New York-based medical device cybersecurity provider CyberMDX announces the release of the Perspectives in Healthcare Security Report. The report, done in collaboration with Philips, examines attitudes, concerns, and impacts on medical device security as well as cybersecurity across large and midsize healthcare delivery organizations. Insights include how they correlate and diverge.
Healthcare is one of the most targeted industries. A recent report from the U.S. Department of Health and Human Services cited a total of 82 ransomware incidents worldwide so far this year, with 60% of them impacting the United States health sector. Recent headlines involving notorious gangs such as REvil or Conti add to the impact, with hospitals now accounting for 30% of all large data breaches at an estimated cost of $21 billion in 2020 alone.
“With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security,” says Azi Cohen, CEO of CyberMDX. “Hospitals have a lot at stake—from revenue loss; to reputational damage; to, most importantly, patient safety. Our new report provides a critical look into the current state of medical device security and will help raise awareness of key issues and disconnects healthcare organizations are facing with their cybersecurity.”
The study, conducted by global market research leader Ipsos, surveyed 130 hospital executives in information technology (IT) and information security (IS) roles, as well as HTM professionals. The respondents, who averaged 15 years of experience in their fields, provided insight into the current state of medical device security within hospitals and highlighted the challenges their organizations face.
Below are several key findings:
- Ransomware is attacking the bottom line: 48% of hospital executives reported either a forced or proactive shutdown in the last six months due to external attacks or queries.
- Midsize hospitals feeling more pain: Of respondents who experienced a shutdown due to external factors, large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour while midsize hospitals averaged nearly 10 hours at more than double the cost, or $45,700 per hour.
- Cybersecurity investment not a high priority: Despite continuing cyberattacks against healthcare and roughly half of respondents experiencing an externally motivated shutdown in the last six months, more than 60% of hospital IT teams have “other” spending priorities and less than 11% say cybersecurity is a high priority spend.
- Dangerous vulnerabilities persist: When asked about common vulnerabilities, such as BlueKeep, WannaCry and NotPetya, most respondents said their hospitals were unprotected. Moreover, 52% of respondents admitted their hospitals were not protected against the BlueKeep vulnerability, and that number increased to 64% for WannaCry and to 75% for NotPetya.
- Lack of automation creates gaps in security: 65% of IT teams in hospitals rely on manual methods for inventory calculations, with 7% still in full manual mode. In addition, 15% of respondents from midsize hospitals and 13% from large hospitals admitted that they have no way to determine the number of active or inactive devices within their networks.
- Is there a staffing disconnect? While two-thirds of IT teams believe they are adequately staffed for cybersecurity, more than half of biomed teams believe more staff is needed. Conversely, the industry has been experiencing a cybersecurity talent shortage and a 100-plus-day lag to fill jobs.
- Cyber-insurance and compliance are popular options: 58% of IT teams consider compliance “almost always” and rate it a high impact on their jobs. Similarly, 58% also said they had cyber insurance.
“No matter the size, hospitals need to know about their security vulnerabilities,” says Maarten Bodlaender, Philips’ head of cybersecurity services. “Proper cybersecurity begins with a clear understanding of the evolving landscape, and this survey is part of our ongoing efforts to provide insight into cybersecurity needs across healthcare organizations.”
The report is a continuation of the partnership between Philips and CyberMDX announced in November 2020 and represents their joint commitment to provide solutions to protect connected medical systems and devices.