Poor Patching Practices Increase the Risk of Exploited Vulnerabilities

Ponemon Institute conducted a survey on behalf of ServiceNow to learn about the patching issues that the healthcare and pharmaceutical industries are struggling with. The study revealed that organizations are not patching vulnerabilities promptly, leaving their network systems open to cyber attacks. The survey respondents included 3,000 security professionals from organizations in different industries with over 1,000 employees. The survey results can be read in the report Today’s State of Vulnerability Response: Patch Work Demands Attention.

According to the report, 57% of respondents confirmed experiencing at least one data breach in which the network was accessed through a vulnerability for which a patch had already been released. One-third of respondents admitted knowing about the vulnerability and the available patch before the breach occurred, but two-thirds did not know they were vulnerable to the cyber attack at all.

Although most people know about the risk of vulnerabilities being exploited, 37% of respondents admit that they do not scan for vulnerabilities, so they are not certain which vulnerabilities exist in their systems, let alone able to fix them. 28% of IT security professionals from the healthcare and pharmaceutical industries said that they do not perform scans.

Regarding the patching of vulnerabilities, 65% of cybersecurity professionals had difficulty prioritizing this task and identifying which software to patch first. 61% said that manual patching of vulnerabilities is putting them at a disadvantage. About 12 days are wasted on coordinating patching activities among the teams.

About 75% of IT security professionals believe that the lack of staff is causing the delay in patching. On average, vulnerability management takes about 321 hours per week. But even with that much time spent on the job, it still takes 8 weeks or more just to apply medium to low priority patches. 60% of respondents said they planned to hire more employees in the next 12 months to speed up work. On average, companies are likely to recruit four new employees just for vulnerability response.

The shortage of skilled IT staff is growing worse. The advocacy group ISACA conducted a survey which revealed that about 2 million cybersecurity positions will be unfilled by 2019. Filling the positions, however, does not guarantee better security. Automating routine processes and prioritizing vulnerabilities are necessary. People must be focused on doing critical work to reduce the likelihood of a security breach.

The Ponemon Institute – ServiceNow report recommended five tasks that must be done to achieve a better security posture.

  1. Have an honest evaluation of vulnerability response capabilities.
  2. Speed up time-to-benefit by dealing with low-hanging fruit first.
  3. Break down data gaps between security and IT to stop wasting time on coordinating between the two.
  4. Define and optimize end-to-end vulnerability response processes and automate.
  5. Retain talent by focusing on culture and environment.

About James Keogh
James Keogh has been writing about the healthcare sector in the United States for several years. With several years of covering healthcare topics, he has developed expertise in HIPAA-related issues, including compliance, patient privacy, and data breaches. His work is known for its thorough research and accuracy, making complex legal and medical information accessible. James's articles are valuable resources for healthcare professionals and have been featured in reputable publications. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA and contact James on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681.