IT Security Awareness in Healthcare – Not Highly Prioritized Despite Rising Cyberattacks
Healthcare, and by extension hospitals, are among the industries most vulnerable to cyberattacks. A report from the HHS Cybersecurity Program, published in the summer of 2021, identifies 82 ransomware incidents, 60% of which affect the US healthcare sector. It also indicates that hospitals are responsible for about 30% of all major data breaches. In 2020 alone, cyberattacks on healthcare caused an estimated cost of $21 billion.
The findings from the U.S. Department of Health & Human Services (HHS) report are just the beginning. CyberMDX, a leading provider of cybersecurity solutions for medical devices, released the “Perspectives in Healthcare Security” report in mid-2021 in partnership with Philips and Ipsos. The report examines the current security posture, employee concerns, and implications for medical device security and cybersecurity in large and mid-sized healthcare organizations.
The report is a continuation of the partnership between Philips and CyberMDX announced in November 2020 and reveals some startling numbers.
Key findings from the Healthcare Security Report
- 48% of hospital leaders reported a forced closure in the past 6 months as a result of external cyberattacks.
- Of respondents who faced a closure due to external factors, large hospitals reported an average closure time of 6.2 hours at a cost of $21,500 per hour. Mid-sized hospitals had to close for an average of nearly 10 hours at an average cost of $45,700 per hour.
- Despite ongoing cyberattacks on healthcare, more than 60% of hospital IT teams have “other spending priorities” than cybersecurity. Less than 11% say cybersecurity is a high-priority expense.
- When asked about common vulnerabilities, such as BlueKeep, WannaCry and NotPetya, the majority of respondents said their hospitals were unprotected. Fifty-two percent of respondents had to admit that their hospitals were not protected from the BlueKeep vulnerability. For WannaCry, the figure was 64%. And for NotPetya, it was as high as 75%.
- 65% of hospital IT teams rely on manual methods for inventory calculations, and 7% still work completely manually. In addition, 15% of respondents from mid-sized hospitals and 13% from large hospitals said they cannot determine the number of active or inactive devices on their networks.
- While 2/3 of IT teams believe they have sufficient staff for cybersecurity, more than half of biomed teams believe more staff are needed. At the same time, the industry is facing a cybersecurity skills shortage. On average, there is a delay of more than 100 days in filling such positions.
- 58% of IT teams reported having cyber insurance.
- Whether the cyberattacks are committed by notorious gangs like Conti or lesser-known hackers, hospitals now account for about 30% of all major data breaches.
Cyber insurance alone is not enough
The study surveyed 130 hospital information technology (IT) and information security (IS) executives, as well as biomed technicians and engineers. Respondents provided insight into the current state of medical device security in hospitals, while also revealing the challenges their organizations face.
The bottom line is that there is still work to be done in healthcare when it comes to IT security. But the same is true of all other industries. Cyber insurance alone is not enough. And neither is a firewall if employees are not trained accordingly. After all, the workforce itself is the best firewall.
We would like to tell you what you can do and how you can create better IT security awareness.