
Healthcare Devices under attack – study reports

A recent 2022 industry report by Cynerio and the Ponemon Institute, examining the current impact of cyberattacks on healthcare devices, reveals the following conclusions:

Cyberattacks Are Frequent with Notable Impact on Patient Care

The fallout of cyberattacks on healthcare is often measured fiscally, but this study uncovers a darker truth. 56% of respondents say their organizations experienced one or more cyberattacks in the past 24 months involving IoMT/IoT devices, with an average of 12.5 attacks over the same timeframe. 45% of these respondents report adverse impacts on patient care from these attacks, and 53% of those (24% in total) report adverse impacts resulting in increased mortality rates.

Repeat Attacks Are Commonplace and Inevitable

The anecdotal nature of cyberattack examples paints a picture of one-time attacks with poor outcomes. The truth is that attackers routinely perform long-term operations that uncover numerous avenues for repeated attacks. Of the previously noted 56% of respondents who experienced at least one cyberattack in the last 24 months, 82% of those experienced an average of 4 or more attacks in that timeframe. Ransomware attacks experienced roughly equivalent rates, with 43% of respondents having experienced an attack and 76% of those experiencing an average of three or more.

Ransomware Is a Vicious, Profitable Cycle Fueled by Frequent Hospital Payments

Ransomware attacks are crippling to all aspects of a hospital and often present a situation with only bad options. Hospitals are increasingly seeing ransom payments as a viable option for quick recovery with 47% of those experiencing an attack resulting in a ransom being paid. 32% of the ransoms paid fall in the range of $250k – $500k. Those that did not pay the ransom most frequently attributed their actions to an effective backup strategy (53%) and company policy (49%).

Cyberattacks Including Data Breaches Almost Always Involve IoT / IoMT Devices

Reselling patient data is still valuable, as demonstrated by the 43% of respondents who suffered at least one data breach in the prior 24 months. Of those, 65% suffered an average of 5 or more data breaches in that timeframe with IoT / IoMT devices being involved 88% of the time. Respondents were asked to estimate the total cost of the one largest data breach involving an IoMT/IoT device including direct cash outlays, direct expenditures, indirect labor costs, overhead costs and lost business opportunities. The average total cost of the largest data breach was estimated at $13 million for the organizations represented in this research.

Lacking Ownership and Accountability Delay IoT / IoMT Security

One reason for lagging security practices is clear – there is no widely accepted ownership. When asked who is primarily responsible for ensuring the security of these risky devices, not one role received more than 18% of responses. Even the top responses varied widely from CIO/CTO (18%) to Operations Leadership (14%), CISO/CSO (14%) and Network Leadership (11%). In an industry where leadership and guidance are often well defined, the lack of agreement on responsibility for IoT/IoMT devices requires significant improvement.

Perceived Risk in IoT / IoMT Devices Is High, but Proactive Security Actions Are Not

When asked to rate the level of security risk created by IoMT/IoT devices on a 1-10 scale (1 = low risk to 10 = high risk), 71% of respondents rated the risk as high or very high (7 or higher) but only 21% of respondents self-report a mature stage of proactive security actions. In about half of cases (46%) the most basic activity of scanning for devices is in place, but two-thirds of these respondents (67%) don’t track the resulting inventory.

On Average Hospitals Report Spending 3.4% of IT Budget ($5 Million Annually) to Secure Devices

Budget owners often struggle with allocating resources to secure their environments. This will be an ongoing challenge in the IoT/IoMT space for years to come, but initial practices are clarifying. The typical IT spend for respondents averages $145 million in the fiscal year and an average of 17% of that spend is focused on IT security. Of that security spend, an average of 20% was reported to go towards IoT/IoMT device security – an average of $5 million in the fiscal year. These numbers will likely vary widely, but provide an initial baseline for others to work from.

Healthcare Faces Widespread Attack Types

Staffing shortages lead not only to empty seats, but also to large gaps in knowledge. Attackers have taken advantage of the IoT / IoMT security knowledge gap by unleashing a wide array of attacks on healthcare environments. Respondents believe that a combined lack of knowledge and wide array of attacks are leading to a complicated threat landscape. Among the top threats to IoT and other connected devices that respondents expressed the most concern about were lack of visibility into IoT networks (45%), phishing (45%), zero-day attacks (41%), and ransomware attacks (39%).
