Healthcare is among the top industries in the U.S., and it is one of the few industries that impact nearly every single person in one way or another. Whether you are a patient, provider, insurer, or other, healthcare has some sort of presence in almost all of our lives. Unfortunately, healthcare is also the second most targeted industry when it comes to cyber attacks, with attack frequency and severity steadily increasing year after year. Three major risks impact this industry significantly: ransomware attacks, IoT device security, and data breaches.
The Sophos report, The State of Ransomware in Healthcare 2022, surveyed 5,600 IT professionals, including 381 in healthcare, from 31 countries. This report found that ransomware was one of the worst attacks for the healthcare sector and that, from 2020 to 2021, the share of surveyed healthcare organizations hit by ransomware almost doubled, from 34% to 66%.
According to Kroll, healthcare became the top targeted sector in Q2 of 2022, accounting for 21% of all incidents, compared to only 11% in Q1 2022. The most common attack hitting the healthcare industry during this time was ransomware. In April of 2022, the FBI went as far as to warn the healthcare industry of “exceptionally aggressive” ransomware threats from one particular ransomware group.
The aforementioned Sophos report also found that victims of ransomware in healthcare were the most likely to pay the ransom: 61% of attacked entities ended up paying. However, paying recovered less data than before. Healthcare organizations that paid the ransom got back only 65% of their data in 2021, which was worse than the 69% seen in 2020.
Cynerio, an IoMT (Internet of Medical Things) security company, published a report titled The State of Healthcare IoT Device Security 2022, which identified some of the key risks in the world of healthcare IoT device security, or insecurity. Over half of all connected devices in a hospital setting have “critical” risks present. Specifically, 75% of IV pumps have inherent, unprotected vulnerabilities that could threaten patient well-being if exploited. It is not just the devices themselves that put the industry at risk: 50% of oncology, pharmacology, and laboratory departments are running on old operating systems, putting them at severe risk, as keeping devices up-to-date is an essential building block of basic cybersecurity.
In 2020, there were 599 data breaches that hit the healthcare industry, the largest of which resulted in 3.3 million records being stolen by cybercriminals. A report by Fortified Health Security found that there were 337 data breaches in healthcare in just the first half of 2022. The actual number of breaches is likely higher, as the report only looked at breaches that impacted 500 or more individuals, so smaller breaches are not captured here. If the trend of the first half of the year continues, the healthcare industry will see an increase of roughly 75 breaches compared to the 2020 figure, which is a growth rate of 12.5%.