Cynerio reports persistent cyberattacks, insufficient accountability impact healthcare sector

Healthcare IoT security company Cynerio disclosed in a report that cyberattacks have increasingly targeted healthcare facilities, with widespread and repeated attacks, financial losses measured in the millions, and frequent failures to take basic cybersecurity measures. Although lagging security practices have fueled the cyberattacks, the resulting failures are measured in fatalities rather than fiscal loss.

Furthermore, nation-states, ransomware gangs, and other groups have identified the healthcare sector as presenting low levels of cyber protection paired with multiple revenue channels. From alarming mortality rate increases to higher-than-expected ransomware payments, the report seeks to clarify the risks faced by healthcare facilities.

In its latest report, titled ‘Insecurity of Connected Devices in HealthCare 2022 Report,’ Cynerio partnered with Ponemon Institute on an industry-wide study that examines the current impacts of cyberattacks on healthcare facilities and on network-connected IoT (Internet of Things) and medical devices. The findings are based on data from 517 healthcare experts in leadership positions at hospitals and healthcare systems throughout the U.S.

“It’s clear that cyberattackers have increasingly focused their efforts on hospitals since 2020,” Chad Holmes, security evangelist at Cynerio, said in a media statement. “What had been unclear was the frequency and resulting damage of their attacks. By teaming with Ponemon Institute, we have been able to collect feedback from hundreds of hospitals and present a clear picture of the issues they’re facing, both in terms of financial losses and impact to patient care. Ultimately, our aim for this data is to inform and expedite improved cybersecurity funding, training, and policy creation for all healthcare providers.”

The report further details a range of financial impacts, attack types, and detailed sentiments surrounding investments made towards IoT/IoMT security. It also details alarming trends, including widespread and repeated attacks, financial losses measured in the millions, and frequent failures to take basic cybersecurity measures.

The report said that the fallout of cyberattacks on healthcare has led to 56 percent of respondents saying their organizations experienced one or more cyberattacks in the past 24 months involving IoMT/IoT devices, with an average of 12.5 attacks over the same time frame. 

Forty-five percent of these respondents report adverse impacts on patient care from these attacks, and 53 percent of those (24 percent in total) report adverse effects resulting in increased mortality rates, Cynerio said. Additionally, of the 56 percent of respondents who experienced at least one cyberattack in the last 24 months, 82 percent experienced an average of four or more attacks in that time frame. Ransomware attacks occurred at roughly equivalent rates, with 43 percent of respondents having experienced an attack and 76 percent of those experiencing an average of three or more.

The Cynerio report said that ransomware attacks have led hospitals to increasingly see ransom payments as a viable option for a quick recovery, with 47 percent of those who experienced an attack paying a ransom. Thirty-two percent of the ransoms paid fell within the US$250,000 – $500,000 range. It added that those who did not pay the ransom most frequently attributed their decision to an effective backup strategy (53 percent) and to company policy (49 percent).

The Cynerio report also finds that reselling patient data is still valuable, as demonstrated by the 43 percent of respondents who suffered at least one data breach in the prior 24 months. Of those, 65 percent suffered an average of five or more data breaches in that time frame, with IoT/IoMT devices involved 88 percent of the time. The average total cost of the largest data breach was estimated at $13 million for the organizations represented in the research.

“Patients cannot continue to receive treatment in environments with a ‘heads we win/tails we lose’ security mentality at the leadership level, particularly when new technologies and emerging practices are available to reduce risk well below the ‘about half’ failure rates that are currently experienced,” Cynerio said in the report.

Another major problem the Cynerio report brought out was staffing shortages, which have led to empty seats and large gaps in knowledge. Attackers have taken advantage of the IoT/IoMT security knowledge gap by unleashing various attacks on healthcare environments. Respondents believe that a combined lack of knowledge and a wide array of attacks lead to a complicated threat landscape. Among the top threats to IoT and other connected devices, respondents expressed the most concern about the lack of visibility into IoT networks (45 percent), phishing (45 percent), zero-day attacks (41 percent), and ransomware attacks (39 percent), it added.

The Cynerio report also pointed to a lack of ownership and accountability delaying IoT/IoMT security. “When asked who is primarily responsible for ensuring the security of these risky devices, not one role received more than 18% of responses. Even the top responses varied widely from CIO/CTO (18%) to Operations Leadership (14%), CISO/CSO (14%), and Network Leadership (11%). In an industry where leadership and guidance are often well defined, the lacking agreement on responsibility for IoT/IoMT devices requires significant improvements,” it added.

Another aspect that the report brought out was that perceived risk in IoT/IoMT devices is high, while proactive security actions are not. Seventy-one percent of respondents rated the level of security risk created by IoMT/IoT devices as high or very high. Still, only 21 percent of respondents self-report a mature stage of proactive security actions. In about half of the cases (46 percent), the most basic activity of scanning for devices is in place, but two-thirds of these respondents (67 percent) don’t track the resulting inventory.

The report also disclosed that HIPAA regulations have led to an environment where data breaches are disproportionately reported, leading to a skewed public perception of healthcare providers’ risks. In the background, facilities are confronting attacks that have shifted from bits and bytes to cyber-physical threats. When cyberattacks result in adverse patient care (45 percent), patients face risks including high rates of impacted service (54 percent) and inappropriate therapy or treatment deliveries (26 percent). Moreover, for every reported set of vulnerabilities related to hospital robots or infusion pumps, there are likely thousands more that are unknown and far more dangerous.

Cynerio said that, on average, hospitals spend 3.4 percent of the IT budget ($5 million annually) on securing devices, as budget owners often struggle with allocating resources to secure their environments. This will be an ongoing challenge in the IoT/IoMT space for years, but early practices are becoming clearer. For example, the typical IT spend for respondents averages $145 million in the fiscal year, and an average of 17 percent of that spend is focused on IT security. In addition, an average of 20 percent of that security spending was reported to go towards IoT/IoMT device security – an average of $5 million in the fiscal year.

Earlier this year, Cynerio data disclosed under-addressed risks, threats, and security issues related to the healthcare IoT environments. Unfortunately, critical medical device risks leave hospitals and their patients vulnerable to cyberattacks and data security issues. Based on information collected from millions of connected devices at hundreds of hospitals in the U.S. and worldwide, Cynerio found that over 50 percent of connected devices have critical risks present in a typical hospital setup.