Hospitals see cyber security investment as a low priority

by Joseph K. Clark

Cyber security investment in hospitals remains a low priority despite continuing attacks on healthcare delivery organizations, according to a report from CyberMDX and Philips.

Published on 12 August 2021, the Perspectives in healthcare security report examines the impact of cyber attacks on large and mid-size hospitals and the challenges these organizations face in responding to them.

“With new threat vectors emerging every day, healthcare organizations are facing unprecedented challenges to their security,” said Azi Cohen, CEO of CyberMDX.

“Hospitals have much at stake – from revenue loss to reputational damage and, most importantly, patient safety. Our report provides a critical look into the current state of medical device security. It will help raise awareness of key issues and disconnects healthcare organizations face with their cyber security.”

The report – which is based on a study conducted by global market research firm Ipsos – added that “whether the hack is committed by notorious gangs such as REvil or Conti or lesser-known hackers, hospitals now account for 30% of all large data breaches and at an estimated cost of $21bn in 2020 alone.”

According to the survey results, 48% of hospital executives had reported a forced or proactive shutdown in the past six months due to external attacks or queries.

This aligns with previous research from Check Point, which found that cyberattacks in the healthcare industry had grown by 45% between November 2020 and January 2021. It also found that ransomware, botnets, remote code execution, and distributed denial-of-service (DDoS) attacks were the most common incidents faced by healthcare organizations.

However, the CyberMDX report found that despite the continuing attacks on hospitals, more than 60% of hospital IT teams said they have “other” spending priorities and less than 11% said cyber security is a high-priority spend.

The lack of priority given to cyber security spending is also happening despite high material repercussions and a clear awareness that there is little protection from dangerous vulnerabilities.

For example, the report found that cyber-attacks were much more significant in smaller hospitals. Out of those that experienced a shutdown, respondents from large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour, while mid-size hospitals averaged nearly 10 hours at more than double the cost, $45,700 per hour.

Most respondents also said their hospitals were unprotected against common but dangerous vulnerabilities. This includes 52% admitting their hospitals were not protected against the BlueKeep exposure, which increased to 64% and 75% for WannaCry and NotPetya.

In terms of closing the security gaps, the report implied that automation would go a long way to helping cyber security teams gain visibility of vulnerable devices, as the majority still rely on manual processes for inventory calculations.

For example, 65% of hospital IT teams rely on manual inventory calculation methods. In comparison, 15% of mid-size and 13% of large hospitals admitted they could not determine the number of active or inactive devices within their networks.

In January 2021, Adam Enterkin, Europe, Middle East, and Africa (EMEA) senior vice-president at BlackBerry, said that because healthcare organizations are particularly vulnerable to cybercrime – mainly due to a lack of large, highly skilled cyber security teams – investing in automated technologies could help them protect their assets.

“Automation is key, and technology must take on the heavy lifting. To allow healthcare professionals to prioritize immediate care and ever-present cyber threats, AI [artificial intelligence] and machine learning are the solutions due to their continuous learning capabilities and proactive threat modeling, which grows in sophistication over time,” he said.

“For instance, if a healthcare professional clicks on a suspect link, cutting-edge algorithms and artificial intelligence can step in proactively to protect them, preventing threats like malware, viruses, ransomware, and malicious websites.”
