IoT/IoMT Cybersecurity in Healthcare: Risks, Impact on Patients, and the Need for Advanced Risk Management

The negative impact on patients after a data breach is more than identity theft and fraud. A recent report released by Cynerio and Ponemon revealed that 53% of healthcare providers surveyed said that they believe a single cyber attack increased mortality rates of their patients. Additionally, 26% of respondents indicated that cyber attacks created a dangerous hindrance on appropriate patient treatment and therapy. The report revealed several concerning trends in cyber attacks targeting the healthcare industry and a number of vulnerabilities on IoT (Internet of Things) and IoMT (Internet of Medical Things) devices.

Most healthcare providers know that IoT and IoMT devices increase the risk of a data breach, but these devices are a mainstay in the industry. Anything from personal patient devices to highly advanced medical equipment are connected to corporate networks, and many of them contain unknown vulnerabilities and insecurely transfer patient data using Wi-Fi and the cloud. Without the right security testing in place, hospitals and other healthcare providers are unaware of the vulnerabilities introduced to their environment, even if they are aware of the risks.

A majority of providers that do scan their IoT/IoMT devices say that they do not consider their cybersecurity activities fully effective, and they do not keep an inventory of the IoT/IoMT devices they scan. Without an inventory, shadow IT devices can be introduced into the organization's environment unnoticed. Shadow IT devices are unknown, and potentially attacker-controlled, hardware that could silently eavesdrop on and steal patient data; in many cases, they sit on the corporate network without administrators even knowing about them.
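The gap described above is easiest to see when scan results are reconciled against the asset inventory. The following is an added example, not code from the original post or from Access Point Consulting: it compares a constructed discovery-scan result with a constructed inventory and flags devices that are unknown, on an unexpected segment, or recorded but never observed.

```python
# Added example (not from the original post): reconcile a network scan against
# the device inventory so unknown (shadow) IoT/IoMT devices and devices sitting
# on the wrong segment are surfaced. All records below are constructed samples.
from collections import namedtuple

Asset = namedtuple("Asset", "owner device_class vlan")

# Constructed inventory: MAC address -> registered asset. Keys are kept in
# lower case so that scan data, whatever its case, matches reliably.
INVENTORY = {
    "00:1a:2b:00:00:01": Asset("Radiology", "infusion-pump", 20),
    "00:1a:2b:00:00:02": Asset("ICU", "patient-monitor", 20),
    "00:1a:2b:00:00:03": Asset("Facilities", "hvac-controller", 30),
}

# Constructed scan output: what a discovery scan observed on the network.
SCAN = [
    {"mac": "00:1A:2B:00:00:01", "ip": "10.20.0.11", "vlan": 20},
    {"mac": "00:1A:2B:00:00:02", "ip": "10.30.0.7", "vlan": 30},   # wrong VLAN
    {"mac": "AC:DE:48:12:34:56", "ip": "10.20.0.99", "vlan": 20},  # not in inventory
]


def reconcile(inventory, scan):
    """Return (kind, mac, detail) findings. Kinds:
    UNKNOWN_DEVICE   - observed on the network but not in the inventory
    SEGMENT_MISMATCH - inventoried device seen on an unexpected VLAN
    NOT_OBSERVED     - inventoried device absent from the scan (stale record
                       or offline device; either way the inventory is wrong)
    MAC addresses are easily spoofed, so treat a match as a first pass and
    corroborate it with 802.1X identity or device fingerprinting.
    """
    findings = []
    seen = set()
    for host in scan:
        mac = host["mac"].lower()
        seen.add(mac)
        asset = inventory.get(mac)
        if asset is None:
            findings.append(("UNKNOWN_DEVICE", mac, f"ip={host['ip']} vlan={host['vlan']}"))
        elif host["vlan"] != asset.vlan:
            findings.append(("SEGMENT_MISMATCH", mac, f"expected vlan {asset.vlan}, seen {host['vlan']}"))
    for mac, asset in inventory.items():
        if mac not in seen:
            findings.append(("NOT_OBSERVED", mac, f"{asset.owner} {asset.device_class}"))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in reconcile(INVENTORY, SCAN):
        print(f"{kind:17} {mac}  {detail}")
```

Run on real data, the scan input would come from the organization's discovery tooling and the inventory from its CMDB; the three finding kinds map directly to the inventory gaps the report describes.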

Vendors and Manufacturers of IoT/IoMT are Equally Responsible for Data Breaches

Most people would assume that the healthcare providers themselves are to blame for these data breaches, but they account for only about a third of the blame. According to the Cynerio report, 30% of data breaches are instead the responsibility of third-party vendors, while another 28% stem from manufacturer errors. Still, the majority of survey respondents blamed the C-suite executive responsible for overseeing IT security, namely the CIO/CTO.

A common response to these incidents is for executives to increase their security budgets, but increased spend does not always correlate with increased security. A higher budget does not necessarily reduce risks if the right auditing, monitoring, testing, and manufacturer vetting are not carried out. Most respondents claimed that they spent $25-$50M on their IT budgets with $5M dedicated specifically to IoT/IoMT security; regardless, security incidents continue to persist at a high rate.

Ransomware is Healthcare’s Biggest Threat

Ransomware has long been reported as healthcare’s biggest issue, but Cynerio’s report indicates that the issue has only continued to spiral out of control with ransomware incidents doubling as of 2021. Not only are ransomware attacks more common in healthcare, but 76% of respondents indicated that they experienced multiple attacks in a short period of time. These numbers reflect the persistence of cyber threat actors, trying several angles of attack until finally one works. In total, 47% of these organizations suffered from a successful ransomware attack with 32% of them deciding to pay the ransom. On average, ransom payments ranged from $250,000 to $500,000 per incident.

Common trends seen in recent ransomware attacks include phishing and additional extortion, where cyber criminals threaten to expose protected health information (PHI) to the public if a ransom is not paid. The goal is to intimidate a targeted victim into paying the ransom or risk further damaging their brand reputation and possibly suffer from additional litigation costs. In many cases, the extortion threats work, especially if the organization does not have the necessary backups and disaster recovery plan to respond effectively to the incident.

Financial Impact from Fines and Penalties

Exposure of PHI is just one pain point for healthcare organizations that suffer a cyber attack. Another is the compliance fines and penalties that accompany the reporting and investigation of a data breach. The 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA) carry hefty fines when cyber criminals successfully steal and expose patient records. On this point, the Cynerio report indicates that 88% of the reported data breaches targeted IoT and IoMT devices, showing that oversights in cybersecurity are costly to say the least.

Both HITECH and HIPAA violations result in financial penalties that vary with the severity of a data breach, meaning that the fines are determined by the number of patient records stolen. The smallest data breaches cost organizations a total of $1M-$5M, but larger data breaches are reported to cost up to $13 million. In total, 13% of respondents paid $25M-$50M in fines and other compromise-related costs.

Threat Intelligence and Third-Party Risk Management

Over half of the risks related to IoT/IoMT devices are from the manufacturers leaving vulnerabilities unremediated on their devices and third-party vendors introducing vulnerabilities of their own. These risks should be proactively managed using threat intelligence that monitors various dark corners of the web, as well as scanning IoT/IoMT devices for any vulnerabilities that could be the result of a manufacturer's security oversight. With IoT/IoMT being a primary target and often leaving healthcare companies vulnerable, it is important that cybersecurity and risk management be a primary focus when dealing with these devices.

Access Point Consulting's Supply Chain Risk Management services can help by providing an individual and aggregate risk profile for all vendors and third parties to help determine the efficacy of these vendors’ security programs and reduce the risk of compromise. As a leading cybersecurity provider, we are here to help healthcare organizations lower their risk of ransomware attacks, data breaches, and hefty non-compliance penalties.

To find out how we can help your team protect itself from IoT/IoMT-related threats, meet with a subject matter expert today.

Sources

¹ https://www.cynerio.com/insecurity-of-connected-devices-in-healthcare-2022?submissionGuid=af64acb1-eef1-4d57-a060-a9ec2d230a7e

Resources to Enhance Your Cyber Operations

Dangers of Unpatched Healthcare IoT and Network Systems

It’s not uncommon for large healthcare organizations to support patients via thousands of systems: servers, network hardware, and Internet of Things (IoT) devices particular to the medical practice. Healthcare organizations are primary targets for attackers and are required to follow strict regulations to stop data breaches. HIPAA violations are costly, and unpatched hardware leaves healthcare systems vulnerable to numerous threats including malware, ransomware, security bypasses, and possible remote code execution. Patching systems with the latest update is critical to data protection and risk management, and it keeps the company compliant with HIPAA guidelines.

Protecting Healthcare Legacy Systems with Micro-Segmentation

Segmentation in network environments is nothing new. It’s common for administrators to segment the network based on logical functions and security controls. For example, the finance department is one segment, and the sales department is another segment. All segments can send traffic to email servers (for example), but user traffic does not enter finance or sales segments unless the user is authorized to access them.

Operationalizing Cyber Resilience in Healthcare

The healthcare sector faced a staggering 156% increase in breached records in 2023. The concern goes beyond just alarming statistics: Breaches pose a direct risk to patient safety by disrupting essential healthcare services, including eligibility verification, prescription processing, and hospital discharge procedures.