PKI mismanagement leaves healthcare organizations vulnerable

Ponemon Institute and Keyfactor say 60% of organizations aren't adequately maintaining their digital certificates and public key infrastructure.
By Nathan Eddy
11:34 AM

Current approaches to managing and protecting cryptographic keys and digital certificates, also known as digital identities, are putting organizations at significant risk, according to a survey sponsored by Keyfactor and conducted by the Ponemon Institute.

WHY IT MATTERS
The report included responses from more than 600 IT and information security executives and practitioners in the United States and Canada across 14 industries, including healthcare and pharmaceutical, which represented 12% of respondents.

The study revealed nearly two-thirds (73%) of organizations surveyed continue to experience unplanned downtime and outages due to mismanaged digital certificates and public key infrastructure.

More than half of respondents (55%) said their organizations have experienced four or more certificate-related outages in the past two years alone.

Making matters worse, the vast majority of respondents (74%) believe their organizations do not know exactly how many keys and certificates (including self-signed) they have, much less where to find them or when they expire.

In addition, 76% of respondents said they believe failure to secure keys and certificates undermines the trust their organization relies upon to operate, and less than four in 10 (38%) said they have enough IT security staff dedicated to handling PKI issues. 

THE LARGER TREND
Failed audits and Certificate Authority compromises were seen as the most serious and frequent threats – and the study revealed that, on average, organizations have experienced a CA compromise or rogue man-in-the-middle and/or phishing attack five times in the past 24 months.

Although the least frequent incidents are unplanned outages due to certificate expiration, survey results indicated the frequency of these events is still of major concern: 73% of respondents admitted that digital certificates have and continue to cause unplanned downtime and outages.
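Two of the findings above, certificates nobody has inventoried (self-signed ones included) and outages when they quietly expire, come down to the same gap: no record of what is deployed and when it lapses. As an added illustration that is not part of the article or of the Keyfactor/Ponemon report, the Go program below builds that record from a PEM bundle using only the standard library, flagging self-signed certificates and counting the days left on each; the hostnames and the minted self-signed certificate are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// CertRecord is one inventory entry: identity, self-signed flag (issuer == subject), whole days until NotAfter (negative once expired).
type CertRecord struct {
	Subject    string
	SelfSigned bool
	DaysLeft   int
}

// Inventory walks every CERTIFICATE block in a PEM bundle (chain files and concatenated dumps are common),
// skips keys/CSRs, and refuses to silently drop a certificate that fails to parse.
func Inventory(bundle []byte, now time.Time) ([]CertRecord, error) {
	var out []CertRecord
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue // keys, CSRs and other PEM blocks are not inventory items
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, CertRecord{
			Subject:    c.Subject.String(),
			SelfSigned: c.Issuer.String() == c.Subject.String(),
			DaysLeft:   int(c.NotAfter.Sub(now).Hours() / 24),
		})
	}
	return out, nil
}

// SelfSignedPEM mints a throwaway self-signed cert for cn expiring at notAfter. This is constructed sample
// data so the example runs offline; a real inventory would read PEM from disk or from a TLS handshake.
func SelfSignedPEM(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Feeding the records into a renewal queue (for example, everything with DaysLeft below 30) turns the expiry-driven outages the survey describes into scheduled work.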

ON THE RECORD
"This report reinforces cryptography’s importance within the security agenda," Chris Hickman, chief security officer at Keyfactor, said in a statement. "In many cases, PKI remains a manual function with ownership split across IT and security teams. Growing connectivity has created an exposure epidemic. Without a clear PKI in-house or outsourced program owner and process to close critical trust gaps, the risk of outages and breaches will continue to rise."

Dr. Larry Ponemon, founder of the Ponemon Institute, noted in a statement that he had been too optimistic about the pace of progress: indicators in the 2019 report had suggested more executives were investing the resources needed to close the gap between "standard practice" and "best practice" when it comes to PKI.

"This year’s report shows that while progress has been made in a few areas, that gap is actually growing wider," said Ponemon.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209