities and for that reason can’t be certain all vulnerabilities are known and addressed. The healthcare and pharmaceutical sectors were somewhat better than average, even though 28% of IT security professionals from those industries said vulnerability scanning was not carried out.

65% of cybersecurity employees said they find it tough to prioritize patching and determine what software must be patched first. 61% said manual processes were putting them at risk when patching vulnerabilities, and an average of 12 days were being lost coordinating patching activities across teams.

Over three-quarters of IT security professionals felt the delay in patching vulnerabilities was because of a lack of trained staff. They simply didn’t have enough staff members to keep on top of patching. On average, 321 hours a week are being spent on vulnerability management, but even so, medium to low priority patches are still taking eight weeks or longer to be applied.

60% of respondents said they would be hiring more staff in the next year to help speed up the patching of vulnerabilities. On average, organizations are looking to hire four new workers exclusively for vulnerability response.

Deciding to hire more staff is one thing. Finding them is a separate problem. There is a shortage of trained IT staff and the problem is getting worse. According to a recent survey performed by the advocacy group ISACA, by 2019 there will be 2 million open cybersecurity positions.

Even if staff can be hired, there is no assurance that security posture can be considerably improved. Although more staff could definitely help some businesses, the report indicates there is a patching paradox: hiring more staff doesn’t mean better security.

ServiceNow Security and Risk Vice President and General Manager Sean Convery said: “Adding more talent alone won’t tackle the main problem plaguing today’s safety teams. Automating routine procedures and prioritizing weaknesses assists organizations to avoid the ‘patching paradox,’ instead of focusing their people on important work to dramatically decrease the possibility of a breach.”

The Ponemon Institute/ServiceNow study offers five recommendations that can help organizations develop a roadmap to an improved security posture.

  • Take an impartial inventory of vulnerability response capabilities.
  • Speed up time-to-benefit by tackling low-hanging fruit first.
  • Break down data barriers between security and IT to regain lost time spent coordinating between the two.
  • Define and prioritize end-to-end vulnerability response processes and then automate as much as you can within reason.
  • Ensure retention of talent by concentrating on culture and work environment.