3/27/2018
12:05 PM
Simon Marshall

Healthcare Industry Underprepared for Cyber Attacks Report

A study from Merlin International finds that healthcare facilities and businesses are underprepared for cyber attacks, and that patient data remains at risk.

In a year when hospitals, clinics and outpatient facilities face an increase in threats and attacks, only half of them have an incident response program in place, according to new figures. Each attack costs an average of $4 million, placing security expense versus potential vulnerability loss under scrutiny.

A new report shows that such an apparent lack of preparedness for cybersecurity disruption and damage leaves healthcare professionals, their patients, extensive private data and IT infrastructures at risk with no clear resolution pathway.

"Hackers have more opportunities and incentive than ever to target healthcare data, and the problem will only increase over time," said Brian Wells, director of healthcare strategy at Merlin International, a systems integration and services supplier to the US government, and author of the report: 2018 Impact of Cyber Insecurity on Healthcare Organizations.

The report was conducted by the Ponemon Institute, and is based on interviews with 627 healthcare executives.

The medical and healthcare industry accounted for almost a quarter of all breaches in 2017, second only to the business sector, showing how much pressure these facilities are coming under.

Healthcare is underprepared
The US healthcare system is expecting an increase in challenges this year, with attacks focused on medical devices, patient records, billing information and clinical trial information, among other targets. Reports of attacks aimed directly at patient medical support systems in life-or-death situations are sparse, but have anecdotally started appearing. (See IoT Use Complicates Security Landscape in Healthcare.)

Merlin survey respondents seemed oblivious to the threat of attack and impairment of medical devices, many of which are directly attached to patients. The report found that 65% either weren't sure or knew that they didn't have medical devices secured.

Almost a third of them don't have plans to include securing of such devices in the near future.

The majority of respondents have facilities with between 100 and 500 beds for patients and have up to 100,000 connected devices. About 60% of them experienced an attack in the last 12 months, with more than half of those resulting in a loss of patient data.

Interestingly, these professionals' concern about future attacks lies not only with external threats but, equally, with employee negligence and malicious insiders. These organizations see security danger on all sides, which challenges their security focus. About three-quarters of respondents said they worried about the loss of patient records; fortunately, it's here that defense seems best.

"The risk (to patient safety is) real but actual impacts are not widespread," Wells told Security Now. "The vast majority of hospitals are prepared for outages of their electronic medical record systems and while there may be delays or disruptions in care, the risk to patients is low."

Among the other worries in the survey, loss of patient billing information ranked second, followed by IT staff login credentials, other authentication credentials, and then clinical trial and research information.

Healthcare software under threat
Shortcomings in software patching were discovered, with exploitation of vulnerabilities older than 12 weeks representing about 70% of attacks, closely followed by web-borne malware, at 69%. Ransomware, accounting for about 40% of attacks, has recently hit hard, notably disrupting critical care systems, and incidents are expected to grow.

The ability to monitor, understand and fix cyber damage is a major issue, with 74% of facilities reporting too few staff available as their biggest headache. Over half reported a lack of staff training and awareness was undermining their security posture, and about 60% acknowledged they lack any cybersecurity experience. About half of them don't have a CSO.


Given these shortcomings, are there advantages to outsourcing security to others?

"Outsourcing is a challenge as there is little consistency across provider organizations with respect to the security toolsets in use," Wells said. "An outsourcer would need staff on hand that are familiar with a broad collection of tools and technologies … and that creates a business that cannot achieve the efficiencies that come from one common set of tools used across all customers."

The threats, the attacks, the losses and the need to defend on so many fronts are predictably hitting smaller organizations the hardest, and their recourse is limited. Independent facilities need the economies of scale of their larger cousins and the advantages of more up-to-date solutions, but there's a silver lining.

"One benefit of consolidation currently occurring in the healthcare provider industry is that smaller institutions are able to take advantage of advanced information technology tools and resources that exist at larger institutions," Wells said.

— Simon Marshall, Technology Journalist, special to Security Now
