Healthcare IT Security Budgets Aren't Keeping Pace With IoMT Threats
The impact of ransomware attacks on healthcare is as alarming as it is under-addressed.
These attacks on the United States healthcare system alone are causing an annual burden of nearly $21 billion, including well over $100 million in ransoms. While the financial costs help illustrate the scale of the problem, the true cost is the tragic reality of impacted patient care – including higher patient mortality rates.
For every headline related to cyberattacks, there are likely hundreds more that go unreported. Healthcare-related cyberattacks – including data breaches – almost always involve IoT/IoMT devices.
Hospitals have become easy targets for cyberattacks: they are battling a pandemic with exhausted staff, strained resources and limited cybersecurity expertise. Prioritizing an increased budget for IT departments will secure devices, protect valuable information and limit malicious attacks.
The insecurity of connected medical devices
In May 2022, CISA Senior Advisor Joshua Corman documented the rising risks during a Senate HELP Committee hearing. And now, in August 2022, Ivanti’s partner, Cynerio, has teamed with the Ponemon Institute to dive even deeper into the impact of insecure medical devices on hospitals and patients in their Insecurity of Connected Devices in Healthcare 2022 Report.
The report conducted a survey of over 500 hospitals on IoMT threats and security. The report shows:
- 43% of respondents experienced at least one ransomware attack.
- 88% of cyberattacks involve an IoMT device.
- The average data breach cost is well over $1 million.
- Tragically, 24% of attacks result in increased mortality rates.
The report also highlights that reselling patient data is still valuable, as demonstrated by the 43% of respondents who suffered at least one data breach in the prior 24 months.
Of those that suffered a data breach in the prior 24 months, 65% suffered an average of five or more data breaches in that timeframe, with IoT/IoMT devices involved 88% of the time.
Respondents were asked to estimate the total cost of the largest data breach they had experienced involving an IoMT/IoT device, including direct cash outlays, direct expenditures, indirect labor costs, overhead costs and lost business opportunities.
The cost, based on the respondents’ answers, was estimated at $13 million.
Cyberattacks are frequent with a notable impact on patient care
Fifty-six percent of respondents say their organizations experienced one or more cyberattacks involving IoMT/IoT devices in the past 24 months, with an average of 12.5 attacks over the same time frame.
Forty-five percent of these respondents report adverse impacts on patient care from these attacks, and 53% of those (24% in total) report adverse impacts resulting in increased mortality rates.
Ransomware is a vicious, profitable cycle fueled by frequent hospital payments
Hospital ransomware attacks are crippling to all aspects of a hospital and often present only negative options.
Hospitals are increasingly seeing ransom payments as a viable option for a quick recovery, with 47% choosing to pay.
Thirty-two percent of the ransoms paid fall between $250k and $500k. Those that did not pay the ransom most frequently attributed their decision to an effective backup strategy (53%) and company policy (49%).
Healthcare faces widespread attack types
Staffing shortages lead not only to empty seats but large gaps in knowledge. Attackers have taken advantage of the IoT/IoMT security knowledge gap by unleashing an array of attacks on healthcare environments.
Among the top threats to IoT and other connected devices, respondents expressed the most concern about:
- Lack of visibility into IoT networks at 45%.
- Phishing at 45%.
- Zero-day attacks at 41%.
- Ransomware attacks at 39%.
In September 2020, employees at a Fortune-500 owner of a nationwide network of hospitals reported widespread outages that resulted in delayed lab results, a fallback to pen and paper and patients being diverted to other hospitals.
And a worst-case scenario happened in 2019 at Springhill Medical Center in Alabama, where access to heart monitors disabled by a cyberattack allegedly kept staff from spotting blood and oxygen deprivation that led to a baby’s death.
Hospitals are not spending enough to secure devices
On average, hospitals report spending 3.4% of their IT budget ($5 million annually) to secure devices.
Budget owners often struggle with allocating resources to secure their environments. This will be an ongoing challenge in the IoT/IoMT space for years to come.
The typical IT budget for respondents averages $145 million in the fiscal year, and an average of 17% of that spend is focused on IT security.
Of that security spend, an average of 20% was reported to go towards IoT/IoMT device security – an average of $5 million in the fiscal year – not nearly enough given the potential consequences of a data breach or impact on patient safety.
These numbers will probably vary widely but provide an initial baseline for others to work from.
Perceived risk in IoT/IoMT devices is high, but proactive security actions and accountability are not
Seventy-one percent of respondents rated the security risks presented by IoT/IoMT devices as high or very high, while only 21% report a mature stage of proactive security actions.
Of the 46% who performed well-known and accepted procedures such as scanning for devices, only 33% of these respondents keep an inventory of the devices that were discovered.
A recommended course of action
All IoT/IoMT devices need to be secured and accounted for now, before it is too late.
These devices require industry-specific software based on NIST guidelines such as one that was recently implemented at a large hospital in the Midwestern US.
According to the report, responsibility for IoT/IoMT is distributed widely between different departments – leading to confusion and finger pointing when issues arise. Accountability for all IoT/IoMT devices needs to be consolidated within one department of the hospital, not spread across multiple departments as is currently the case.
Lastly, hospitals need to increase their average spend on securing IoT/IoMT devices to 5%-7% of their total IT budget at a minimum – up from the current 3%. This equates to $7.25M-$10.1M in spending, far less than the damages that come with increased mortality rates, ruined reputations and lost productivity.