03 Dec Cliff Notes to 5 Studies about the State of Cybersecurity in Healthcare
Cyberattacks on the healthcare industry have spiked. More than 90% of healthcare organizations have experienced a breach of some sort in the last five years. In 2019, data breaches will cost the healthcare community upwards of $4 billion.
Threats and attacks are clearly part of the challenge, but professionals in the space will note that culture plays a role too. Cybersecurity teams are competing for a budget in a culture that rightfully holds patient safety above all else – it can be challenging to make the case for security against that benchmark.
Since many of our customers serve the healthcare community, we’ve pored over several reports to help break down the state of affairs. Here are the cliff notes to five studies about healthcare security – along with links to the underlying sources for those interested in reading more.
1) Cyberattacks in healthcare soar in 2019
An analysis of detection data by Malwarebytes found a 60% increase in threats at endpoints across the healthcare community. That spike occurred in just the first nine months of 2019 as compared to the full year in 2018, according to a report titled Cybercrime Tactics and Techniques: the 2019 state of healthcare.
Even more worrisome, the report indicates the pace of growth has continued to surge. Malwarebytes says it has seen a 45% growth in endpoint detections from Q2 to Q3 of 2019. The top methods of attack the report identified were:
- exploited vulnerabilities in third-party software;
- “taking advantage of weak security postures due to staff negligence, user error and poor patching cadences”; and
- social engineering to deliver malicious files by email.
“[Healthcare] Budgets are diverted to research, patient care, and technology innovation while ignoring necessary staff training and solutions for endpoint and network security,” the report concludes. “Add to this the proliferation of electronic health records and IoT, and you have a prescription for cyber chaos.”
2) Most incidents attributed to BEC, human error and third parties
Nearly three quarters (74%) of respondents to the 2019 HIMSS Cybersecurity Survey said their organization had experienced a “significant security” incident in the past 12 months. Of the 166 respondents to the annual HIMSS survey, the vast majority attributed the initial point of compromise in those incidents to three sources – business email compromise or BEC (59%), human error (25%) and third parties (10%).
Security budgets in healthcare vary widely and cybersecurity is typically buried within the IT budget, according to the survey. About 45% of respondents said security spending ranges between 1% and 10% of the IT budget. Surprisingly, 26% indicated they are piecing together security spending as “there is no specific cybersecurity ‘carve out’ within the IT budget.”
On the bright side, it does appear that as an industry, healthcare is investing more in cybersecurity. “When asked specifically how their organizations’ cybersecurity budgets compared to the previous year, 72% of respondents indicated their budgets increased by 5% or more,” according to the survey.
3) Medical IoT-devices vulnerable
Every new device added to the network widens the surface area for potential attackers, and the healthcare community is experiencing this with IoT medical devices. A full 82% of healthcare companies suffered “IoT-focused cyberattacks in the past 12 months.”
That’s according to the Irdeto Global Connected Industries Cybersecurity Survey which was conducted by the market research firm Vanson Bourne. The survey polled 700 security decision-makers who manufacture IoT devices across the healthcare, transport and manufacturing markets. The report breaks out the results by each vertical.
Within the healthcare vertical, respondents put the financial impact of those attacks at an average of $346,205. However, the impact of attacks can extend beyond the costs that can be quantified – and include productivity, reputation and safety. When asked which impacts concerned them, the answers tallied up as follows:
- 39% said compromised customer data;
- 20% said compromised end-user safety;
- 12% said stolen intellectual property;
- 10% said operational downtime;
- 10% said brand or reputational damage; and
- 7% said the loss of customers.
Most respondents believed they could boost the security of IT devices their organization manufactured – 38% said they could improve it to a “great extent” and 61% to “some extent.” Just one out of every two IoT device manufacturers (52%) in healthcare said they “update the security of their devices for the device lifetime (beyond warranty).”
4) Payouts for identifying vulnerabilities in healthcare
Threat intelligence research shows stolen healthcare records can be worth 10 times more than a credit card on the black market. To get ahead of this, healthcare companies are paying an average of $1,088.16 to researchers who can help them identify vulnerabilities before adversaries use them to steal data.
That dollar figure was reported in a study by Bugcrowd called the State of Healthcare Cybersecurity. The company says it represents an 83% increase year-over-year. It’s worth pointing out the figure is just an average as healthcare companies are paying as much as $3,425 for vulnerabilities identified as high severity.
“The criticality scale for a vulnerability submission ranges from Priority 1 (P1) to Priority 5 (P5), 1 being the most critical, 5 being the least critical,” according to the report. “Across programs run by healthcare organizations, more than 12% of all submissions are classified by the organization as P1 submissions, the most critical vulnerabilities, and the majority of the vulnerability submissions fall in the P3 level of criticality, just over 42%.”
5) The effects of hospital breaches on patient outcomes
“Health data breaches have significant consequences for patients, providers, and payers and contribute to quality of care problems.” Importantly, it’s not just the breach, but the response to the breach that contributes. Those were the findings of a study by Health Services Research titled, Data breach remediation efforts and their implications for hospital quality.
The study merged data from 311 hospital breaches with “public data on hospital quality measures for 2012‐2016.” It found “breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes.”
The HIPAA Journal broke the key findings down this way:
“According to the study, the time it took from a patient arriving at the hospital to an electrocardiogram being performed increased by up to 2.7 minutes at hospitals that had experienced a data breach. A ransomware attack that prevents clinicians from accessing patient data will limit their ability to provide essential medical services to patients, so a delay in conducting tests and obtaining the results is to be expected.
However, the delays were found to continue for months and years after a cyberattack was experienced. The study showed that 3-4 years after a breach had occurred there were still delays in providing electrocardiograms to patients. The waiting time for electrocardiograms to patients was found to be up to 2 minutes longer than before the breach occurred.
Hospitals that experienced a data breach also saw an increase in the 30‐day acute myocardial infarction mortality rate. The mortality rate at breached hospitals increased by as much as 0.36%.”
The authors conclude hospitals should be cautious about remediation efforts put in place following a breach “to limit inadvertent delays and disruptions associated with new processes, procedures, and technologies.”
Convincing Leaders in Healthcare to do More
Given the rash of activity in healthcare, how can security professionals drive greater support for cybersecurity?
“The key is getting the business to understand the risks, and I don’t mean using fear tactics,” according to Steve Swansbrough, who has more than 20 years of experience in the field, in a previously published interview.
“What you have to do is present this in a risk mitigation and risk acceptance format. For example, you’ve got to demonstrate that you’ve done an assessment or penetration test on the network, and then list all the vulnerabilities you found. It’s very different when you show the business how an experienced hacker can gain access to the systems in five minutes and have root access to servers within 10.”
* * *
Note: Bricata has simplified the four critical capabilities healthcare organizations need for comprehensive network protection: visibility, threat detection, threat hunting, and post-detection actions. If you’d like to see our solution in action, you are welcome to schedule a live demonstration.