Cyberattacks increase in healthcare, but sector unprepared
Cyberattacks on healthcare organisations around the world are on the rise. Last year, the UK’s National Health Service (NHS) was targeted with almost 140k phishing emails, designed to lure the recipient into handing over confidential data. NHS Digital later announced that more than 100 inboxes had been compromised and were sending out malicious emails to contacts.
The impacts of cyberattacks can be devastating. In June 2020 a ransomware attack on a hospital in Colorado left five years’ worth of patient records inaccessible.
Unfortunately, despite the increase in these attacks, especially since the COVID-19 pandemic began, the healthcare sector isn’t prepared for them. A new survey by security software firm Irdeto found that 88% of US-based medtech leaders do not believe their organisation is prepared for a cyberattack.
The survey was carried out amongst senior-level corporate and product executives at Fortune 1000 medical device manufacturers, digital and mobile health companies and telehealth providers. They were asked about their existing cybersecurity policies and processes, their hopes and fears for connected health – from compromised health data to direct attacks on the patient – and potential solutions to the growing vulnerabilities, risks and threats. Among the key findings were:
- 80% have suffered at least one cyberattack in the past five years, including ransomware, malware, phishing, spoofing and DDoS, with customer databases, employee information and even R&D being targeted
- Only 18% believe the security built into their medical device products is strong, while 80% rate their organisation’s cybersecurity products as just adequate or not robust
- 80% of respondents believe that regulatory compliance is the biggest business benefit of implementing a strong cybersecurity strategy, yet only 28% rated themselves very aware/knowledgeable about forthcoming EU and US regulations, such as US FDA pre-market guidelines or EU Medical Device Regulation (MDR).
- Only 13% of IoMT leaders believe their business is very prepared to mitigate future risks, while 70% believe they are at best only somewhat prepared. The remaining 17% stated that their firm was not prepared at all.
Interestingly, 53% of IoMT leaders report handling cybersecurity in house, while the rest outsource all or part of their security strategy to partners. Keeping security in house does not appear to translate into confidence, however, given how few respondents rate their own products’ security as strong.
The study found that respondents were unanimously concerned about attackers’ ability to gain access to the environment in which their software runs. They ranked security misconfiguration and broken authorisation as the most significant vulnerabilities, followed by insecure network connections (including devices that automatically join guest wi-fi networks) and a lack of defences at the API layer, among other risks.
Irdeto’s report concludes that while cybersecurity threats are ‘skyrocketing’, vendors must stay aware of the issues arising from both emerging threats and new regulation, and use that awareness to demonstrate the value of their products to medical teams and their patients.
This applies to cybersecurity around the world. Speaking about the attacks on the NHS, Chris Ross, SVP International at Barracuda said: “With the global pandemic putting a huge strain on hardworking doctors, nurses, and clinical staff, it’s absolutely vital that email systems are properly protected from outsider threats, to block malicious emails before they reach the inbox.
“It is equally important for [hospital] Trusts to issue the necessary guidance about the risks associated with phishing attacks, so that staff are aware of the techniques used and can think twice before handing over important information to suspicious third parties.”
The full report from Irdeto can be read here