Cyber security investment in hospitals remains a low priority despite continuing attacks on healthcare delivery organizations, according to a report from CyberMDX and Philips.
Published 12 August 2021, the Perspectives in healthcare security report examines the impact of cyber attacks on large and mid-size hospitals and the challenges these organizations face in responding to them.
“With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security,” said Azi Cohen, CEO of CyberMDX.
“Hospitals have a lot at stake – from revenue loss to reputational damage and, most importantly, patient safety. Our report provides a critical look into the current state of medical device security and will help to raise awareness of key issues and disconnects healthcare organizations are facing with their cyber security.”
The report – which is based on a study conducted by global market research firm Ipsos – added that “whether the hack is committed by notorious gangs such as REvil or Conti or lesser-known hackers, hospitals now account for 30% of all large data breaches and at an estimated cost of $21bn in 2020 alone.”
According to the survey results, 48% of hospital executives had reported a forced or proactive shutdown in the past 6 months due to external attacks or queries.
This is in line with previous research from Check Point, which found that cyberattacks in the healthcare industry had grown by 45% between November 2020 and January 2021. It also found that ransomware, botnets, remote code execution, and distributed denial-of-service (DDoS) attacks were the most common incidents faced by healthcare organizations.
However, the CyberMDX report found that despite the continuing attacks on hospitals, more than 60% of hospital IT teams said they have “other’ spending priorities, and less than 11% said cyber security is a high-priority spend.
The lack of priority given to cyber security spending is also happening despite high material repercussions and a clear awareness that there is little protection from dangerous vulnerabilities.
For example, the report found that cyber-attacks were much more significant in smaller hospitals. Out of those that experienced a shutdown, respondents from large hospitals reported an average shutdown time of 6.2 hours for $21,500 per hour, while mid-size hospitals averaged nearly 10 hours at more than double the cost at $45,700 per hour.
The majority of respondents also said their hospitals were unprotected against some common but dangerous vulnerabilities. This includes 52% admitting their hospitals were not protected against the Bluekeep exposure, which increased to 64% and 75% for WannaCry and NotPetya.
In terms of closing the security gaps, the report implied that automation would go a long way to helping cyber security teams gain visibility of vulnerable devices, as the majority still rely on manual processes for inventory calculations.
For example, 65% of IT teams in hospitals rely on manual methods for inventory calculations. In comparison, 15% from mid-size hospitals and 13% from large hospitals admitted they have no way to determine the number of active or inactive devices within their networks.
In January 2021, Adam Enterkin, Europe, Middle East, and Africa (EMEA) senior vice-president at BlackBerry, said that because healthcare organizations are particularly vulnerable to cybercrime – mainly due to a lack of large, highly skilled cyber security teams – investing in automated technologies could help them protect their assets.
“Automation is key, and technology must take on the heavy lifting. To allow healthcare professionals to prioritize both immediate care and ever-present cyber threats, AI [artificial intelligence] and machine learning are the solutions, due to their continuous learning capabilities and proactive threat modeling, which grows in sophistication over time,” he said.
“For instance, if a healthcare professional clicks on a suspect link, cutting-edge algorithms and artificial intelligence can step in proactively to protect them, preventing threats like malware, viruses, ransomware, and malicious websites.”