Despite the health care sector remaining a prime target for threat actors, many provider organizations don’t see cybersecurity investment as a priority and few name cyber as a high priority spend, according to a new report from CyberMDX in collaboration with Philips.
The Perspectives in Healthcare Security Report sheds light on the attitudes and impacts of cybersecurity and medical device security across large- and midsized health care delivery organizations based on surveys of 130 hospital IT and information security executives and BioMed technicians and engineers.
The findings show 48% of respondents faced an externally motivated shutdown in the last six months. However, 60% of hospital IT teams don’t prioritize cybersecurity and have other spending priorities. Fewer than 11% said cybersecurity was a high-priority spend within their organization.
Midsize hospitals face the greatest impact after a ransomware attack, reporting double the costs and downtime length as larger hospitals. While the large hospitals that reported shutting down after a cyberattack saw an average shutdown time of 6.2 hours at a cost of $21,500 per hour, midsize hospitals face nearly 10 hours of shutdown time at $47,700 per hour.
For a real-world comparison, the September 2020 ransomware attack that shut down 400 care sites of Universal Health Services cost $67 million in lost revenue and recovery costs. Scripps Health faced a similar incident and four-week downtime across just four hospitals in May 2021: its costs were $112.7 million.
Lack of automation
Despite the financial impact and the Department of Health and Human Services estimate of 82 global ransomware incidents this year, so far, with the majority impacting U.S. health care providers, there’s a serious disconnect between the reality of the threat landscape and how it’s viewed by leadership.
For one, vulnerabilities and a lack of automation are hindering security improvements in a number of organizations. The majority of respondents reported that their hospitals were unprotected from some of the most common vulnerabilities, like BlueKeep.
A staggering 65% of hospital IT teams said they rely on manual processes for inventory calculations. And 7% said their inventory is completely manual. In fact, 15% of respondents from midsize hospitals and 13% of large hospitals said they have no way to determine the number of active or inactive devices within their network.
Security researchers have repeatedly warned that it’s impossible to successfully accomplish inventories with manual processes and fail to account for thousands of devices in their networks.
“No matter the size, hospitals need to know about their security vulnerabilities,” said Maarten Bodlaender, head of cyber security services at Philips, in a statement. “Proper cybersecurity begins with a clear understanding of the evolving landscape, and this survey is part of our ongoing efforts to provide insight into cybersecurity needs across health care organizations.”
As Motti Sorani recently told SC Media, gaining visibility into device inventories is essential to understanding the concurrent cyber risk posture of an organization, and that includes a complete list of all connected assets. Not only do manual processes not work, traditional security tools can’t understand the “diverse language and protocols of the medical devices, and therefore can not identify the devices to create a complete inventory.”
“The inability to identify and understand medical protocols also prevents these traditional solutions from understanding ‘normal’ behavior in the network and so distinguishing between benign behavior and potential danger becomes an issue,” said Sorani.
Secondly, the report showed that the annual IT spend for midsize entities is $3.5 million and larger organizations reported spending $3.1 million. When compared with the medical device security and IoT cybersecurity spend of $293,000 for midsize and $329,000 for larger organizations, there’s a clear disparity.
Further, the report shows two-thirds of respondents don’t track for return on investment, which stakeholders have previously stressed is a key element for obtaining increased cybersecurity budgets from the board.
For those that do track ROI, the metrics primarily track logging of major, averted events, the amount of time saved, and the total critical vulnerabilities found by the team.
“With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security,” Azi Cohen, CyberMDX CEO, said in a statement. “Hospitals have a lot at stake — from revenue loss, to reputational damage, and most importantly patient safety.”