Survey: 26 Percent of Healthcare Organizations Would Pay Ransom in a Cyber Attack | Healthcare Informatics Magazine | Health IT | Information Technology

November 15, 2017
by Heather Landi

The healthcare industry has become a prime target for cybercriminals, and as cybercriminals increasingly shift to a ransom model, healthcare organizations also have become a popular target for ransomware.

The growing cyber threat is weighing heavily on healthcare professionals, as hospitals and health system leaders prepare for how they would respond to a ransomware attack. A survey of 300 healthcare IT professionals in the U.K. and the U.S. found that 26 percent reported that their organization would be willing to pay a ransom in the event of a cyber attack. Of these, 85 percent of UK healthcare IT professionals and 68 percent of U.S. healthcare IT professionals have a plan in place for this situation.

Conversely, one third of healthcare IT professionals do not know whether their organizations would be willing to pay a ransom in the event of a cyber attack.

IT security company Infoblox commissioned the survey among 305 healthcare IT professionals in the UK and US (152 and 153 respectively in each region) to gain a better understanding of whether the healthcare industry is adequately prepared to combat evolving cyber threats.

A report about the survey, titled “Cybersecurity in healthcare: The diagnosis,” details how the survey found that nearly a quarter (23 percent) of UK healthcare IT professionals say they are not confident in their organization's ability to respond to a cyber attack. Confidence is much higher among US healthcare IT professionals, with just 12 percent lacking confidence in their organization’s ability to respond to a cyber attack.

A significant security concern, as highlighted by the recent WannaCry ransomware attack, is ensuring that all the different operating systems upon which these run are secure and updated. One in five healthcare IT professionals reported that Windows XP, which has been unsupported since April 2014, is running on their network.

At the same time, the number of connected devices on healthcare organizations' networks is exploding, with 37 percent of the large healthcare organizations surveyed indicating that they are managing over 5,000 devices on their network. According to the survey, 18 percent indicated that connected medical devices on their network are running on the unsupported operating system, leaving organizations open to exploitation through security flaws in these unpatched devices. Also, 15 percent of UK healthcare IT professionals and 11 percent of US healthcare IT professionals don’t believe that their current security policy for newly connected devices is effective. This could suggest that hospitals and health centers are rapidly adopting new connected devices without due care and attention towards security policies.

Patching outdated operating systems is impossible for the 7 percent of IT professionals responding that they don't know what operating systems their medical devices are running on. Even when the operating system these devices run on is known, a quarter (26 percent) of large organizations either can't or don't know if they can update these systems.

However, those that can patch these systems are quite effective in doing so, with 57 percent of healthcare IT professionals patching systems at least once a week.

One positive trend indicated by the survey results is that 85 percent of healthcare IT professionals reported that their organization has increased cybersecurity spending in the past year, with 12 percent of organizations increasing spending by over 50 percent. Traditional security solutions are the most popular, with anti-virus software and firewalls the solutions most invested in over the past year, at 61 percent and 57 percent respectively.

What’s more, half of organizations have invested in network monitoring to identify malicious activity on the network; one third have invested in DNS security solutions, which can actively disrupt Distributed Denial of Service (DDoS) attacks and data exfiltration; and 37 percent have invested in application security to secure web applications, operating systems and software.

Encryption is being deployed more regularly in the US than in the UK, with half of US healthcare IT professionals reporting that their company invests in encryption software, compared to 36 percent of those in the UK. Similarly, roughly one third of healthcare IT professionals indicated that their company is investing in employee education, email security solutions and threat intelligence (35 percent, 33 percent and 30 percent respectively), with just one in five healthcare organizations investing in biometrics solutions.

With the increasing number of attacks on healthcare organizations, it’s essential that CIOs and IT leaders strategically plan their cybersecurity defenses to protect both patient and employee data, and against disruption to services.

The report authors make a number of recommendations:

  • Understanding what devices are on your network and what operating systems those devices are running on is essential to ensure that vulnerable endpoints are patched and not leaving healthcare organizations exposed.
  • Network monitoring can notify IT professionals in real time of any anomalous behavior on the network that may be an indicator of malicious activity.
  • Healthcare IT professionals must introduce a plan to update operating systems to supported versions. This may cause short-term issues in the running of certain software and/or devices, but it is better to manage that anticipated inconvenience than to wait until it is maliciously exploited, as this will ultimately result in a far greater cost to the organization, either through significant disruption of services or the loss of sensitive data.
  • Organizations need a plan of action to deal with a ransomware attack, whether they wish to pay or not.
  • Healthcare organizations need to employ strategic cyber spending. CIOs and IT managers need to plan their cyber defenses to protect against evolving threats, such as through DNS security and threat intelligence.

 
