Healthcare Orgs Struggle With IIoT, OT Security Project Implementation

July 12, 2022 - The healthcare sector is struggling with industrial internet of things (IIoT) and operational technology (OT) security project implementation, a report commissioned by Barracuda and conducted by Vanson Bourne found.

Researchers surveyed 800 senior IT managers, IT security managers, and project managers responsible for IIoT and OT in their organizations to get their input on security projects, implementation issues, and the current cyber threat landscape.

More than 60 percent of healthcare respondents reported being “fairly concerned” about the current threat landscape and geopolitical situation in terms of how it could impact their organizations, and 32 percent reported feeling “very concerned.”

“From web application attacks to distributed denial-of-service (DDoS) attacks and everything in between, global businesses are dealing with a wide range of potential cybersecurity risks,” the report stated.

“In addition, respondents are also concerned about the impact that the current threat landscape and geopolitical situation could have on their organizations. While that largely sits outside an organization’s control, it impacts them in some shape or form and is a concern.”

READ MORE: House Panel Probes Health Apps to Protect Reproductive Health Data Privacy

While safeguarding information technology (IT) systems is crucial to maintaining healthcare cybersecurity, OT and IIoT systems are also everywhere and must be similarly prioritized.

OT and IIoT security are becoming increasingly important as organizations begin to leverage cyber-physical systems that incorporate IT elements into OT devices and infrastructure. This incorporation can enhance efficiency, but increased interconnectedness also means that threat actors could use IT cyberattacks to gain access to OT systems.

“Understandably, concern is more prevalent in sectors likely to feel the effects of the current threat and geopolitical landscape,” the Barracuda report noted.

“Government respondents are the most likely to be very concerned. The overall level of concern, when looking at those who are both very and fairly concerned, is also high among other critical sectors, including oil and gas and healthcare. Critical sectors will be on high alert during periods of uncertainty, as any impacts could have wide-reaching implications.”

More than 40 percent of healthcare respondents said that their most significant security incident in the last 12 months had a “moderate impact,” which meant that “a large number of devices or several locations were impacted.”

READ MORE: FBI: North Korean Cyber Actors Using Maui Ransomware to Target Healthcare

For healthcare, any disruptions to critical systems could impact patient care by causing EHR downtime, ambulance diversions, and appointment cancellations.

On average, healthcare respondents said that their most significant security incident of the last 12 months impacted their organizations for 1.94 days.

“Experiencing a complete shutdown of all devices and locations for this length of time can have catastrophic implications for organizations, and it’s a situation that can be avoided by making relatively modest investments in security,” the report continued.

Despite these disruptions and the frequency of security incidents in the sector, only 17 percent of healthcare respondents reported completing some IIoT and OT security projects. However, nearly half of healthcare respondents said they were currently in the process of completing IIoT and OT security projects, and 25 percent said they would be starting a project in the next three months.

“In the current threat landscape, critical infrastructure is an attractive target for cybercriminals, but unfortunately IIoT/OT security projects often take a backseat to other security initiatives or fail due to cost or complexity, leaving organizations at risk,” Tim Jefferson, SVP, engineering for data, networks and application security at Barracuda, said in an accompanying press release.

READ MORE: CISA, FBI, FinCEN Warn of MedusaLocker Ransomware Cyber Risks

“Issues such as the lack of network segmentation and the shocking number of organizations that aren’t requiring multifactor authentication leave networks open to attack and require immediate attention.”

Survey results showed that organizations that had implemented technologies such as industrial protocol detection and enforcement, web application firewalls (WAF), anomaly detection, and advanced threat protection had successfully reduced the impact of adverse security events.

However, 93 percent of total surveyed organizations from all industries had failed an implementation project, largely due to issues with technology, timing, and costs. For healthcare, scalability and connectivity proved to be the biggest implementation challenges.

As new attack vectors surface, healthcare organizations will have to continually reassess their security architectures and account for new threats to IT, OT, and IIoT systems. The report indicated that many organizations have at least begun the process of enhancing security in these areas, signifying a step in the right direction.

“Fortunately, effective solutions to IIoT security challenges are available, including secure endpoint connectivity devices and ruggedized network firewalls, all centrally deployed and managed via a secure cloud service,” the report concluded.

“These solutions can enable effective network segmentation and advanced threat protection, provide multifactor authentication, and even implement Zero Trust Access. In addition, web application firewall services can be deployed to protect the infrastructure from web application and DDoS attacks.”