Survey finds a spike in healthcare cyberattacks

Eight out of 10 healthcare organizations have experienced an internet of things-focused cyberattack in the past year. Of the organizations hit by an attack, 30% said the security incident compromised end-user safety, according to a survey by security software company Irdeto.

There are 10 million to 15 million medical devices in U.S. hospitals today with an average of 10 to 15 connected medical devices per patient bed, according to research from security company Zingbox. The integration of internet-connected medical devices across healthcare, which is expected to rapidly increase, poses significant cybersecurity risks. 

Irdeto surveyed 700 security decision-makers across the healthcare, transportation and manufacturing industries as well as IoT device manufacturers about cyberattacks targeting their organization and security measures currently in place. The research surveyed both manufacturers and users of IoT devices in five countries—China, Germany, Japan, the U.K. and the U.S. Around 230 of the survey respondents were security leaders in healthcare.

Healthcare security leaders ranked compromised customer data as their top concern as a result of a cyberattack (39%), followed by patient safety (20%) and stolen intellectual property (12%). Security executives also are concerned about brand or reputational damage and operational downtime.

Across all three industries, the survey found that operational downtime (43%) is the most common impact of a cyberattack, which in itself is likely to compromise patient safety when it comes to providers of critical care. This is followed by compromised customer data (42%) and brand or reputational damage (31%).

The survey results indicate healthcare organizations are aware of where the key cybersecurity vulnerabilities exist with their infrastructure but do not necessarily have everything they need to address them. When asked to identify where the most prominent vulnerabilities exist within healthcare organizations, the IT network was cited most frequently (50%), followed by mobile devices and accompanying apps (45%) and IoT devices (42%).

“These findings suggest that network security is no longer enough to prevent significant damage and organizations need to factor security at both the app and device-level into their strategy,” the report authors said.

Device manufacturers are aware of these security gaps, as 82% of IoT device makers say they are concerned the devices are not adequately secured from a cyberattack.

“This goes to show that for many manufacturers of IoT devices, security is still an afterthought instead of something that should be implemented at the very beginning,” the report authors said.

Failure to address these challenges could prove costly, with the average financial impact as a result of an IoT-focused cyberattack in the healthcare space identified as $346,000, according to the survey.

“The benefits of connectivity in healthcare are clear for all to see, but this growth in connectivity brings with it an increase in vulnerabilities, with hackers looking to steal sensitive medical data, execute targeted attacks against care providers’ infrastructure and much more,” Steeve Huin, vice president of strategic partnerships, business development and marketing at Irdeto, said in a statement.

Organizations need to upskill and implement robust cybersecurity strategies incorporating device and app security to ensure patient safety and optimal care, while preventing the extra costs insurance companies must charge as a result of a cyberattack, Huin said.

The WannaCry ransomware attack back in May 2017, which hit more than 300,000 machines in 150 countries, targeted Windows operating systems and succeeded where those operating systems lacked security updates.

An alarming number of devices in healthcare organizations, about 70%, will be running unsupported Windows operating systems by January 2020, according to a cybersecurity report from Forescout. Microsoft support for devices running Windows 7, Windows 2008 or Windows Mobile is planned to expire by Jan. 14, 2020.

Almost all of the healthcare organizations surveyed agree that a security solution should be an enabler of new business models, not just a cost, which suggests attitudes towards IoT security are changing for the better as IoT devices proliferate throughout the sector.

This article was written by Heather Landi and originally appeared in FireceHealthcare.