
3/27/2018
12:05 PM
Simon Marshall

Healthcare Industry Underprepared for Cyber Attacks Report

A study from Merlin International finds that healthcare facilities and businesses are underprepared for cyber attacks, and that patient data remains at risk.

In a year when hospitals, clinics and outpatient facilities face an increase in threats and attacks, only half of them have an incident response program in place, according to new figures. Each attack costs an average of $4 million, placing security expense versus potential vulnerability loss under scrutiny.

A new report shows that such an apparent lack of preparedness for cybersecurity disruption and damage leaves healthcare professionals, their patients, extensive private data and IT infrastructures at risk with no clear resolution pathway.

"Hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase over time," said Brian Wells, director of healthcare strategy at Merlin International, a systems integration and services supplier to the US government, and author of the report: 2018 Impact of Cyber Insecurity on Healthcare Organizations.

(Source: Rawpixel via Pixabay)

The report was conducted by the Ponemon Institute, and is based on interviews with 627 healthcare executives.

The medical and healthcare industry accounted for almost a quarter of all breaches in 2017, second only to the business sector, showing how much pressure these facilities are coming under.

Healthcare is underprepared
The US healthcare system is expecting an increase in challenges this year, with attacks focused on medical devices, patient records, billing information and clinical trial information, among other targets. Reports of attacks aimed directly at patient medical support systems in life-or-death situations are sparse, but have anecdotally started appearing. (See IoT Use Complicates Security Landscape in Healthcare.)

Merlin survey respondents seemed oblivious to the threat of attack and impairment of medical devices, many of which are directly attached to patients. The report found that 65% either weren't sure or knew that they didn't have medical devices secured.

Almost a third of them don't have plans to include securing of such devices in the near future.

The majority of respondents have facilities with between 100 to 500 beds for patients and have up to 100,000 connected devices. About 60% of them experienced an attack in the last 12 months, with more than half of those resulting in a loss of patient data.

Interestingly, these professionals are concerned about future attacks not only from external threats but, equally, from employee negligence or malicious insiders. These organizations see security danger on all sides, challenging their security focus. About three-quarters of respondents said they worried about the loss of patient records; fortunately, it's here that defense seems best.

"The risk (to patient safety is) real but actual impacts are not widespread," Wells told Security Now. "The vast majority of hospitals are prepared for outages of their electronic medical record systems and while there may be delays or disruptions in care, the risk to patients is low."

Among the other worries in the survey, loss of patient billing information ranked second, followed by IT staff login credentials, other authentication credentials, and clinical trial and research information.

Healthcare software under threat
Shortcomings in software patching were discovered, with exploitations of vulnerabilities older than 12 weeks representing about 70% of attacks, closely followed by web-borne malware, at 69%. Ransomware, accounting for about 40% of attacks, has recently hit hard, notably disrupting critical care systems, and incidences are expected to grow.

The ability to monitor, understand and fix cyber damage is a major issue, with 74% of facilities reporting too few staff available as their biggest headache. Over half reported a lack of staff training and awareness was undermining their security posture, and about 60% acknowledged they lack any cybersecurity experience. About half of them don't have a CSO.



Given these shortcomings, are there advantages to outsourcing security to others?

"Outsourcing is a challenge as there is little consistency across provider organizations with respect to the security toolsets in use," Wells said. "An outsourcer would need staff on hand that are familiar with a broad collection of tools and technologies … and that creates a business that cannot achieve the efficiencies that come from one common set of tools used across all customers."

The threats, the attacks, the losses and the ability to defend on so many fronts are predictably hitting smaller organizations the hardest, and their recourse is limited. Independent facilities need the economies of scale of their larger cousins, and the advantages of more up-to-date solutions, but there's a silver lining.

"One benefit of consolidation currently occurring in the healthcare provider industry is that smaller institutions are able to take advantage of advanced information technology tools and resources that exist at larger institutions," Wells said.


— Simon Marshall, Technology Journalist, special to Security Now
