When it comes to cyber-attacks in the healthcare field, hospitals and payer organizations are under fire: A full 62% of the 627 executives surveyed in a recent poll admitted to experiencing an attack in the past 12 months – with more than half losing patient data as a result.
Merlin International and the Ponemon Institute’s 2018 Impact of Cyber Insecurity on Healthcare Organizations study scoured publicly available data and found that out of five industries tracked, the medical/healthcare industry accounted for more than 23% of total breaches in 2017, resulting in the exposure of more than 5 million patient records.
Only the business sector saw more successful attacks, meaning that healthcare organizations have come in second for the fourth year running.
The majority of healthcare providers surveyed worked at organizations with 100 to 500 patient beds (67%), using an estimated 10,000 to 100,000 network-connected devices (66%). That’s an attractively wide attack surface for criminals, who are seen as being after patient medical records (77%); patient billing information (56%); log-in credentials (54%); passwords and other authentication credentials to systems, servers or applications (49%) and clinical trial and other research information (45%).
In terms of attack vectors, the exploitation of existing software vulnerabilities greater than three months old leads the way as the main attack method at 71%, followed closely by web-borne malware attacks at 69%. Meanwhile, ransomware was the payload in 37% of attacks. The organizations surveyed also said they are equally concerned with external attacks (63%) as they are with employee negligence or malicious insiders (64%).
“In an increasingly connected, digitally centric world, hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase in scope over time,” said Merlin International’s director of Healthcare Strategy, Brian Wells. “Healthcare organizations must get even more serious about cybersecurity to protect themselves and their patients from losing access or control of the proprietary and personal information and systems the industry depends on to provide essential care.”
Interestingly, “getting serious” doesn’t seem to be firmly on the radar screen. On the medical device security front, 65% surveyed responded “no” or “unsure” when asked whether the security of medical devices is part of their overall cybersecurity strategy. And though these devices appear to be a new and growing target for attackers, 31% of respondents have no plans to include them within a cyber-strategy in the near future.
Similarly, 52% of those surveyed agreed that a lack of employee awareness and training affects their ability to achieve a strong security posture. The workforce gap is in effect here as well: About three-quarters (74%) cited insufficient staffing as the biggest obstacle to maintaining a fully effective security posture. Also, only half (51%) of organizations have a dedicated chief information security officer (CISO), and 60% surveyed don’t think they have the right cybersecurity qualifications in-house.
Worse, even though respondents said that the average compromise costs roughly $4 million, only half of the organizations (51%) have any type of incident response program at all. This means half of all organizations have no process for the mitigation and remediation needed to respond to and prevent attacks from happening again or causing extensive damage.