Healthcare Facilities Targeted by Cyberattacks at “Alarming Rates”

With cyberattacks against healthcare facilities becoming more frequent, authorities and security experts warn about the vulnerabilities of medical devices. When exploited, these vulnerabilities might result in increased mortality rates.

In their latest report, IT services company Cynerio and research organization the Ponemon Institute surveyed 517 healthcare experts in leadership positions at hospitals and healthcare systems throughout the US.

According to the report, cyberattacks against healthcare facilities have been increasing “at alarming rates.” More than half (56%) of respondents said their organizations experienced at least one cyberattack in the past 24 months involving IoMT/IoT devices. On average, they experienced 12.5 attacks during the period.

IoMT/IoT (Internet of Medical Things/Internet of Things) devices connect to healthcare IT systems via Wi-Fi. Healthcare organizations have an average of more than 26,000 network-connected devices, such as remote patient monitoring devices, infusion pumps, and hospital robots.

Seven out of ten respondents (71%) said they believe that “very high security risks” are created by IoT/IoMT devices, despite their substantial medical benefits.

Adverse impacts on patient care

Almost half (45%) of respondents in the Cynerio/Ponemon Institute survey reported “adverse impacts on patient care” from these attacks, such as inability to provide patient services, theft of patient records, or inappropriate therapy and treatment delivered to the patient.

Of those reporting adverse events, 53% (24% in total) said the impacts of these attacks resulted in increased mortality rates.

Recent warnings from federal agencies echo the report. Earlier in September, the Federal Bureau of Investigation (FBI) issued recommendations for healthcare facilities to address vulnerabilities posed by unpatched medical devices.

The US Food and Drug Administration (FDA) alerted patients using the MiniMed 600 Series Insulin Pump System, for example, the MiniMed 630G and MiniMed 670G, that unauthorized people might access the pump system and compromise the pump’s insulin delivery.

For some cyber threat actors, the motivation is money. Nearly half of respondents (43%) in the Cynerio/Ponemon Institute survey have experienced at least one ransomware attack, with 47% of those paying the ransom. One-third of the ransoms paid fell in the range of $250k - $500k.

Among those who did not pay the ransom, an effective backup strategy and company policy were the most common reasons for not paying.

“A low priority”

More than half (54%) of respondents said that senior management did not require assurances that IoT/IoMT device risk was being properly addressed. Meanwhile, two-thirds (67%) said they don’t believe devices in their organization are being patched in a timely manner.

Another report, from software company Proofpoint Inc. and the Ponemon Institute, is based on a survey of 641 healthcare IT and security practitioners. According to the report, 89% of the surveyed organizations experienced an average of 43 cyberattacks in the past 12 months.

The report says that even though more than 20% of affected healthcare organizations reported increased patient mortality rates due to cyberattacks, “cybersecurity is a low priority in the healthcare sector.”

However, the healthcare sector itself might see the situation differently. John Riggi, a national advisor for cybersecurity and risk at the American Hospital Association (AHA), questioned the claim about increased mortality as the report does not examine medical data.

According to Riggi, hospitals provide significant resources to support their cyber technical defenses, increase cybersecurity budgets, and train their staff, among other efforts to protect themselves from cyberattacks.

“Thus, to imply that all hospitals that become victims of a cyberattack are presumptively negligent in some manner, is simply inaccurate. It also fails to reflect the reality that no organization is completely immune from cyberattacks, regardless of the number of resources devoted to cybersecurity,” he wrote on the AHA blog.

A worldwide problem

Cyberattacks in the healthcare sector are not limited to the US. Sophos, the UK-based security software and hardware company, surveyed 5,600 IT professionals, including 381 healthcare respondents, across 31 countries. The survey found that 66% of healthcare organizations were hit by ransomware last year, up from 34% in 2020.

“This is a 94% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale,” the report says.

Despite being under constant cyber assault, healthcare seems to be doing better at protecting itself than some other sectors.

“In terms of data encryption rate, healthcare, with a 61% encryption rate, performed better than the global average of 65%, indicating that healthcare was better able to stop data encryption in a ransomware attack,” the report says.

Resources:

Cynerio. The Insecurity of Connected Devices in Healthcare 2022.

FBI. Private Industry Notification.

Proofpoint. New Ponemon Institute Study Finds that Cyberattacks Cause More Than Twenty Percent of Impacted Healthcare Organizations to Experience Increased Mortality Rates.

Proofpoint. Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care.

American Hospital Association. Proofpoint Press Release on Cybersecurity Survey does a Disservice to Health Care Providers.

Sophos. The State of Ransomware in Healthcare 2022.
