In a year when hospitals, clinics and outpatient facilities face an increase in threats and attacks, only half of them have an incident response program in place, according to new figures. Each attack costs an average of $4 million, placing security expense versus potential vulnerability loss under scrutiny.
A new report shows that such an apparent lack of preparedness for cybersecurity disruption and damage leaves healthcare professionals, their patients, extensive private data and IT infrastructures at risk with no clear resolution pathway.
"Hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase over time," said Brian Wells, director of healthcare strategy at Merlin International, a systems integration and services supplier to the US government, and author of the report: 2018 Impact of Cyber Insecurity on Healthcare Organizations.
The report was conducted by the Ponemon Institute, and is based on interviews with 627 healthcare executives.
The medical and healthcare industry accounted for almost a quarter of all breaches in 2017, second only to the business sector, showing how much pressure these facilities are coming under.
Healthcare is underprepared
The US healthcare system is expecting an increase in challenges this year, with attacks focused on medical devices, patient records, billing information and clinical trial information, among other targets. Reports of attacks aimed directly at patient medical support systems in life-or-death situations are sparse, but have anecdotally started appearing. (See IoT Use Complicates Security Landscape in Healthcare.)
Merlin survey respondents seemed oblivious to the threat of attack and impairment of medical devices, many of which are directly attached to patients. The report found that 65% either weren't sure or knew that they didn't have medical devices secured.
Almost a third of them don't have plans to include securing of such devices in the near future.
The majority of respondents have facilities with between 100 to 500 beds for patients and have up to 100,000 connected devices. About 60% of them experienced an attack in the last 12 months, with more than half of those resulting in a loss of patient data.
Interestingly, concern by these professionals about future attacks resides not only with external threats as with, equally, employee negligence or malicious insiders. These organizations see security danger on all sides, challenging their security focus. About three-quarters of respondents said they worried about the loss of patient records, fortunately though it's here that defense seems best.
"The risk (to patient safety is) real but actual impacts are not widespread," Wells told Security Now. "The vast majority of hospitals are prepared for outages of their electronic medical record systems and while there may be delays or disruptions in care, the risk to patients is low."
Other worries in the survey ranked second with loss of patient billing information, then IT staff login credentials, other authentication credentials, and then worries about clinical trial and research information.
Healthcare software under threat
Shortcomings in software patching were discovered, with exploitations of vulnerabilities older than 12 weeks representing about 70% of attacks, closely followed by web-borne malware, at 69%. Ransomware, accounting for about 40% of attacks, has recently hit hard, notably disrupting critical care systems, and incidences are expected to grow.
The ability to monitor, understand and fix cyber damage is a major issue, with 74% of facilities reporting too few staff available as their biggest headache. Over half reported a lack of staff training and awareness was undermining their security posture, and about 60% acknowledged they lack any cybersecurity experience. About half of them don't have a CSO.
Given these shortcomings are there advantages to taking security and outsourcing it to others?
"Outsourcing is a challenge as there is little consistency across provider organizations with respect to the security toolsets in use," Wells said. "An outsourcer would need staff on hand that are familiar with a broad collection of tools and technologies … and that creates a business that cannot achieve the efficiencies that come from one common set of tools used across all customers.
The threats, the attacks, the losses and the ability to defend on so many fronts are predictably hitting smaller organizations the hardest, and their recourse is limited. Independent facilities need the economies of scale of their larger cousins, and the advantages of more up-to-date solutions, but there's a silver lining.
"One benefit of consolidation currently occurring in the healthcare provider industry is that smaller institutions are able to take advantage of advanced information technology tools and resources that exist at larger institutions," Wells said.
— Simon Marshall, Technology Journalist, special to Security Now