By Stephen Cobb, Sr. Security Researcher, ESET
When ESET asked researchers at the highly respected Ponemon Institute to survey healthcare organizations, I suspected the results would be troubling. Today in the U.S., a growing cybercrime wave seeks to exploit the black market value of personal information, large amounts of which can be found in healthcare IT systems. At the same time, the healthcare industry is under extraordinary pressure to cut costs, streamline operations, adopt new technology and digitize patient health information. In this environment, how does cybersecurity fare?
The results of our survey of healthcare IT professionals across the country reveal an industry in which the level of response to cyberthreats is even more out of step with the level of threat than has been recognized.
Below are my takeaways.
Unprecedented level of cybercrime
The headline-grabbing data breaches of 2015 hit big-name medical insurers and large healthcare systems, but make no mistake, medically related organizations of every kind and size are facing an unprecedented level of cybercrime. More than half of all healthcare organizations that Ponemon surveyed experienced at least one cyberattack in the last 12 months (20 percent experienced more than 10), with almost half experiencing some loss or exposure of patient data in the last 12 months. Most tellingly, the survey reveals that healthcare organizations are experiencing monthly cyberattacks.
The survey also shows that a compliance-oriented focus on patient data theft has overshadowed another very real threat: DDoS attacks. Thirty-seven percent of organizations had experienced at least one Distributed Denial of Service attack during the year that caused a disruption of operations and/or systems downtime, at an average cost of $1.32 million.
Under attack on multiple fronts
When it comes to the security threats that concern healthcare organizations, it’s clear organizations feel under attack on multiple fronts: Seven different threats were rated by 70 percent of respondents as a top concern. System failures were the number one concern, reminding us that availability is one of the three pillars of information system security.
Additionally, the survey exposes a serious gap in healthcare IT: Insecure medical devices. This was the number two concern, yet only 27 percent of respondents said it was part of their cybersecurity strategy. This is indeed troubling because of the very real potential for patient harm if a medical device is not properly protected.
A perfect storm: Technology change and lack thereof
Despite frequent cyberattacks, our survey shows that the healthcare sector is not consistently prepared with incident response processes to deal with them. These are mandated under HIPAA—yet half of the organizations Ponemon surveyed said they had no incident response process in place.
Respondents cited lack of both staff and budget as serious challenges to the cybersecurity posture, neither of which bodes well for swiftly fixing the many security gaps this study documents. Even more worrying, however, was the most-cited obstacle to a better cybersecurity posture: Lack of collaboration with other functions. While I have been hearing anecdotal evidence of this from my colleagues in healthcare for some time, this is the first study in which I have seen it documented. I think it reflects a growing realization that this particular IT environment is more complex and challenging than previously thought.
The study also validates what some industry analysts have been speculating: The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security. About half of respondents agreed that cloud, mobile, IoT and big data increase vulnerability, and the same number said legacy systems increase vulnerability and threats to patient data. At a minimum, these findings reveal the very real challenge of rolling out new technology securely while existing technology is either under-patched or un-patchable. This reality is reflected in one of the most troubling findings of this study: Exploitation of a vulnerability that was more than three months old had hit almost four out of five organizations surveyed.
About the survey: The Ponemon Institute’s survey, The State of Cybersecurity in Healthcare Organizations in 2016, surveyed 535 IT and IT security practitioners in a variety of U.S. healthcare organizations such as private and public healthcare providers and government agencies. The survey was commissioned by ESET.