[BreachExchange] 26% of Orgs Would Pay Ransomware After Healthcare Cyberattack

[Audrey McNeil]

https://healthitsecurity.com/news/26-of-orgs-would-pay-
ransomware-after-healthcare-cyberattack

While the majority of healthcare IT and security professionals in the UK
and US are confident in their organization’s ability to respond to a
healthcare cyberattack, there are still some that are not sure their entity
can properly respond, according to a recent survey.

Twenty-three percent of UK healthcare IT professionals said they are not
confident in their organization’s ability to respond to a cyberattack,
reported Infoblox's Cybersecurity in Healthcare: The Diagnosis.

Furthermore, 26 percent of UK and US respondents said that their
organization would pay a ransom demand. Of those, 85 percent of those
surveyed in the UK said there was a plan in place for this situation and 68
percent of US respondents said the same.

"The healthcare industry is facing major challenges that require it to
modernize, reform and improve services to meet the needs of ever more
complex, instantaneous patient demands,” Infoblox Western Europe Director
Rob Bolton said in a statement. “Digital transformation presents a massive
opportunity to support the doctors and nurses who work tirelessly – but
these new technologies also introduce new cyber risk that must be
mitigated.”

“The widespread disruption experienced by the NHS during the WannaCry
outbreakdemonstrated the severe impact to health services that can be
caused by a cyberattack,” he continued. “It's crucial that healthcare IT
professionals plan strategically about how they can manage risk within
their organization and respond to active threats to ensure the security and
safety of patients and their data."

Nearly one-quarter of UK and US respondents said that Windows 7 was present
at their organization, which report authors noted was the exploited
operating system in the WannaCry attack. Twenty percent of respondents also
stated that their network runs Windows XP, which has been unsupported since
April 2014, researchers said.

“With the cyber threat landscape evolving dramatically fast, it is
essential that IT and security professionals patch everything as soon as
possible when new threats are discovered,” the report stated. “This poses a
significant challenge and risk to those organizations still running
outdated operating systems, including Windows XP, as the patches aren’t
produced and so the devices cannot be updated to patch security flaws,
leaving them open to attack.”

In terms of system updates though, 15 percent of the healthcare IT
professionals said they can’t update systems or don’t know if they can
update them. When an entity has more than 500 employees, that number
increases to 26 percent, according to the report.

Healthcare IoT and connected device security is also a critical issue, the
researchers pointed out. Approximately 20 percent of respondents said they
had over 5,000 devices on their network. Even so, 15 percent of UK
healthcare IT professionals and 11 percent of US respondents don’t believe
that their current security policy for newly connected devices is effective.

“Security policies for IoT devices should assure the authentication layer
of an IoT device, which is used to verify the identify information of that
entity; its authorization controls manage the device's access across the
network fabric, and ensure IT teams have complete visibility and control
over the entire IoT ecosystem and its data,” the researchers wrote.

More organizations are increasing their cybersecurity spending in response
to the ever-evolving threats. Eighty-five percent reported they are
spending more in cybersecurity, with 12 percent of respondents stating
their cybersecurity spending increased by over 50 percent.

Sixty percent of respondents said anti-virus software was their top
cybersecurity investment, followed by firewalls (50 percent). Half of US
healthcare IT professionals added that their company invests in encryption
software, while 36 percent of UK respondents said the same.

Approximately one-third (37 percent) of US and UK respondents stated their
organization invested in application security to secure web applications,
operating systems, and software. Those surveyed also said their company is
investing in employee education (35 percent), email security solutions (33
percent) and threat intelligence (30 percent).

“Across the UK and US, healthcare IT professionals are facing growing
challenges in securing their networks and devices, with our research
highlighting diverse issues ranging from vulnerabilities in medical devices
to outdated operating systems and unenforceable security policies,” the
research team explained. “However, cybersecurity investment is increasing
across the board, providing the opportunity for great improvement if
deployed effectively.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171121/36248453/attachment.html>