According to the “2017-2018 Global Application & Network Security Report” from Radware, the healthcare industry saw a rise in the likelihood of cyberattacks from 2016 to 2017 due to the healthcare industry’s low preparedness levels and valuable confidential data. The value of medical records in the dark market now exceeds the value of credit card information, according to the report.
Radware conducted a vendor-neutral survey of the security community and collected 605 responses from companies in various industries and of differing sizes across the world.
The proportion of companies reporting financially motivated cyberattacks has doubled over the past two years to 50%, according to the report. The number of companies that reported ransomware attacks, in which hackers use malware to encrypt data, systems, and networks until a ransom is paid, increased 40% from the 2016 survey.
Despite one in four (24%) businesses reporting cyberattacks daily or weekly, nearly 80% of surveyed organizations have not come up with a calculation for the cost of attacks, and one in three lack a cybersecurity emergency response plan, according to the report.
“This report confirms and elaborates on what publicized and costly attacks like WannaCry hinted at: the healthcare industry is not prepared to handle today’s cyberthreats, even as attacks targeting health organizations rise,” says Carl Herberger, vice president of security at Radware. “With the rise of mHealth, Internet-of-Things [IoT] technology, and patients demanding more mobile apps, there is an increased number of digital touchpoints which provide more avenues for cyberattacks. This report indicates gaps in cybersecurity and gives a guide on where organizations should focus their energy and resources.”
The report also found:
- When hit with a cyberattack, businesses are most concerned with their data. Respondents noted that data leakage was their top business concern, followed by reputation loss and service outages
- 51% of public cloud users rely on cloud providers’ security services and add them into the bundle even though these providers may not be security-focused companies
- One in six businesses suffered a Distributed Denial-of-Service (DDoS) attack by an IoT botnet
- Respondents are not quite sure who is responsible for IoT security. When asked who needs to take responsibility for IoT security, there was no clear consensus among security executives. Responses pinned responsibility on the organization managing the network (35% of responses), the manufacturer (34%), and even consumers using these devices (21%)
- One in four organizations do not run periodic employee education programs on information security risks and conduct
Based on the report, Herberger shares four best practices to help healthcare executives better prepare for cybersecurity breaches:
- Take the time to perform an audit and to identify potential inefficiencies in their cybersecurity. This includes evaluating their emergency response plan or developing one, according to Herberger. “Healthcare executives should also ensure they have at least one dedicated cybersecurity professional for their organization; as technology continues to integrate itself into health plans, cybersecurity needs to remain top of mind and a priority for the healthcare industry,” he says.
- Ask third parties they partner with or plan to partner with about their cybersecurity measures. “Even if an organization has strong security, their vendors and partnerships might have less stringent security measures, leading to a security gap,” says Herberger. “While this isn’t the case with every partner, executives should be aware of the risk and prepare accordingly.”
- With the rise of ransomware campaigns that often encrypt data and networks, make sure the organization’s systems are being backed up regularly. Should an organization fall victim to a ransomware attack, having a backup to pull from can minimize service disruption, says Herberger. “Especially in healthcare, the less time it takes to get back online with valid and accurate data, the better,” he says.
- Educate their employees on basic cybersecurity. “From the C-suite to new hires, employees who are not educated on information security could unintentionally open their organization up to phishing and other hacks,” he says. “Periodically reminding employees what a threat looks like and how to respond will improve how the organization handles potential security incidents.”