Cyberattacks and ransomware cost medium-sized healthcare institutions significantly more than larger organizations, with the average cost of a shutdown caused by a cyber incident exceeding $440,000 for smaller organizations versus $130,000 for larger institutions, a new report shows.
About half of all healthcare organizations—42% of mid-size practices and 61% of large organizations—had an unplanned shutdown of medical devices or equipment due to an external attack in the past six months. Despite that, most respondents believe they have enough staff for enterprise cybersecurity, with 61% of mid-sized and 69% of large healthcare organizations saying staffing is at least adequate, according to a survey published by medical-infrastructure protection firm CyberMDX.
Overall, the report highlights that, while attacks have increased, companies—especially mid-sized hospitals—have not adapted, says Azi Cohen, CEO of CyberMDX.
While only a minority of respondents revealed their IT and security budgets, the survey found that the average mid-sized hospital spends $3.5 million, and the average large hospital about $3.1 million, on their IT budget. About $300,000, or about 8% to 11% of that, is spent on securing medical devices and connected equipment. On average, about $617,000 is spent on cybersecurity compliance, which about half find insufficient for their mission, the report stated.
"The report is saying they feel the pain of an attack more," he says. "They estimate their losses or costs to be higher than large hospitals—so it’s not about spend, it’s about cost. We don’t know why but can make an assumption that with fewer staff and resources they have a heavier load to bear and that creates more to do and a higher cost."
The CyberMDX report is not the only one to find that healthcare attacks pose an increasing threat.
Any respite afforded the healthcare sector by attackers during the coronavirus pandemic is now over, according to Microsoft, which disclosed during a US House of Representatives' Subcommittee on Oversight and Investigations hearing that the healthcare sector accounts for the most engagements with its security services. Healthcare made up 17% of the company's engagements, compared to the media-and-entertainment, energy, and financial sectors, which accounted for 14% each.
"[D]espite continued promises by some cybercriminals not to attack hospitals or healthcare companies during the global pandemic, Microsoft has observed that healthcare remains the number one target of ransomware," Kemba Walden, assistant general counsel for Microsoft's Digital Crimes Unit (DCU), said in written testimony, adding that "ransomware is not limited to high-profile incidents. It is ubiquitous and pervasive, impacting wide swathes of our economy, from the biggest to the smallest players."
In a March report, the US Department of Health and Human Services found that opportunistic attacks against healthcare had become less common. Instead, attacks targeting healthcare organizations focused on gaining a beachhead, compromising a significant number of systems, stealing data, and then deploying ransomware. The latter two components—known as the double-extortion attack—has become the de facto way that cybercriminals monetize successful compromises.
In addition, attackers are increasingly using automation and social-engineering as part of their attacks, HHS stated.
Yet, while attackers are adapting their methods toward crypto-ransomware and data theft, healthcare organizations are slow to improve their defenses, according to the CyberMDX survey.
Of particular concern, the cybersecurity maturity of hospitals and healthcare organizations appears to lag significantly behind other sectors. About two thirds of mid-sized and 57% of large organizations have a mix of manual processes, or a fully manual process, for inventorying devices on the network.
Companies should adopt find and eliminate manual processes and automate as much as possible, CyberMDX's Cohen says.
"It would make sense for hospitals to assess and align impacts and priorities across departments and ensure the resources are focused in the right places," he says. "[L]let's make certain teams are not just addressing the needs of individual departments but are working together to tackle the holistic problem of how to mitigate cyber threats."
The survey also found that vulnerabilities continue to be a significant problem. More than three-quarters of organization have failed to fully patch against the vulnerabilities used by NotPetya, while about half are not protected against the Apache Struts vulnerability used against Equifax in 2017 nor the BlueKeep vulnerability in Microsoft Remote Desktop Protocol (RDP) servers disclosed in 2019.
"Known vulnerabilities are extremely dangerous as the playbook for how to exploit them is already publicly available and hackers know this," Cohen says. "Hospitals must do a better job protecting their medical devices and this will hopefully raise awareness that if these well known vulnerabilities aren’t protected against, what about the less known but equally dangerous ones out there?"