Healthcare organisations buckle under pressure of cyber attacks

02 Mar 16

The healthcare sector is slow to update technology and as such is woefully unprepared for an oncoming onslaught of cyber attacks, according to a recent report.

The ESET and Ponemon Institute report, 'The State of Cybersecurity in Healthcare Organisations in 2016', suggests healthcare agencies currently average about one cyber attack per month. Furthermore, almost half (48%) of respondents say their organisations have experienced an incident involving the loss or exposure of patient information during the last 12 months. Despite these incidents, only half indicated that their organisation has an incident response plan in place, the study shows.

"The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security," says Stephen Cobb, ESET senior security researcher.

"The healthcare sector needs to organise incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organisations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms.

"Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management," Cobb says.

Key findings of the survey are as follows:

Exploiting existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78% of respondents, the most common security incident is the exploitation of existing software vulnerabilities more than three months old.

On average, organisations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the last year. The primary consequences of APTs and zero-day attacks were IT downtime (cited by 63% of respondents) followed by the inability to provide services (46% of respondents), both of which create serious risks for patient treatment.

Hackers are most interested in stealing patient information. The most attractive and lucrative target for unauthorised access and abuse can be found in patients' medical records, according to 81% of respondents.

Healthcare organisations worry most about system failures. The study found 79% of respondents said that system failures are one of the top three threats facing their organisations. This is followed by cyber attackers (77%) and insecure medical devices (77%).

Technology poses a greater risk to patient information than employee negligence. The majority (52%) of respondents said legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things increase security vulnerabilities for patient information. Respondents also expressed concern about the impact of employee negligence (46%) and the ineffectiveness of HIPAA-mandated business associate agreements designed to ensure patient information security (45%).

DDoS attacks have cost organisations on average $1.32 million in the past 12 months. The survey showed 37% of respondents say their organisation experienced a DDoS attack that caused a disruption to operations and/or system downtime about every four months. These attacks cost an average of $1.32 million each, including lost productivity, reputation loss and brand damage, the study found.

Healthcare organisations need a healthy dose of investment in technologies. On average, healthcare organisations represented in this research spend $23 million annually on IT; 12% on average is allocated to information security. Since an average of $1.3 million is spent annually on DDoS attacks alone, a business case can be made to increase technology investments to reduce the frequency of successful attacks.

"Based on our field research, healthcare organisations are struggling to deal with a variety of threats, but they are pessimistic about their ability to mitigate risks, vulnerabilities and attacks," says Larry Ponemon, chairman and founder of the Ponemon Institute.

"As evidenced by the headline-grabbing data breaches over the past few years at large insurers and healthcare systems, hackers are finding the most lucrative information in patient medical records. As a result, there is more pressure than ever for healthcare organisations to refine their cybersecurity strategies," he says.
