Cybersecurity in Healthcare Report Highlights Sorry State of Security

Infoblox has released a new cybersecurity in healthcare report which has revealed many healthcare organizations are leaving themselves wide open to attack and are making it far too easy for hackers to succeed.

The cybersecurity in healthcare report was commissioned to help determine whether the healthcare industry is prepared to deal with the increased threat of cyberattacks. Healthcare IT and security professionals from the United States and the United Kingdom were surveyed for the report.

The report highlighted the sorry state of cybersecurity in healthcare and revealed why cyberattacks so commonly succeed. Devices are left unprotected, outdated operating systems are still in use, many healthcare organizations have poor visibility into network activity, employees are not being trained to identify threats, and there is apathy about security in many organizations.

The Poor State of Cybersecurity in Healthcare

The use of mobile devices in hospitals has increased significantly in recent years. While the devices can help to improve efficiency, mobile devices can introduce considerable risks. 47% of the large healthcare organizations that were surveyed were using more than 5,000 devices on their networks. Securing so many devices and ensuring they are kept up to date and fully patched is a major challenge for healthcare IT and security professionals, but many organizations are unaware of all of the devices that are connecting to their networks.

Ransomware is a major issue for the healthcare industry. The scale of recent ransomware attacks has put many healthcare organizations on alert, and most hospitals are now in a much better position to deal with attacks when they occur. In the United Kingdom, 15% of respondents said they do not have a plan that could be implemented in the event of a ransomware attack. The lack of planning can result in far greater disruption when an attack occurs.

One in five respondents said devices were in use that were running on Windows XP, even though the operating system has been retired and has not been supported since April 2014. 22% said they were still using Windows 7, which had vulnerabilities that were exploited in the WannaCry attacks. Only 57% of organizations said they were patching their systems at least once a week.

18% of respondents said they had medical devices with unsupported operating systems. Infoblox drew attention to the fact that 7% of respondents did not know what operating system their medical devices were running, and of those who did, 26% of large organizations said they either do not know or do not care whether they can update those systems.

Those findings make it no surprise that attacks like WannaCry occurred and hit the healthcare industry in the UK so hard.

Cybersecurity Spending is Increasing, but Money is Not Being Spent Strategically

The report shows that healthcare organizations are responding to the elevated threat of cyberattacks by investing more heavily in security. 85% of healthcare organizations have increased cybersecurity spending in the past year, and 12% say they have increased spending by more than 50%.

The two technologies that are most commonly chosen are anti-virus solutions (61%) and firewalls (57%), with half of surveyed organizations also having invested in network monitoring technology to identify malicious network activity. Application security solutions are also a popular choice, chosen by 37% of organizations, while one third have invested in DNS security solutions to block data exfiltration and disrupt DDoS attacks.

In the United States, approximately half of healthcare professionals said they had started encrypting their data, compared to 36% in the UK. Healthcare organizations are now realizing the benefits of providing security awareness training to staff, although, worryingly, only 35% do. PhishMe reports that more than 90% of cyberattacks start with a phishing email, yet only 33% said they had invested in email security solutions. Signing up to threat intelligence services can help organizations be more proactive about cybersecurity, yet only 30% of respondents said they had signed up to receive threat intelligence reports.

Recommendations to Improve Cybersecurity in Healthcare

Based on the findings of the report, Infoblox made several recommendations for healthcare organizations to help them mitigate the threat of cyberattacks.

Those recommendations include planning to update operating systems to supported versions. The short-term issues that software updates create are far better than the widespread disruption caused by cyberattacks that exploit vulnerabilities on those outdated systems.

Organizations were advised to know their networks better – the operating systems in use, the devices that are allowed to connect to the network – and to monitor network activity so that intrusions can be detected.

Organizations must plan for ransomware attacks to minimize disruption. 15% of healthcare organizations still do not have a plan in place to respond if ransomware is installed, even with the elevated threat of attacks on healthcare organizations.

IT security budgets may be increasing, but those budgets must be spent wisely. Investing more money in traditional defenses may not be the best use of budgets.

“Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated,” said Rob Bolton, Director of Western Europe at Infoblox. “It’s crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.