The rapid-fire spread of the WannaCry ransomware, which infected thousands of organizations globally, is one of the most significant cyberattacks in recent digital history. The impact was particularly damaging to the healthcare sector. The UK’s National Health Service (NHS) was one of the first and most adversely affected victims, and the attack caused numerous patient services, including emergency services, to be shut down.
Security professionals have long warned of this type of cyberattack. Yet in a recent B2B technology survey of 455 U.S.-based companies across nine vertical markets, ABI Research finds that healthcare respondents show the least concern regarding security of all sectors surveyed.
“Cybersecurity within the healthcare sector has been traditionally poor, at best,” says Michela Menting, Research Director at ABI Research. “Most organizations limit themselves to box-ticking exercises, as required under data protection legislation for patient privacy. A true understanding of the risks and the requirements of comprehensive, multi-layered cybersecurity implementation is sorely lacking. When ranking barriers to technology adoption, we find that 82% of healthcare respondents did not rank privacy and data protection as a concern, and 58% did not rank cybersecurity at all.”
For privacy and data protection, this high dismissal rate could be attributed to healthcare organizations’ complacency regarding existing data protection frameworks. Health records breached in the sector alone have numbered in the millions since 2010, and ransomware has been the bane of healthcare organizations, with more than 50% of global attacks targeting the sector in the past two years. “Belief that healthcare providers are experienced in data protection due to compliance with existing regulation can provide a false sense of security when faced with new technology adoption,” continues Menting.
Similarly, more than half of healthcare B2B technology survey respondents did not consider cybersecurity to be an obstacle. This inattention can be attributed to several factors: lack of specific cybersecurity legislation and guidance, belief that data protection regulation could address the problem, low awareness and limited understanding of risks, and the perceived unlikelihood of widespread cyberattacks.
“Complacency in risk mitigation is dangerous, as the WannaCry ransomware attack sadly revealed,” concludes Menting. “Healthcare organizations should treat cybersecurity as a living process, rather than as a static checklist, especially when considering new technology adoption. Connected medical devices and hospital equipment increasingly form part of care provisioning, and are highly vulnerable to cyberattacks. This is even more critical as basic IT cybersecurity seems to be dangerously unattended in the industry. Ransomware will continue to be a popular cyberattack, attracting an ever-growing number of malicious actors, keen to cash in on the vulnerabilities riddling healthcare organizations.”