Lack of well-defined responsibilities affects IoMT

Alarming rates of cyberattacks on healthcare companies worldwide have been in the news recently. It is true that other industries have also been the target of large scale intrusions, particularly those in critical infrastructure. However, in the case of hospitals and clinics, any security breach can lead to fatalities and not only financial losses.

It is not unknown that this is also an industry that has low levels of protection for systems, networks and, more recently, for Internet of Things (IoT) and Internet of Medical Things (IoMT) devices. A report jointly prepared by the Ponemon Institute and Cynerio, based on data provided by 517 healthcare experts in leadership roles in hospitals and health systems in the United States, presented in number the most common risks faced by healthcare facilities and their professionals.

More than half of the organizations surveyed (56%) had experienced one or more cyberattacks in the past 24 months involving IoMT/IoT devices, with an average of 12.5 attacks in the period. Because of the intrusions, 45% of respondents reported adverse impacts on patient care, and 53% of that group (24% overall) reported impacts that resulted in increased mortality rates.

As bad things can also get worse, another fact identified in the study is that attackers often run long-term operations with repeated attacks. Of the 56% of respondents cited above who suffered at least one cyberattack in the past 24 months, 82% were the victims of an average of four or more attacks in the period. In particular, ransomware attacks had nearly similar rates, with 43% of respondents having experienced one attack and 76% of that set having experienced an average of three or more.

And speaking of ransomware, hospitals are increasingly considering ransom payments as a viable option to speed data recovery – 47% of those who experienced this type of attack ended up paying the ransom, and 32% of ransoms paid were in the $250,000 to $500,000 range. Those who did not pay the ransom generally attributed their decisions to an effective backup strategy (53%) and company policy (49%).

Reselling patient data continues to have value, as cited by 43% of respondents who have experienced at least one data breach in the past 24 months. Of those, 65% experienced an average of 5 or more data breaches in the period, with IoT/IoMT devices involved 88% of the time. The average cost of the largest data breach involving this IoT/IoMT devices, including direct expenses and indirect costs and lost business opportunities, was estimated at $13 million for the organizations represented in the survey.

Main cause

One reason for insecurity comes from a lack of well-defined responsibilities. When respondents were asked which area is primarily responsible for ensuring the security of at-risk devices, no single function received more than 18% of the answers. Even the top answers varied widely, including everything from CIOs/CTOs (18%), operational leaders (14%), CISOs/CSOs (14%) and network leaders (11%).

When it comes to the level of security risks generated by IoT/IoMT devices, 71% of respondents rated it as high or very high, but only 21% reported being at a mature stage of cybersecurity proactivity. In about half of cases (46%), there is basic verification of devices, but two-thirds of respondents (67%) do not track the resulting report.

The good news is that budget holders have been fighting for more resources to protect their environments. Typical IT investments are estimated to average $145 million for the fiscal year, with 17% of that focused on security. Of the security spending, an average of 20% was directed at IoT/IoMT devices.

As is the case in industries other than healthcare, weaknesses such as staff shortages and lack of knowledge in the area of IoT/IoMT device security are exploited by attackers. Among the top threats to IoT and other connected devices that respondents expressed the most concern about, lack of visibility into IoT networks (45%), phishing (45%), zero-day attacks (41%) and ransomware (39%).