Healthcare organizations “are in the crosshairs” of cyber attackers, suffering one hack per month over the last year, with about half experiencing an incident involving the loss or exposure of patient information and another third unsure whether or not data was exposed, according to a new report.
Conducted by the Ponemon Institute for security software company ESET, the report questioned 535 IT security practitioners from a variety of healthcare organizations, including private and public providers as well as government agencies, and found an industry beset by security breaches of all kinds.
“With cyber attacks against healthcare organizations growing increasingly frequent and complex, there is more pressure to refine cybersecurity strategies,” the report’s authors wrote.
“The State of Cybersecurity in Healthcare Organizations” also found that organizations struggle to deal with a variety of threats, including system failures (79 percent), unsecure medical devices (77 percent), cyberattackers (77 percent), employee-owned mobile devices or BYOD (76 percent), identity thieves (73 percent) and unsecure mobile devices (72 percent).
Despite citing unsecure medical devices as a top security threat, only 27 percent of respondents said their organization has guidelines for medical devices as part of its cybersecurity strategy.
The most common security incident cited was the exploitation of existing software vulnerabilities more than three months old, according to 78 percent of respondents. Web-borne malware attacks were named by 75 percent of respondents. Following next were exploits of existing software vulnerabilities less than three months old (70 percent), spear phishing (69 percent) and lost or stolen devices (61 percent), according to the study.
What’s more, participating organizations were only partly effective at preventing attacks.
Almost half (49 percent) said their organizations had experienced cyberattacks that evaded their intrusion prevention systems (IPS), and many respondents (27 percent) were unsure. Another 37 percent said their organizations had experienced cyberattacks that evaded their anti-virus (AV) solutions or traditional security controls, while 25 percent were unsure. Only 26 percent of respondents said their organizations have systems and controls in place to detect and stop advanced persistent threats (APTs), and 21 percent were unsure. On average, over a 12-month period, organizations had an APT attack about every three months (3.46 APT-related incidents in one year), the survey said.
As for the consequences of these breaches, 63 percent of respondents said the primary consequence of APTs and zero-day attacks was IT downtime, followed by the inability to provide services (46 percent), while 44 percent said these incidents resulted in the theft of personal information.
In addition, DDoS attacks have cost organizations on average $1.32 million in the past 12 months, the survey said.
Healthcare organizations in the report spend an average of $23 million on IT and approximately 12 percent is allocated to information security.
“Since an average of $1.3 million is spent annually just to deal with DDoS attacks, the business case can be made to increase technology investments to reduce the frequency of successful attacks,” the report said.