Healthcare cybersecurity vendor CyberMDX said in a report that cybersecurity investment is not a high priority for hospital networks, despite continuing cyber-attacks against the healthcare sector. Roughly half of the respondents experienced an externally motivated shutdown in the last six months, according to the study, which was conducted by global market research leader Ipsos and surveyed 130 hospital executives in information technology (IT) and information security (IS) roles, as well as biomedical technicians and engineers.
Yet, more than 60 percent of hospital IT teams have ‘other’ spending priorities and less than 11 percent say cybersecurity is a high priority spend, the report said. Titled, ‘Perspectives in Healthcare Security Report,’ it was done in collaboration with Philips and examines attitudes, concerns, and their impact on medical device security, as well as on cybersecurity across large and midsize healthcare delivery organizations, or hospital networks.
The respondents, who averaged 15 years of experience in their fields, provided insight into the current state of medical device security within hospitals, and highlighted the challenges their organizations face, CyberMDX said. The latest report on hospital networks is a continuation of the partnership between Philips and CyberMDX announced in November 2020, and represents their joint commitment to provide solutions to protect connected medical systems and devices.
“With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security,” Azi Cohen, CEO of CyberMDX, said in a press statement. “Hospitals have a lot at stake — from revenue loss to reputational damage, and most importantly patient safety. Our new report provides a critical look into the current state of medical device security and will help raise awareness of key issues and disconnects healthcare organizations are facing with their cybersecurity.”
The healthcare sector faces persistent cybersecurity threats that have grown in number and sophistication, while the COVID-19 pandemic led to the rapid adoption of digital technologies and increased connectivity, exacerbating the threat landscape. A recent report from HHS cited a total of 82 ransomware incidents so far this year worldwide, with 60 percent of them impacting the United States health sector. Recent attacks from notorious gangs such as REvil or Conti contribute to the impact, and hospitals now account for 30 percent of all large data breaches by these gangs.
Ransomware is attacking the bottom line, with 48 percent of hospital executives reporting either a forced or proactive shutdown in the last six months as a result of external attacks or queries, the report found.
Large hospitals appear more likely to have experienced internally or externally initiated shutdowns. The bigger hospital networks reported an average shutdown time of 6.2 hours at a cost of US$21,500 per hour, while midsize hospitals averaged nearly 10 hours at more than double the cost, or $45,700 per hour, it added.
Another key finding of the CyberMDX-Philips report is that the healthcare sector has been plagued by dangerous vulnerabilities. When the respondents were asked about common vulnerabilities such as BlueKeep, WannaCry and NotPetya, the majority of respondents said their hospitals were unprotected. Fifty-two percent of respondents admitted their hospitals were not protected against the BlueKeep vulnerability, and that number increased to 64 percent for WannaCry and 75 percent for NotPetya.
The report also found a lack of automation, which creates security gaps in hospital networks. Sixty-five percent of IT teams in hospitals rely on manual methods for inventory calculations, with 7 percent still in full manual mode. In addition, 15 percent of respondents from midsize hospitals and 13 percent from large hospitals admitted they have no way to determine the number of active or inactive devices within their networks, according to the CyberMDX report.
CyberMDX also identified a staffing disconnect, with two-thirds of IT teams believing that they are adequately staffed for cybersecurity, while over half of the biomedical teams believe more staff is needed. But almost half of all respondent types find their medical device and IoT (Internet of Things) security staffing inadequate, as the industry grapples with a cybersecurity talent shortage that at times means a lag of over 100 days to fill jobs.
In June, groups from the healthcare sector urged U.S. President Joe Biden to strengthen the cybersecurity framework and resilience, and increase funds available to the sector, following rising ransomware and cybersecurity attacks in the nation’s critical infrastructure sector.