Hospitals see cyber security investment as a low priority
Cyber security investment in hospitals remains a low priority in spite of continuing attacks on healthcare delivery organisations, according to a report from CyberMDX and Philips.
Published 12 August 2021, the Perspectives in healthcare security report examines the impact of cyber attacks on large and mid-size hospitals, and the challenges that face these organisations in responding to them.
“With new threat vectors emerging every day, healthcare organisations are facing an unprecedented level of challenges to their security,” said Azi Cohen, CEO of CyberMDX.
“Hospitals have a lot at stake – from revenue loss to reputational damage, and, most importantly, patient safety. Our report provides a critical look into the current state of medical device security and will help to raise awareness of key issues and disconnects healthcare organisations are facing with their cyber security.”
The report – which is based on a study conducted by global market research firm Ipsos – added that “whether the hack is committed by notorious gangs such as REvil or Conti or lesser known hackers, hospitals now account for 30% of all large data breaches and at an estimated cost of $21bn in 2020 alone.”
According to the survey results, 48% of hospital executives had reported a forced or proactive shutdown in the past 6 months as a result of external attacks or queries.
This is in line with previous research from Check Point, which found that cyber attacks in the healthcare industry had grown by 45% between November 2020 and January 2021. It also found that ransomware, botnets, remote code execution and distributed denial-of-service (DDoS) attacks were the most common incidents faced by healthcare organisations.
However, the CyberMDX report found that despite the continuing attacks on hospitals, more than 60% of hospital IT teams said they have “other’ spending priorities, and less than 11% said that cyber security is a high-priority spend.
The lack of priority given to cyber security spending is also happening despite high material repercussions, as well as a clear awareness that there is little protection from dangerous vulnerabilities.
For example, the report found that the impact of cyber attacks was much greater on smaller hospitals. Out of those that experienced a shut down, respondents from large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour, while mid-size hospitals averaged nearly 10 hours at more than double the cost at $45,700 per hour.
The majority of respondents also said their hospitals were unprotected against some common but dangerous vulnerabilities. This includes 52% admitting their hospitals were not protected against the Bluekeep vulnerability, which increased to 64% and 75% for WannaCry and NotPetya respectively.
In terms of closing the security gaps, the report implied that automation would go a long way to helping cyber security teams gain visibility of vulnerable devices, as the majority still rely on manual processes for inventory calculations.
For example, 65% of IT teams in hospitals rely on manual methods for inventory calculations, while a further 15% from mid-size hospitals and 13% from large hospitals admitted they have no way to determine the number of active or inactive devices within their networks.
In January 2021, Adam Enterkin, Europe, Middle East and Africa (EMEA) senior vice-president at BlackBerry, said that because healthcare organisations are particularly vulnerable to cyber crime – largely due to a lack of large, highly skilled cyber security teams – investing in automated technologies could help them protect their assets.
“Automation is key, and technology must take on the heavy lifting. To allow healthcare professionals to prioritise both immediate care and ever-present cyber threats, AI [artificial intelligence] and machine learning are the solution, due to their continuous learning capabilities and proactive threat modelling which grows in sophistication over time,” he said.
“For instance, if a healthcare professional clicks on a suspect link, cutting-edge algorithms and artificial intelligence can step in proactively to protect them, preventing threats like malware, viruses, ransomware, and malicious websites.”