Cyber threats could overwhelm the healthcare industry
Healthcare organizations average about one cyber attack per month and almost half say they have experienced an incident involving the loss or exposure of patient information during the last year, leaving patients at risk of identity theft.
According to 78 percent of respondents, the most common security incident is the exploitation of existing software vulnerabilities greater than three months old. Advanced persistent threats are a problem too, respondents experienced an APT attack about every three months during the last year. The primary consequences of APTs and zero-day attacks were IT downtime (63 percent) followed by the inability to provide services (46 percent). Yet despite these attacks only half of respondents say they have an incident response plan in place.
Attackers are most interested in patient's medical records according to 81 percent of respondents. Also a majority (52 percent) say that legacy systems and new technologies to support cloud and mobile implementations, big data and the Internet of Things, increase security vulnerabilities for patient information. Respondents also expressed concern about the impact of employee negligence (46 percent), and the ineffectiveness of business associate agreements mandated by HIPAA which are designed to ensure patient information security (45 percent).
"The concurrence of technology advances and delays in technology updates creates a perfect storm for healthcare IT security," says Stephen Cobb, senior security researcher at ESET. "The healthcare sector needs to organize incident response processes at the same level as cyber criminals to properly protect health data relative to current and future threat levels. A good start would be for all organizations to put incident response processes in place, including comprehensive backup and disaster recovery mechanisms. Beyond that, there is clearly a need for effective DDoS and malware protection, strong authentication, encryption and patch management".
More information is available in the full report which can be downloaded from the ESET website.