Cybersecurity not a priority in healthcare, despite surge in attacks

More than 60 percent of hospital IT teams say they have “other” spending priorities, new research indicates

Posted 16 August 2021 by Christine Horton

New research shows that healthcare IT teams aren’t focused on cybersecurity, despite a surge in attacks.

The Perspectives in Healthcare Security Report, by CyberMDX in collaboration with Philips, found that fewer than 11 percent of hospital IT teams say cybersecurity is a high-priority spend. This is despite roughly half of respondents experiencing an externally motivated shutdown in the last six months.

More than 60 percent of IT teams say they have “other” spending priorities.

When asked about common vulnerabilities such as BlueKeep, WannaCry and NotPetya, most respondents said their hospitals were unprotected. Fifty-two percent of respondents admitted their hospitals were not protected against the BlueKeep vulnerability, and that number increased to 64 percent for WannaCry and 75 percent for NotPetya.

“With new threat vectors emerging every day, healthcare organisations are facing an unprecedented level of challenges to their security,” said Azi Cohen, CEO of CyberMDX. “Hospitals have a lot at stake – from revenue loss to reputational damage, and most importantly patient safety.”

Healthcare is one of the most targeted industries for cyberattacks. A recent report from HHS cited a total of 82 ransomware incidents so far this year worldwide. Recent headlines from notorious gangs such as REvil or Conti add to the impact: hospitals now account for 30 percent of all large data breaches, at an estimated cost of $21 billion in 2020 alone.

The research found that 48 percent of hospital executives reported either a forced or proactive shutdown in the last six months as a result of external attacks or queries. Of the respondents who experienced a shutdown due to external factors, large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour, while midsize hospitals averaged nearly 10 hours at more than double the cost, or $45,700 per hour.

Sixty-five percent of IT teams in hospitals rely on manual methods for inventory calculations, with seven percent still in full manual mode. In addition, 15 percent of respondents from midsize hospitals and 13 percent from large hospitals admitted they have no way to determine the number of active or inactive devices within their networks.

“No matter the size, hospitals need to know about their security vulnerabilities,” said Maarten Bodlaender, head of cyber security services at Philips.

“Proper cybersecurity begins with a clear understanding of the evolving landscape, and this survey is part of our ongoing efforts to provide insight into cybersecurity needs across healthcare organizations.”