According to the study, healthcare organisations average about one cyberattack per month. Almost half (48 percent) of respondents said their organisation had experienced an incident involving the loss or exposure of patient information during the previous 12 months. Yet despite these incidents, only half indicated that their organisation has an incident response plan in place.
Key findings of the study:
- Exploitation of existing software vulnerabilities and web-borne malware attacks are the most common security incidents. According to 78 percent of respondents, the most common security incident is the exploitation of a known software vulnerability that is more than three months old.
- On average, organisations have an advanced persistent threat (APT) incident every three months. Respondents experienced an APT attack about every three months during the previous year. Sixty-three percent said the primary consequence of APTs and zero-day attacks was IT downtime, followed by the inability to provide services (46 percent of respondents); both create serious risks for patient treatment.
- Hackers are most interested in stealing patient information. The most attractive and lucrative target for unauthorised access and abuse can be found in patients’ medical records, according to 81 percent of respondents.
- Healthcare organisations worry most about system failures. Seventy-nine percent of respondents said that system failures are one of the top three threats facing their organisation. This is followed by cyber attackers (77 percent) and unsecured medical devices (77 percent).
- Technology poses a greater risk to patient information than employee negligence. A majority (52 percent) of respondents said that legacy systems, together with new technologies supporting cloud and mobile implementations, big data and the Internet of Things, increase security vulnerabilities for patient information. Respondents also expressed concern about the impact of employee negligence (46 percent) and the ineffectiveness of HIPAA-mandated business associate agreements intended to ensure the security of patient information (45 percent).
- DDoS attacks have cost organisations an average of $1.32 million in the past 12 months. Thirty-seven percent of respondents said their organisation experienced, about every four months, a DDoS attack that disrupted operations and/or caused system downtime. These attacks cost an average of $1.32 million over the period, including lost productivity, reputational loss and brand damage.
- Healthcare organisations need a healthy dose of investment in technologies. On average, the healthcare organisations represented in this research spend $23 million annually on IT, of which an average of 12 percent is allocated to information security. Since an average of about $1.3 million a year is lost to DDoS attacks alone, a business case can be made for increasing technology investment to reduce the frequency of successful attacks.
The full story is available on the ESET Ireland Blog.