Cybersecurity in hospitals is unaligned with reality, says report
US hospital and BioMed executives weigh in on healthcare security in “Perspectives in Healthcare Security Report”
Healthcare is one of the industries most targeted by cyberattacks. According to a recent report, a total of 82 ransomware incidents against the health sector have occurred worldwide in 2021, with 60% of them impacting the United States. Recent attacks on hospitals from notorious gangs such as REvil or Conti have accounted for 30% of all large data breaches, at an estimated cost of $21 billion in 2020 alone.
"With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security," said Azi Cohen, CEO of CyberMDX. "Hospitals have a lot at stake from revenue loss to reputational damage, and most importantly patient safety. Our new report provides a critical look into the current state of medical device security and will help raise awareness of key issues and disconnects healthcare organizations are facing with their cybersecurity."
The report, conducted by global market research leader Ipsos, surveyed 130 hospital executives in Information Technology and Information Security roles, as well as BioMed technicians and engineers. The respondents, who had around 15 years of experience, provided insight into the current state of medical device security within hospitals and noted the challenges their organizations face.
The report is a continuation of the partnership between Philips and CyberMDX announced in November 2020 and represents their joint commitment to provide solutions to protect connected medical systems and devices. CyberMDX develops technologies that protect connected medical devices in hospitals and clinics against cyberattacks. The system monitors a medical facility’s network to automatically identify the most crucial devices and assess potential risks.
The report noted the following key findings:
- Ransomware is attacking the bottom line - 48% of hospital executives reported either a forced or proactive shutdown in the past 6 months as a result of external attacks or queries.
- Midsize hospitals have it worse - Large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour while midsize hospitals averaged nearly 10 hours at more than double the cost or $45,700 per hour.
- Cybersecurity investment isn’t a top priority - More than 60% of hospital IT teams have "other" spending priorities and less than 11% consider cybersecurity a top priority.
- Dangerous vulnerabilities persist - When asked about common vulnerabilities such as BlueKeep, WannaCry and NotPetya, the majority of respondents said their hospitals were unprotected, with 52% admitting their hospitals were not protected against the BlueKeep vulnerability. That number increased 64% for WannaCry and 75% for NotPetya.
- Lack of automation creates gaps in security - Some 65% of IT teams in hospitals rely on manual methods for inventory calculations with 7% still in full manual mode. In addition, 15% of respondents from midsize hospitals and 13% from large hospitals admitted they have no way to determine the number of active or inactive devices within their networks.
- Staffing disconnect - While two-thirds of IT teams believe they are adequately staffed for cybersecurity, more than half of BioMed teams believe more staff is needed.
- Cyber insurance and compliance remain popular options - Some 58% of IT teams consider compliance "almost always" a necessity, while 58% noted they had cyber insurance.
"No matter the size, hospitals need to know about their security vulnerabilities," said Maarten Bodlaender, who is the Head of Cyber Security Services at Philips. "Proper cybersecurity begins with a clear understanding of the evolving landscape, and this survey is part of our ongoing efforts to provide insight into cybersecurity needs across healthcare organizations."