While the majority of healthcare IT and security professionals in the UK and US are confident in their organization’s ability to respond to a healthcare cyberattack, some are still not sure their entity can respond properly, according to a recent survey.
Twenty-three percent of UK healthcare IT professionals said they are not confident in their organization’s ability to respond to a cyberattack, reported Infoblox's Cybersecurity in Healthcare: The Diagnosis.
Furthermore, 26 percent of UK and US respondents said that their organization would pay a ransom demand. Of those, 85 percent in the UK said there was a plan in place for this situation, and 68 percent of US respondents said the same.
“The healthcare industry is facing major challenges that require it to modernize, reform and improve services to meet the needs of ever more complex, instantaneous patient demands,” Infoblox Western Europe Director Rob Bolton said in a statement. “Digital transformation presents a massive opportunity to support the doctors and nurses who work tirelessly – but these new technologies also introduce new cyber risk that must be mitigated.”
“The widespread disruption experienced by the NHS during the WannaCry outbreak demonstrated the severe impact to health services that can be caused by a cyberattack,” he continued. “It's crucial that healthcare IT professionals plan strategically about how they can manage risk within their organization and respond to active threats to ensure the security and safety of patients and their data.”
Nearly one-quarter of UK and US respondents said that Windows 7, which report authors noted was the operating system exploited in the WannaCry attack, was present at their organization. Twenty percent of respondents also stated that their network runs Windows XP, which has been unsupported since April 2014, researchers said.
“With the cyber threat landscape evolving dramatically fast, it is essential that IT and security professionals patch everything as soon as possible when new threats are discovered,” the report stated. “This poses a significant challenge and risk to those organizations still running outdated operating systems, including Windows XP, as the patches aren’t produced and so the devices cannot be updated to patch security flaws, leaving them open to attack.”
In terms of system updates though, 15 percent of the healthcare IT professionals said they can’t update systems or don’t know if they can update them. When an entity has more than 500 employees, that number increases to 26 percent, according to the report.
Healthcare IoT and connected device security is also a critical issue, the researchers pointed out. Approximately 20 percent of respondents said they had over 5,000 devices on their network. Even so, 15 percent of UK healthcare IT professionals and 11 percent of US respondents don’t believe that their current security policy for newly connected devices is effective.
“Security policies for IoT devices should assure the authentication layer of an IoT device, which is used to verify the identity information of that entity; its authorization controls manage the device's access across the network fabric, and ensure IT teams have complete visibility and control over the entire IoT ecosystem and its data,” the researchers wrote.
More organizations are increasing their cybersecurity spending in response to the ever-evolving threats. Eighty-five percent reported they are spending more on cybersecurity, with 12 percent of respondents stating their cybersecurity spending increased by over 50 percent.
Sixty percent of respondents said anti-virus software was their top cybersecurity investment, followed by firewalls (50 percent). Half of US healthcare IT professionals added that their company invests in encryption software, while 36 percent of UK respondents said the same.
Approximately one-third (37 percent) of US and UK respondents stated their organization invested in application security to secure web applications, operating systems, and software. Those surveyed also said their company is investing in employee education (35 percent), email security solutions (33 percent) and threat intelligence (30 percent).
“Across the UK and US, healthcare IT professionals are facing growing challenges in securing their networks and devices, with our research highlighting diverse issues ranging from vulnerabilities in medical devices to outdated operating systems and unenforceable security policies,” the research team explained. “However, cybersecurity investment is increasing across the board, providing the opportunity for great improvement if deployed effectively.”