Tracking endpoints and ensuring device security a vexing problem for healthcare CIOs

The consequences of security incidents in hospitals can be life-or-death, but security practices lag behind other industries.

Healthcare organizations are high-value targets for cybercriminals, due to the proliferation of network-attached endpoint devices from a diverse group of vendors, and issues stemming from regulation preventing timely development and deployment of security patches. Ransomware has plagued hospitals for the past several years, while data breaches are growing yearly—over 15 million individual medical records were breached globally in 2018, a figure that doubled in the first half of 2019, according to CyberMDX's Healthcare CIO Factbook, published Wednesday.

Because of the markedly different landscape of security in healthcare, addressing the entire attack surface is a significant and multi-tiered undertaking, though one that healthcare CIOs are struggling with, per the report. While 25% of respondents cited "preventing cyber attacks" generally as the biggest challenge facing healthcare, 19% reported difficulties "profiling and segmenting device traffic," with 17% citing device visibility.


There is ample room for improvement in device visibility: only 51% of respondents said their organization has a full accounting of networked devices, while 26% do not. A further 13% expressed a lack of confidence in their database of devices, with the remaining 11% unsure if their organization catalogs devices.

For device profiling, 34% of respondents indicate that they take no measures, while 21% claim to do so manually. Not relying on a programmatic approach leaves ample opportunity for the spectre of shadow IT to appear, which further complicates the security posture of hospitals and other healthcare facilities. Of those using tool-assisted solutions, 17% use UDI solutions, 15% use CMMS, and 13% rely on a cybersecurity solution for device profiling.

The report paints a rather bleak picture for addressing patches for known vulnerabilities, with 32% of respondents never auditing medical device deployments, and 30% doing so yearly. These would not be acceptable figures in any other industry, and given the mission-critical, or perhaps life-and-death, consequences that accompany breaches of these devices, this should be a serious concern to anyone who relies on healthcare services. Relatedly, a report first covered in October by PBS found that ransomware and data breaches are linked to an increase in heart attack fatalities.

"This lackadaisical approach accounts for the vast majority of most medical centers' attack surface," the report states. "For example, per CyberMDX field data, around 55% of imaging devices run deprecated or otherwise unpatched versions of Windows ostensibly vulnerable to exploits such as BlueKeep or DejaBlue. Another example can be found in the fact that there are still roughly 1 million computers vulnerable to WannaCry. This several years after the ransomware hobbled the NHS for days and inflicted over $100 million worth of damages."
