Armis HIMSS 2019 Survey

Healthcare Professionals Lack Confidence in Medical IoT Security; Majority Incapable of Stopping Cyber Attack

For healthcare organizations, cyber security continues to be a major priority, and this was evident in the sessions and discussions at HIMSS in Orlando this week. This makes sense, given 82% of hospitals surveyed in the 2019 HIMSS Cyber Security Survey reported experiencing a significant security incident in the last 12 months. HIMSS 2019 showcased more than 120 sessions related to security, from guidance on detecting and blocking phishing and malware attacks and keeping data safe in the cloud, to practical tips for how to recover from a cyberattack and how to fend off nation-state attacks.

Medical Device Security Is Critical

The need for information and practical advice is growing every year as more Internet-connected medical devices like MRI and CT scanners, X-rays, glucose monitors, IV drips and many other types of life-saving and critical machines turn up in emergency rooms, doctor’s offices, prenatal nurseries and in telemedicine and e-records systems. Last year, healthcare suffered more breaches than any other industry, according to the 2018 Verizon Data Breach Investigations Report.

WannaCry Continues To Hit HDOs

Even more concerning is that Healthcare Delivery Organizations (HDOs) are still being targeted by WannaCry, the unprecedented ransomware attack that infected more than 300,000 Windows computers in over 100 countries when it first hit in 2017. It’s the first widespread malware that directly put people’s lives at risk — it delayed surgeries, forced ambulances to reroute and shut down diagnostic equipment in hospitals, as well as held medical data hostage, some of which was never recovered.
To better understand which medical device and IoT (MIoT) concerns are top of mind for healthcare professionals, Armis surveyed 90 IT professionals attending the conference. Below are the key findings:

Healthcare Leaders Not Confident with Their Current MIoT Security

One message that rang clear from the survey is that healthcare professionals don’t feel their IT departments are equipped to deal with all of the security threats they face today. While nearly three-quarters of respondents (73 percent) reported they currently use connected devices to support or supplement their healthcare staff, they aren’t feeling optimistic about it from a security standpoint. Forty-four percent don’t feel confident that they have adequate budget allocated to securing MIoT, and about the same number don’t have confidence in their current MIoT security controls.

Figure 1: Healthcare organizations don’t feel confident about their budgets for MIoT security

Figure 2: Respondents don’t feel confident with their current MIoT security controls

Patient Personal Data and Physical Safety Most at Risk

When asked what outcomes would be most detrimental in the event of a cyber attack, their top concerns were: stolen patient data (27 percent); physical safety of patients (20 percent); ransomware disrupting operations (19 percent); medical devices transmitting unencrypted patient data (19 percent); and a patient’s medical device becoming infected by malware (16 percent).

Figure 3: Scenarios most concerning in the event of an attack

Organizations Not Confident in Their Ability to Stop an Attack

Asked if their organization was capable of stopping an attack on an MIoT device, more than half of respondents (57 percent) said they do not feel confident in their current abilities.

Figure 4: Respondents don’t feel equipped to stop an incoming cyberattack

Ransomware a Growing Issue in Healthcare Organizations

Fourteen percent of respondents reported that they have been impacted by ransomware, such as WannaCry, in the last year. Though some of the buzz about ransomware has slowed down since WannaCry, the threat still persists today.

Figure 5: Organizations have been impacted by ransomware last year

Through its work in the field, Armis has found that healthcare organizations today have three main goals when it comes to MIoT:

1. Protecting patient identifiable data (PII and PHI)
2. Reducing operational disruption
3. Ensuring patient safety

However, the survey data shows they don’t feel as prepared as they should be to prevent or stop attacks, and some are already being affected with ransomware that can disrupt services and endanger patients if not mitigated appropriately.

As chilling of a reality as it may sound, there are steps healthcare institutions can take to protect their systems. Armis provides technology that helps organizations see all the managed and unmanaged devices on all of their networks, monitor every device to detect compromised behavior, and protect by quarantining devices automatically that are behaving suspiciously or maliciously.

To read more about how Armis is helping HDOs secure medical devices in the MIOT age, check out our White Paper “Medical and IoT Device Security for Healthcare.”