Cybersecurity, Vulnerabilities Not Priorities for Most Hospitals

August 12, 2021 - Most hospital IT teams say that cybersecurity is not a high investment priority, despite a growing number of cyberattacks in the healthcare industry, according to a report conducted in by CyberMDX in partnership with Philips, emailed to HealthITSecurity.  

The partners surveyed health IT and information security (IS) executives, along with biomedical technicians and engineers with an average of 15 years of experience. Almost half of respondents reported being forced to shut down operations in the last six months due to a cyber threat.

Large hospitals reported having to shut down for an average of 6.2 hours at $21,500 per hour. But midsize hospitals were hit hardest, shutting down for an average of 10 hours at a rate of $45,700 per hour.

Despite the exorbitant costs and frequency of cyberattacks, only 11 percent of respondents said that cybersecurity is a high priority spend. Two out of three respondents said they did not track return on investment (ROI) for cybersecurity spending.

Annual IT budgets for midsized hospitals averaged $3.5 million, and large hospitals averaged $3.1 million. Annual medical device and IoT cybersecurity spending averaged $293,000 for midsized hospitals and $329,000 for large hospitals.

In addition, the report found that the industry as a whole is experiencing a cybersecurity talent shortage and is struggling to fill jobs within 100 days of posting new roles.

Two-thirds of health IT teams said that they were sufficiently staffed for cybersecurity, and just over half of biomedical teams said that more staffing is needed.

As employees are stretched thin, vulnerabilities continue to increase. Over half of respondents admitted that their hospitals were unprotected against the common Bluekeep vulnerability. Additionally, 64 percent of hospitals were unprotected against WannaCry, and 75 percent for NotPetya, some of the most common cybersecurity vulnerabilities.

Just under half of respondents said that their compliance budgets were insufficient, averaging annually $617,000. Compliance had a moderate to high impact on respondents’ roles on average. The 58 percent of respondents that reported compliance having a high impact said that they almost always test and search for medical devices that comply with cybersecurity standards.

Most respondents reported that they largely rely on manual operations to calculate medical device inventory. Additionally, respondents from 13 percent of large hospitals and 15 percent of midsized hospitals said that they have no reliable way to determine the number of active or inactive medical devices in their networks at any given time.

The report validated a multitude of other analyses that found that many hospitals are unprepared for cyberattacks. Unchecked cybersecurity vulnerabilities can result in financial losses, system-wide shutdowns, and even patient outcomes, all of which became reality for many hospital systems across the country this year.

Another recent report published by CynergisTek confirmed that “most hospitals critically lack the ability to secure their supply chain systems.”

Hospital systems are struggling to keep cybersecurity under control across the supply chain and have little insight into the cybersecurity practices of their third-party vendors.

In addition, the industry saw an uptick in healthcare data breaches during COVID-19. The continuing stress of COVID-19 leaves hospitals with little extra time and resources, creating a perfect storm for attackers.