The healthcare industry has become a prime target for cybercriminals, and as attackers increasingly shift to a ransom model, healthcare organizations have become a popular target for ransomware in particular.
The growing cyber threat is weighing heavily on healthcare professionals, as hospital and health system leaders prepare for how they would respond to a ransomware attack. A survey of some 300 healthcare IT professionals in the UK and the US found that 26 percent reported that their organization would be willing to pay a ransom in the event of a cyber attack. Of these, 85 percent of UK healthcare IT professionals and 68 percent of US healthcare IT professionals have a plan in place for this situation.
Conversely, one third of healthcare IT professionals do not know whether their organizations would be willing to pay a ransom in the event of a cyber attack.
IT security company Infoblox commissioned the survey among 305 healthcare IT professionals in the UK and US (152 and 153 respectively in each region) to gain a better understanding of whether the healthcare industry is adequately prepared to combat evolving cyber threats.
The report on the survey, titled “Cybersecurity in healthcare: The diagnosis,” details how nearly a quarter (23 percent) of UK healthcare IT professionals say they are not confident in their organization's ability to respond to a cyber attack. Confidence is much higher among US healthcare IT professionals, with just 12 percent lacking confidence in their organization’s ability to respond to a cyberattack.
A significant security concern, as highlighted by the recent WannaCry ransomware attack, is ensuring that the operating systems on which connected and medical devices run are secure and updated. One in five healthcare IT professionals reported that Windows XP, which has been unsupported since April 2014, is still running on their network.
At the same time, the number of connected devices on healthcare organizations' networks is exploding, with 37 percent of the large healthcare organizations surveyed indicating that they are managing over 5,000 devices on their network. According to the survey, 18 percent indicated that connected medical devices on their network are running on an unsupported operating system, leaving organizations open to exploitation through security flaws in these unpatched devices. Also, 15 percent of UK healthcare IT professionals and 11 percent of US healthcare IT professionals don’t believe that their current security policy for newly connected devices is effective. This suggests that hospitals and health centers are rapidly adopting new connected devices without due care and attention towards security policies.
Patching outdated operating systems is impossible for the 7 percent of IT professionals responding that they don't know what operating systems their medical devices are running on. Even when the operating system these devices run on is known, a quarter (26 percent) of large organizations either can't or don't know if they can update these systems.
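The two gaps described above, devices whose operating system is not recorded at all and devices known to run an operating system the vendor no longer supports, are both visible from an asset inventory once the free-text OS strings are normalised. The following is an added example, not code from the Infoblox report: it takes constructed inventory rows of (hostname, raw OS string), maps them to canonical names with a small pattern table, and splits hosts into supported, unsupported and unknown against a reference date. The end-of-support dates are Microsoft's published ones; the hostnames, OS strings and pattern table are assumptions made for the example.

```python
"""Flag hosts in a device inventory that run end-of-support operating systems.

Added example, not code from the Infoblox report. It takes an asset
inventory of (hostname, raw OS string) rows, normalises the free-text OS
names that inventory tools produce, and splits hosts into supported,
unsupported (vendor support ended before the reference date) and
unknown (no OS recorded, or one the patterns do not recognise).
"""
import re
from datetime import date

# End of extended support as published by Microsoft.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
    "windows 7": date(2020, 1, 14),
    "windows 8.1": date(2023, 1, 10),
}

# Patterns for normalising free-text OS strings (assumed for the example).
# Order matters: specific product names are matched before generic ones.
OS_PATTERNS = [
    (re.compile(r"windows\s*xp", re.I), "windows xp"),
    (re.compile(r"windows\s*server\s*2003", re.I), "windows server 2003"),
    (re.compile(r"windows\s*server\s*2019", re.I), "windows server 2019"),
    (re.compile(r"windows\s*8\.1", re.I), "windows 8.1"),
    (re.compile(r"windows\s*7\b", re.I), "windows 7"),
    (re.compile(r"windows\s*10\b", re.I), "windows 10"),
    (re.compile(r"ubuntu|debian|red\s*hat|centos|linux", re.I), "linux"),
]


def normalize_os(raw):
    """Return the canonical OS name for a raw inventory string, or None."""
    if raw is None or not raw.strip():
        return None
    for pattern, name in OS_PATTERNS:
        if pattern.search(raw):
            return name
    return None


def classify_inventory(rows, today):
    """Split (hostname, raw_os) rows into supported / unsupported / unknown.

    `today` may be a date or an ISO 8601 string. Unsupported entries carry
    the end-of-support date so the length of the exposure window is visible.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    result = {"supported": [], "unsupported": [], "unknown": []}
    for host, raw in rows:
        name = normalize_os(raw)
        if name is None:
            result["unknown"].append(host)
            continue
        eos = END_OF_SUPPORT.get(name)
        if eos is not None and eos <= today:
            result["unsupported"].append((host, name, eos))
        else:
            result["supported"].append((host, name))
    return result


def exposure_summary(result):
    """Percentages in the same shape the survey reports them."""
    total = sum(len(v) for v in result.values())
    return {
        "unsupported_pct": round(100 * len(result["unsupported"]) / total, 1),
        "unknown_pct": round(100 * len(result["unknown"]) / total, 1),
    }


# Constructed sample inventory; hostnames and OS strings are made up.
SAMPLE_INVENTORY = [
    ("mri-console-01", "Microsoft Windows XP Professional SP3"),
    ("infusion-pump-07", ""),                 # agentless device, no OS recorded
    ("lab-analyser-02", "Windows 7 Embedded Standard"),
    ("ward-pc-114", "Windows 10 Enterprise 21H2"),
    ("pacs-srv-01", "Windows Server 2019 Standard"),
    ("nurse-station-03", "Ubuntu 22.04 LTS"),
    ("xray-ctrl-05", "Windows Server 2003 R2"),
    ("badge-reader-19", "VxWorks 6.9"),       # real OS, but no pattern for it
]


def run_sample(today="2024-01-01"):
    """Classify the sample inventory and return (result, summary)."""
    result = classify_inventory(SAMPLE_INVENTORY, today)
    return result, exposure_summary(result)


if __name__ == "__main__":
    result, summary = run_sample()
    for host, name, eos in result["unsupported"]:
        print(f"UNSUPPORTED {host}: {name} (support ended {eos})")
    for host in result["unknown"]:
        print(f"UNKNOWN     {host}: operating system not identified")
    print(summary)
```

The unknown bucket is the one to watch: a device with no recorded OS cannot be judged supported, so it should be treated as exposed until identified, not silently dropped from the count.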
However, those that can patch these systems do so frequently, with 57 percent of healthcare IT professionals patching systems at least once a week.
One positive trend indicated by the survey results is that 85 percent of healthcare IT professionals reported that their organization has increased cybersecurity spending in the past year, with 12 percent of organizations increasing spending by over 50 percent. Traditional security solutions are the most popular, with anti-virus software and firewalls the solutions most invested in over the past year, at 61 percent and 57 percent respectively.
What’s more, half of organizations have invested in network monitoring to identify malicious activity on the network; one third have invested in DNS security solutions, which can actively disrupt Distributed Denial of Service (DDoS) attacks and data exfiltration; and 37 percent have invested in application security to secure web applications, operating systems and software.
Encryption is being deployed more regularly in the US than UK, with half of US healthcare IT professionals reporting that their company invests in encryption software, compared to 36 percent of those in the UK. Similarly, roughly one third of healthcare IT professionals indicated that their company is investing in employee education, email security solutions and threat intelligence (35 percent, 33 percent and 30 percent respectively), with just one in five healthcare organizations investing in biometrics solutions.
With the increasing number of attacks on healthcare organizations, it’s essential that CIOs and IT leaders strategically plan their cybersecurity defenses to protect both patient and employee data, and against disruption to services.
The report authors make a number of recommendations:
- Understanding what devices are on your network and what operating systems those devices run is essential to ensuring that vulnerable endpoints are patched and are not leaving healthcare organizations exposed.
- Network monitoring can notify IT professionals in real time of any anomalous behavior on the network that may be an indicator of malicious activity.
- Healthcare IT professionals must introduce a plan to update operating systems to supported versions. This may cause short-term issues with the running of certain software and/or devices, but it is better to manage that anticipated inconvenience than to wait until the weakness is maliciously exploited, as that will ultimately cost the organization far more, either through significant disruption of services or the loss of sensitive data.
- Organizations need a plan of action to deal with a ransomware attack, whether they wish to pay or not.
- Healthcare organizations need to employ strategic cyber spending. CIOs and IT managers need to plan their cyber defenses to protect against evolving threats, such as through DNS security and threat intelligence.
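The report credits DNS security with disrupting data exfiltration and recommends network monitoring that flags anomalous behavior. One concrete form of that is spotting DNS tunnelling, where an attacker encodes stolen data into query names sent to a domain they control. The following is an added example, not code from the Infoblox report and not any vendor's detection logic: it runs a three-signal heuristic (many distinct subdomains per parent domain, long labels, high character entropy) over a constructed DNS query log. The log format, the hostnames, the thresholds and the two-label parent-domain split are all assumptions made for the example.

```python
"""Flag DNS-tunnelling style data exfiltration in a DNS query log.

Added example, not code from the Infoblox report; the log lines are
constructed. The heuristic: a client that sends many distinct, long,
high-entropy subdomains under one parent domain is most likely encoding
data in query names rather than resolving hosts. Each signal alone is
noisy (CDNs use many unique but short labels; a hash in a hostname is
high-entropy but rare), so all three must hold together to raise a finding.
"""
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of the string (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname):
    """Return (parent, subdomain) using the last two labels as the parent.

    Assumption: no public-suffix list, so 'co.uk'-style suffixes would be
    mis-split; adequate for the constructed sample.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    """Parse '<timestamp> <client_ip> <qtype> <qname>' (assumed log format)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname


def find_exfil_candidates(lines, min_queries=8, min_unique_ratio=0.9,
                          min_avg_len=24, min_avg_entropy=3.5):
    """Return (client, parent domain) pairs whose query pattern looks like exfiltration."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(),
                                 "len_sum": 0, "ent_sum": 0.0, "qtypes": set()})
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        parent, sub = split_domain(qname)
        st = stats[(client, parent)]
        st["queries"] += 1
        st["subs"].add(sub)
        st["len_sum"] += len(sub)
        st["ent_sum"] += shannon_entropy(sub.replace(".", ""))
        st["qtypes"].add(qtype)

    findings = []
    for (client, parent), st in stats.items():
        n = st["queries"]
        if n < min_queries:
            continue
        unique_ratio = len(st["subs"]) / n
        avg_len = st["len_sum"] / n
        avg_entropy = st["ent_sum"] / n
        if (unique_ratio >= min_unique_ratio and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy):
            findings.append({"client": client, "parent": parent, "queries": n,
                             "unique_ratio": unique_ratio, "avg_len": avg_len,
                             "avg_entropy": avg_entropy,
                             "qtypes": sorted(st["qtypes"])})
    return findings


# Constructed exfiltration payload chunks: each is a permutation of the 16 hex
# digits, so a doubled chunk has exactly 4.0 bits/char of entropy.
_CHUNKS = ["3f8a9c1e7b2d4605", "f8a9c1e7b2d46053", "8a9c1e7b2d46053f",
           "a9c1e7b2d46053f8", "9c1e7b2d46053f8a", "c1e7b2d46053f8a9",
           "1e7b2d46053f8a9c", "e7b2d46053f8a9c1"]

# Constructed sample log: "<timestamp> <client_ip> <qtype> <qname>".
SAMPLE_DNS_LOG = (
    # ordinary browsing: few distinct short names, queried repeatedly
    [f"2024-03-01T09:00:{i:02d} 10.20.30.40 A www.hospital-portal.example" for i in range(5)]
    + [f"2024-03-01T09:01:{i:02d} 10.20.30.40 A mail.hospital-portal.example" for i in range(3)]
    # CDN asset names: all unique, but short and low-entropy
    + [f"2024-03-01T09:02:{i:02d} 10.20.30.41 A img{i}.cdn-static.example" for i in range(8)]
    # exfiltration: every query carries a new 32-hex-char chunk of data
    + [f"2024-03-01T09:03:{i:02d} 10.20.30.77 TXT {c * 2}.tunnel-example.net"
       for i, c in enumerate(_CHUNKS)]
)


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_DNS_LOG):
        print(f"{f['client']} -> {f['parent']}: {f['queries']} queries, "
              f"{f['unique_ratio']:.2f} unique, avg len {f['avg_len']:.0f}, "
              f"avg entropy {f['avg_entropy']:.2f} bits, types {f['qtypes']}")
```

The thresholds are starting points, not tuned values: on a real resolver log they should be set from a baseline of the hospital's own traffic, and a finding should be cross-checked against the parent domain's age and reputation before the DNS security layer is told to block it.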