Healthcare organizations at risk: The attack surface is expanding
Armis released data showing the increased security risk faced by healthcare organizations and patients as an increase in connected devices creates an expanded attack surface, putting the patient journey at risk.
The survey, in conjunction with Censuswide, looked at perspectives of over 2,000 potential patients in various industries and 400 IT professionals working in healthcare organizations from across the United States.
The pitfalls of an expanded attack surface for healthcare organizations
- Increased cyber risk: 85% of IT professional respondents agreed they have seen increased cyber risk over the past 12 months.
- Ransomware on the rise: Ransomware alone has hit organizations hard, with 58% of IT pros in healthcare stating that their organization has been hit with ransomware.
- Potential patients are not paying attention: The data also shows that while patients are concerned about security and acknowledge the impact that an attack could have on their care, there is a shocking unawareness about recent cyberattacks. Despite major media headlines ranging from vulnerabilities in pneumatic tubes and technologies used in HVAC systems to vulnerabilities in two types of B. Braun infusion pumps and REvil attacks on healthcare organizations, 61% of potential patients stated they had not heard of any cyberattacks in the healthcare industry in the past 24 months.
- Breaches guide potential patient decisions: This lack of awareness is striking, given 49% of potential patients said that they would change hospitals if their healthcare organization was hit by a ransomware attack.
From the moment a patient schedules their appointment online, to the time they walk into the doctor’s office or hospital and to the time they spend in the hospital room itself, the patient journey is vulnerable.
There are 430 million connected medical devices already in deployment worldwide, with the number continuing to rise, creating an expanded attack surface. According to the survey, 33 percent of potential patients stated that they have been the victim of a healthcare cybersecurity attack.
But the survey also shows a disconnect between the concerns of patients and the concerns of IT professionals working in healthcare.
Additional findings
- IT pros are most concerned about data breaches: Data breaches resulting in loss of confidential patient information were a top concern for healthcare IT pros (52%), followed by attacks on hospital operations (23%), and ransomware attacks (13%).
- Critical infrastructure attacks were seen as the riskiest: Security risks in a hospital’s infrastructure topped the list of the biggest risks (49%), followed by the risk of inputting information into an online portal (31%) and staying in a hospital room with connected devices (17%).
- Building systems were seen as the riskiest devices: Healthcare IT professionals said building systems such as HVAC, electrical, etc. (54%), imaging machines (43%), medication dispensing equipment (40%), kiosks for check-in (39%), and vital sign monitoring equipment (33%) were the riskiest devices.
- Potential patients concerned about impact of security on quality of care: 73% of potential patients surveyed recognize that an attack could impact their quality of care. Privacy issues associated with online portals (37%) topped the list of concerns for potential patients, and 52% said they were worried about an attack shutting down hospital operations and potentially affecting patient care.
- Potential patients trust their best friend more than their healthcare provider: 66% of potential patients believe their healthcare provider is doing enough to protect their personal information. In fact, 30% of U.S. patients trust their best friends more with their sensitive healthcare information than they do healthcare organizations (23%).
- Healthcare organizations are taking steps toward a more secure environment: 86% of respondents stated that their organization has a CISO, and 95% of IT healthcare professionals believe their organization’s connected devices are up-to-date with the latest software.
- Recent attacks are a catalyst for change: 75% of IT healthcare professionals agree that recent attacks have had a strong influence on decision-making at their health organization.
- Organizations are putting their money where their mouth is: 52% of IT healthcare professionals believe their healthcare organization is allocating more than sufficient funds to secure its IT systems.
- But there is still a long way to go: 63% of IT healthcare professionals said that their organization has had to submit a cyber insurance claim.
Despite the strides the industry has made, there is still a long way to go when it comes to securing the patient journey. 63% of IT healthcare professionals said that their organization has had to submit a cyber insurance claim, and that number is expected to rise along with the expanding attack surface.
“Continuous visibility, context and alignment of security analytics to enterprise risk is the beacon to which we need to move to improve how we view device and asset management,” said Oscar Miranda, CTO for Healthcare at Armis.
“It is critical for healthcare organizations to take the entire patient journey into consideration when thinking about security. A strong healthcare security strategy is multi-faceted and requires a holistic view.”