Health professionals ignoring security despite ransomware attacks
May 25, 2017
In the wake of the global WannaCry ransomware virus that was particularly damaging to the healthcare sector, with the UK's National Health Service (NHS) being one of the first and most adversely affected victims, ABI Research has found that healthcare respondents show the least concern regarding security.
The rapid-fire spread of the virus, which infected thousands of organisations globally, is one of the most significant cyber attacks in recent digital history. The impact caused numerous patient services to be shut down, including emergency services. Though security professionals have long warned of this type of cyber attack, in a recent B2B technology survey of 455 US-based companies across nine vertical markets, ABI found a lack of concern in the healthcare industry.
"Cyber security within the healthcare sector has been traditionally poor, at best," said Michela Menting, research director at ABI Research. "Most organisations limit themselves to box-ticking exercises, as required under data protection legislation for patient privacy. A true understanding of the risks and the requirements of comprehensive, multi-layered cyber security implementation is sorely lacking. When ranking barriers to technology adoption, we find that 82 per cent of healthcare respondents did not rank privacy and data protection as a concern, and 58 per cent did not rank cyber security at all."
For privacy and data protection, this high dismissal rate could be attributed to healthcare organisations' complacency regarding existing data protection frameworks. The number of health records breached in the sector alone has run into the millions since 2010, and ransomware has been the bane of healthcare organisations, with more than half of global attacks targeting the sector in the past two years.
"Belief that healthcare providers are experienced in data protection due to compliance with existing regulation can provide a false sense of security when faced with new technology adoption," said Menting.
Similarly, more than half of healthcare B2B technology survey respondents did not consider cyber security to be an obstacle. This inattention can be attributed to several factors: lack of specific cyber security legislation and guidance; belief that data protection regulation could address the problem; low awareness and limited understanding of risks; and the perceived unlikelihood of widespread cyber attacks.
"Complacency in risk mitigation is dangerous, as the WannaCry ransomware attack sadly revealed," said Menting. "Healthcare organisations should treat cyber security as a living process, rather than as a static checklist, especially when considering new technology adoption. Connected medical devices and hospital equipment increasingly form part of care provisioning, and are highly vulnerable to cyber attacks. This is even more critical as basic IT cyber security seems to be dangerously unattended in the industry. Ransomware will continue to be a popular cyber attack, attracting an ever-growing number of malicious actors, keen to cash in on the vulnerabilities riddling healthcare organisations."