Healthcare is the most cyber-targeted industry, with a full third of all US data breaches happening in hospitals, and the problem is only getting worse. 15,085,302 individual medical records were breached globally in 2018 — representing a 3X increase over the year prior. In 2019, things are looking even bleaker, with that figure having more than doubled — reaching nearly 32 million breached records — in the first half of the year alone!
Despite this dire state of affairs and the ample attention given to it, it's exceedingly difficult to get a full view of the situation. This is because all the relevant data points and statistics are scattered across thousands of sources. Take in a few healthcare technology facts and figures here and there and you begin to get a notion of the whole; yet the picture remains extremely blurry, and the more data points you come across, the more the earlier ones fade from your line of sight.
Pulling all the most relevant data points into a single frame of reference helps to shift a bigger picture into focus and allows you to connect the dots to form a more complete understanding of where the industry stands, how your organization stacks up, and what changes are needed to accelerate progress.
It's with this in mind that CyberMDX undertook to compile the most complete compendium of health IT statistics within a single factbook. In addition to highly credible third-party sources, CyberMDX also included findings from its solutions in the field as well as a survey sent to healthcare executives, IT experts, and biomedical professionals.
Per the survey, conducted over the first half of 2019, cybersecurity concerns in the medical community continue to chiefly revolve around connected devices. This is evidenced in the breakdown of responses given to the question of the biggest healthcare cybersecurity challenge, reproduced below.
Outside of the general issue of “preventing cyber attacks,” respondents zeroed in on connected devices as a serious cause for concern, with 19% reporting difficulties profiling and segmenting device traffic as their largest issue, and another 17% citing device visibility as their main challenge.
With the average US hospital maintaining around 19,300 connected medical devices and clinical assets, properly managing those endpoints across their various security, lifecycle, and maintenance needs is both crucial and profoundly difficult.
Strong security begins with full visibility of your endpoints and, by extension, a well-charted map of your attack surface. While 51% of respondents said their organization tracked their networked devices, a very large percentage (25%) claimed they did not.
In addition to the 25% who responded that their hospitals did not keep a full accounting, another 13% admitted they were not confident in the accuracy of their device inventorying, and a further 11% said they weren't sure if their organizations maintained any sort of central asset database. That means that while half of the organizations claim a full accounting, the other half either did not, were not confident in the accounting, or were not sure.
Obviously, you can’t protect what you don’t know you possess — raising serious cause for concern. That concern is further substantiated by CyberMDX findings in the field, showing that hospitals, on average, have lost track of 30% of their networked medical devices!
Even more concerning is the notion that much of the problem boils down to a combination of inadequate and impotent efforts at redress.
When asked about device profiling, the largest group of respondents (34%) simply said they don’t monitor their assets, while the next largest group (21%) admitted to doing so manually.
Of course, when considering security, it's not just clinical assets that count, but also the devices we carry around in our pockets. Shockingly, more than 10 years deep into the era of the smartphone, over a third of healthcare organizations still lack any type of formal BYOD policy.
Known vulnerabilities are publicly disclosed by researchers, vendors, and supervisory agencies (ideally in coordination with one another). While this ensures relevant managers are informed of threats and provided with the necessary instructions for patching/mitigation, it also gives hackers a sort of playbook for low-hanging exploits, making it all the more important that once a vulnerability is published, healthcare organizations waste little time in covering their exposed flanks.
Unfortunately, that is not the reality.
While 21% said they monitor continuously for known vulnerabilities, 32% said they never monitor for these flaws, and a further 30% said they monitor on a yearly basis.
This lackadaisical approach accounts for the vast majority of most medical centers’ attack surface. For example, per CyberMDX field data, around 55% of imaging devices run deprecated or otherwise unpatched versions of Windows, ostensibly vulnerable to exploits such as BlueKeep or DejaBlue.
Another example can be found in the fact that there are still roughly 1 million computers vulnerable to WannaCry. This is several years after the ransomware hobbled the NHS for days and inflicted over $100 million worth of damages.
Planning for Progress
With the increasing threats to medical devices, hospitals and medical institutions need to become more organized and invested on an institutional level.
The first step toward that is putting a devoted professional on the task. While CIOs and Heads of IT have held this responsibility (in addition to their other tasks) in the past, security is now too large a task to be an add-on. Hospitals need a dedicated CISO to handle the unique challenges of securing hospital networks and devices.
Here too, the healthcare technology facts on the ground raise considerable cause for concern, with an equal number of medical centers having and lacking dedicated CISOs.
In this type of threat landscape, that’s just not enough. Hospitals similarly miss the mark when it comes to institutional investment in the form of staff training. The old adage “you’re only as strong as your weakest link” holds particularly true for cybersecurity, and with 40% of hospitals lacking cyber training programs, the basic building blocks of cybersecurity are too often absent.
While the factbook does an excellent job painting a clear picture of the healthcare industry in terms of connected technology management practices and pitfalls, it's not a very pretty picture. Cyber attacks in healthcare are more frequent and more costly than in any other industry, and they show no sign of abating. The issue can no longer be considered one of operational efficiency or future-proofing alone.
The problem is real and the problem is known, and yet somehow, paradoxically even, very little is being done to meet the challenge head on and with gusto. Perhaps with this factbook putting those issues in such clear focus, that will change. In the past, administrators have acknowledged the issue but related to it in mostly general and abstract terms. The hope is that with a strong backing in facts and data, the discussion can become more concrete and take a more scientific approach.
The goal is to not only better understand the issues, but to better quantify the issues, so that conscientious CIOs can benchmark their organizations' projects and KPIs against industry standards, their competitors, best practices, and their own past performances.
As evidenced by the recent study linking hospital cyber attacks and breaches to an uptick in patient fatalities, the cybersecurity of medical facilities speaks fundamentally to their ability to effectively and reliably deliver a high quality of care. And that’s precisely why conscientious executives need to have all the healthcare technology facts at their disposal as they plan their cyber journeys.