Healthcare and pharmaceutical companies have the worst cyber security in the Standard & Poor’s (S&P) 500, and could suffer wide-scale security breaches in 2014 similar to the ones experienced by retail companies such as Target and Neiman Marcus, according to a recent report.
BitSight Technologies, a securities ratings company, examined the cyber health of companies on the S&P 500, and found that 82% had been victims of some sort of security breach. Healthcare and pharmaceutical companies ranked the lowest among the four industry categories studied, because of their high volume of incidents and slow response times.
The finance industry was the best in cyber security, followed by the utilities industry. The retail industry, which was rated as performing poorly, ranked third. The finance industry has made cyber security a priority and a part of business operations, which led to it outperforming other sectors, according to the study.
“Financial institutions spend more on cyber security than their peers in other industries, and the largest ones tend to go well beyond the measures mandated by government and industry groups,” say the study’s authors. “Many of them share information on emerging industry level threats with their peers in the FS-Information Sharing and Analysis Center, an industry forum.”
In the case of a security event, healthcare and pharmaceutical companies take more than five days on average to resolve the situation, while finance companies take less than four days on average, the study said. These are the reasons the healthcare and pharmaceutical industries will be the most vulnerable to data breaches in 2014.
“Unlike the financial institutions and electric utilities in the S&P 500, the healthcare and pharmaceutical companies do not view cyber security as a strategic business issue,” the study’s authors said. “They do not spend enough resources to protect their data, in part because cyber security has not received the executive level attention it deserves.”
The study's authors also questioned whether the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) were enough to protect healthcare data, since the majority of security breaches result from stolen or lost devices such as laptops and servers.