
Almost 80% of healthcare organizations experienced cyber incidents in the past year

More than 60% of respondents reported a moderate or substantial impact on care delivery, while 26% paid ransoms.

Jeff Lagasse, Editor

Photo: Al David Sacks/Getty Images

More than three quarters (78%) of respondents to a new Claroty survey experienced at least one cybersecurity incident over the last year. The incidents affected a broad range of asset types, including IT systems, sensitive data, medical devices and building management systems.

Alarmingly, more than 60% of respondents reported a moderate or substantial impact on care delivery, and another 15% reported a severe impact that compromised patient health or safety. The financial ramifications mainly fell in the $100,000–$1,000,000 range, with 26% paying ransoms.

According to the report, one of the contributing factors to this trend is the Extended Internet of Things (XIoT), a holistic umbrella term that encompasses all cyber-physical devices connected to the internet – including connected medical devices, or the Internet of Medical Things (IoMT).

Despite some benefits, the XIoT's escalating cyber-physical connectivity has brought a number of cybersecurity challenges by expanding the attack surface. Threat actors are not only targeting IT systems, the report claimed, but have now set their sights on cyber-physical systems (CPS) – from IoMT devices to building management systems (BMS) such as elevators and HVAC systems – which are considered critical to maintain a safe environment for patient care.

Also, the impact of an incident involving healthcare IoT is not just financial: Downtime or disruptions to any of these devices or systems can negatively impact patient outcomes and, in the worst-case scenario, cause patient harm or death, the report found.

WHAT'S THE IMPACT

Among the survey's findings are that a majority (78%) of organizations have clear medical device security leadership in place, with the responsibility most often centralized under IT security. The strategies and technologies organizations use as part of their cybersecurity program span key solution categories, but adoption rates on a global basis are well below 50%.

Organizations are expanding their security budgets in response. On a global basis, 51% of respondents reported an increase in their security budgets. Of their priorities, patching vulnerabilities in medical devices tops the list of gaps to be filled, followed by asset inventory management and segmentation of medical devices.

Globally, respondents found the NIST and HITRUST Cybersecurity Frameworks to be the most important to their organizations. Regulatory developments, such as mandatory incident reporting, are cited as the most important external factor that influenced organizations' overall cybersecurity strategy.

Meanwhile, more than 70% of organizations are looking to hire – but 80% of those say finding qualified candidates is difficult.

Respondents pointed to optimizing device utilization as the biggest opportunity to trim costs.

THE LARGER TREND

The numbers may be dispiriting. But with strong security leadership in place, well-rounded security programs implemented, and adherence to guidelines and frameworks from regulatory bodies, healthcare organizations are on the right track to ensuring cyber and operational resilience, the report found.

Recognizing there is more work to be done, they are also prioritizing investments in people, processes and technologies to build further resilience, and ensure compliance while delivering uninterrupted care.