An industry report by Ipsos and sponsored by CyberMDX and Philips said that healthcare is one of the most targeted industries in the cybersecurity space. The study polled 130 hospital executives in Information Technology (IT) and Information Security (IS) roles in addition to biomedical technicians and engineers. Those surveyed averaged 15 years of experience in their respective fields.
The report found healthcare organizations are at risk for cybersecurity attacks, though their budgets do not reflect it. In particular, the survey reported that hospitals comprise 30% of all large data breaches. In the six months prior to the report, 48% of hospitals surveyed had a shutdown related to an external hack or query in the last six months. Despite that high number, the report indicated that only 11% of hospitals listed cybersecurity as an area of high-priority requiring investment.
That could be penny wise and pound foolish, not to mention the added intangible cost of reputation risk.
The report found midsize hospitals were hurt the most financially by cybersecurity threats. Specifically, larger hospitals indicated an average of 6.2 hours per shutdown, with a cost of $21,500 per hour. In contrast, midsize hospitals’ shutdowns lasted closer to 10 hours and cost almost double, at $45,700 per hour, according to the report.
“Given the number and severity of cyber-attacks against hospitals over the past couple of years, it was surprising to see that only 11% had cybersecurity as a priority in their IT spend,” said Azi Cohen, CEO of CyberMDX in an email.
The report indicated common security vulnerabilities, including BlueKeep, WannaCry, and NotPetya Hospitals reported they did not have protection against the Bluekeep (48%), WannaCry (64%), or NotPetya (75%) vulnerabilities respectively.
A Deep-dive Into Specialty Pharma
A specialty drug is a class of prescription medications used to treat complex, chronic or rare medical conditions. Although this classification was originally intended to define the treatment of rare, also termed “orphan” diseases, affecting fewer than 200,000 people in the US, more recently, specialty drugs have emerged as the cornerstone of treatment for chronic and complex diseases such as cancer, autoimmune conditions, diabetes, hepatitis C, and HIV/AIDS.
The report attributed gaps in security to a lack of automation. Over 60% of the HDOs surveyed relied on manual methods for inventory of their devices and assets. Specifically, 65% of hospital IT teams reported using manual methods for inventory calculations. Of note, 7% of those in the report said they use a fully manual mode for inventory. Additionally, percentages of those from large and midsized hospitals, 15% and 17% respectively, reported not having a way to determine the number of inactive and active devices in their networks.
The manual inventory methods noted in the report raised concern as such methods prove time consuming and less accurate compared to AI-based tracking, according to Cohen. Further, if devices are missed in the manual inventory, they cannot be protected.
It’s not just a lack of technology that are leaving healthcare organizations vulnerable. Lack of proper staffing is also a concern.
According to the report, 2/3 of IT teams reported they had sufficient staffing for cybersecurity. However, almost half of biomed teams said they needed additional staff. To complicate matters, the report noted a cybersecurity talent shortage of 100+ days of lag to fill jobs.
The pandemic has proved to be a serious challenge for hospitals at a time of strains on revenue. But CyberMDX is hoping to provide some relief through one or a combination of its automation solution for hospitals and other healthcare organizations.
“Hospitals have very tough decisions when it comes to their budgets, especially is smaller organizations. Investing in cybersecurity means that perhaps they cannot buy another device for patient care,” said Azi Cohen, CEO of CyberMDX in an email. “The realization motivated us to create these new offers to ensure that any healthcare organization, regardless of size or budget, could start implementing at least basic cybersecurity into their clinical networks.”
Photo: Traitov, Getty Images
