Freely subscribe to our NEWSLETTER

The Q1-2020 State of UK Healthcare Secure Access report by Pulse Secure surveyed more than 60 senior information security and decision-making executives from healthcare organisations in the UK with 1,000 to over 10,000 employees.

The research examined overall IT spending strategy, incidents, control gaps, operational capacity and technology tools. The report confirms that UK healthcare industry is investing heavily in a hybrid IT strategy with an overwhelming majority expecting to increase investments by greater than 10% with usage predominately going into private cloud (94%) followed by datacentres (88%). The continued uplift in cloud adoption and reinvestment in data centre resources has also introduced data breach concerns, as 60% plan to improve access control consistency across hybrid IT environments.
While a wide variety of potential secure access exposures were presented to respondents, unauthorised data access, mobile and web exposures, and vulnerable and unsanctioned endpoint device issues plagued UK health institutions. Correspondingly, one in four respondents said their organisation faced impact from malware, privileged user and IOT security incidents. The majority of midsized UK-based service providers cited significant impact with unauthorised application/resource access and use of unauthorised devices, whereas large institutions (those with 5,000 to 10,000 employees) claimed application unavailability/outage as having the highest impact.

The report states: “Despite knowledge of their high impact incidents and access control gaps, a substantial number of respondents are less than confident, notwithstanding large investments in tools and security initiatives. Healthcare organisations’ ability to ‘orchestrate dynamic access authentication and protection’ is also in question, with 68% of respondents expressing little confidence.”

UK Healthcare providers are embracing mobile computing and taking advantage of network- and web-connected devices to improve medical responsiveness, delivery and outcomes for their patients. However, a majority (82%) of survey respondents cited mobile computing exposures and weak device access compliance among their top control gaps. Equally concerning is that 70% had nominal confidence in BYOD access enforcement, and 64% expressed similar confidence with IoT devices. As a result, streamlining BYOD and web-based mobile access and enhancing IoT security were expressed among the top priorities for security professionals in healthcare.

The research also illustrated a complex picture of healthcare organisations trying to plug holes and being reactive to threats or changes in IT infrastructures. While the industry seeks to optimise investments, the survey found that UK healthcare IT security practitioners use, on average, at least four related tools within each category of secure access. The vast majority (96%) of respondents expressed a positive outlook towards tool set consolidation. To this end, over 40% place one or more secure access functions in the hands of managed service providers and plan to increase outsourcing by as much as 7% over the next 18 months.

The report states: “With the evolving nature of the sector this is no big surprise with mergers, legacy technologies, modernisation and shifts in working patterns and service provision all thrown into a melting pot of change. Healthcare organisations need to think about tool consolidation and standardising on integrated platforms.”

Looking at longer term strategy, the report indicates healthy investment to improve access security where the majority (56%) of UK healthcare respondents cited secure access expenditures to rise by 5 to 15% and a third expect spend to increase up to 25%. Of particular note was the interest in Software Defined Perimeter (SDP) technologies [also depicted as Zero Trust Network Access]. SDP enables trusted access directly between the user and their device to the application and resource. Like perimeter-based VPN technology, SDP invokes user, device and security state authentication controls before and during an authorised, protected connection. 62% of healthcare security decision makers anticipate an SDP project or pilot within the next 18 months.

Commenting on the report, Scott Gordon, chief marketing officer for Pulse Secure said, “The findings indicated that while workforce mobility, cloud and IoT security still threaten data privacy and service availability obligations for UK healthcare, these institutions appear to be making appropriate upcoming priorities and investments to reduce secure access risks.”

“The report data suggests that hybrid IT adoption and security infrastructure consolidation in the UK healthcare segment is likely over the next few years as new approaches such as Zero Trust Network Access can serve to protect patient care advancements.”