In a country where 26% of healthcare organisations are willing to pay ransom to hackers and 23% of IT professionals are not confident in their organisation’s ability to respond to a cyber-attack, one may deduce that the healthcare sector is virtually losing the battle against cyber criminals.
Add to that the fact that 20% of networks at healthcare organisations run legacy operating systems like Windows XP which has been unsupported since April 2014, as well as the fact that only 36% of healthcare organisations in the UK are investing in encryption software to protect their IoT devices from malicious actors. It’s a perfect recipe for disaster.
These figures were revealed by a survey conducted by Infoblox to understand the ability of healthcare organisations to respond to cyber-attacks, be it DDoS attacks, ransomware attacks, phishing attacks or malware injections.
The poor state of IoT security
The Infoblox survey revealed that healthcare organisations are now employing thousands of IoT devices and connected medical equipment without appreciating the security concerns that such devices pose to an organisations.
Infoblox added that despite Microsoft urging organisations to update all legacy systems to the latest version of Windows, many hospitals and health centres continued using outdated operating systems for fear of disruption to patient care. Such institutions feared that that specialised legacy software will not run on the more modern releases.
Nearly one in five healthcare IT professionals who took part in the Infoblox survey revealed that medical devices on their organisation’s network are currently running on Windows XP. 7% of such professionals don’t know what operating systems their medical devices are running on and 15% of them either can’t or don’t know if they can update these systems.
This is despite the fact that several healthcare organisations now have thousands of devices on their networks. 37% of healthcare IT professionals from organisations with over 500 employees admitted having over 5,000 devices on their network at the time of the survey.
The survey further noted that 15% of healthcare IT professionals in the UK don’t believe that their current security policy for newly connected devices is effective, suggesting that ‘hospitals and health centres are rapidly adopting new connected devices without due care and attention towards security policies’.
There’s light at the end of the tunnel
Despite the bleak state of cyber security at healthcare organisations in the UK, things have started to change, albeit slowly. Last week, thanks to a new Custom Support Agreement with the NHS, Microsoft pledged to offer exclusive support for older systems run by NHS organisations until the latter migrate to more up-to-date operating systems.
As per the agreement, a dedicated Microsoft team will monitor the cyber landscape and develop software patches as soon as new threats emerge. This would ensure that Microsoft would proactively prevent malware, ransomware and other kinds of worms from infecting legacy systems owned by the NHS, rather than belatedly issuing security patches once the damage is done.
As part of the agreement, Microsoft would also support the migration of all legacy systems, including those running Windows 7, to Windows 10 in the near future. Microsoft is set to withdraw general support for Windows 7 devices from 2020.
As per the survey by Infoblox, as many as 57% of healthcare IT professionals are now patching their systems once every week to guard against the latest threats. At the same time, 85% of healthcare organisations have increased their cyber security spending over the past year, with 12% of them increasing their investments by over 50%.
Aside from investing in anti-virus software and firewalls, organisations are also investing in network monitoring to identify malicious activity, DNS security solutions to guard against DDoS attacks application security to secure web applications, operating systems, and software.
One in every three healthcare IT professionals also stated that their organisations are investing in employee education, email security solutions, threat intelligence, while one in five professionals confirming investments in biometrics solutions.
‘With the increasing number of attacks on healthcare organisations, it’s essential that CIOs and IT leaders strategically plan their cybersecurity defenses to protect both patient and employee data, and against disruption to services,’ noted Infoblox.
‘Across the UK and US, healthcare IT professionals are facing growing challenges in securing their networks and devices, with our research highlighting diverse issues ranging from vulnerabilities in medical devices to outdated operating systems and unenforceable security policies. However, cybersecurity investment is increasing across the board, providing the opportunity for great improvement if deployed effectively,’ it added.