60 percent of healthcare industry cyber incidents impact patient care

A new survey from Claroty of 1,100 cybersecurity, engineering, IT, and networking professionals from healthcare organizations finds 78 percent of respondents experienced a minimum of one cybersecurity incident over the last year.

Perhaps more concerning is that 60 percent of those incidents had a moderate or substantial impact on patient care and 15 percent had a serious impact that compromised patient health and/or safety.

In addition 47 percent cite at least one incident that affected cyber-physical systems such as medical devices and building management systems, and 30 percent say that sensitive data like protected health information (PHI) was affected.

Of the respondents that were victims of ransomware attacks, more than a quarter say they made ransom payments. Also more than a third of those experiencing incidents in the past year incurred costs from the attack of more than $1 million.

Part of the problem is a lack of visibility into a proliferating range of IoT devices, says Ty Greenhalgh, healthcare industry principal at Claroty. "The IoT and the medical devices all speak in proprietary communication protocols, so security software can't read the protocols to do a passive scan -- like go to get the packets of information and see what the devices are -- because they don't speak the communication language. And then they can't do vulnerability management or endpoint detection, so you end up with all these devices, you don't know what they are, in a lot of cases you don't they know where they are, really all you're seeing is a network interface. You then have the problem of how do you manage that? How do you know what radiology systems need to talk to? So if you're going to get network segmentation, what are you going to lock in? What are you going to lock out?"

The findings show that regulation is lacking too, nearly 30 percent of respondents say current government policies and regulations require improvement or do nothing to prevent threats. The NIST (38 percent) and HITRUST Cybersecurity Frameworks (38 percent) were selected by the most respondents as important to their organizations. 44 percent name regulatory developments such as mandated incident reporting as the most influential external factor to an organization's overall security strategy.

The skills shortage is also a factor, more than 70 percent of healthcare organizations say they are looking to hire in cybersecurity roles and 80 percent of those hiring say it's difficult to find qualified candidates.

The full report is available from the Claroty site.

Image credit: PeopleImages.com/depositphotos.com