Healthcare organisations notoriously lax over computer security, charge researchers
- WannaCry ransomware attack was an incident waiting to happen, say researchers
- 'Adylkuzz' now on the way, with yet more attacks expected after that
- Health professionals lulled into false sense of security by constant box-ticking exercises
The very recent and rapid spread of the WannaCry ransomware on Friday felled hospitals, health clinics and the like in the UK. Various services, including A&E, were affected right across the country: operations were postponed, clinics went back to paper records, and for a day or so appointments could not be booked (patients were told to just turn up and wait). It was, for an instant, back to the 90s.
This has been widely described as the most significant single global cyberattack yet, although at the time of writing experts are warning that another attack, which they are calling 'Adylkuzz', is on the way, and one which they expect will be even larger and more damaging than WannaCry. Adylkuzz exploits the same Windows SMBv1 vulnerability (patched by Microsoft as MS17-010) that WannaCry used to spread, so the same patching and the disabling of SMBv1 that would have blocked WannaCry also blocks it.
It’s all turning out to be rather embarrassing for the UK’s National Health Service (NHS), which appears to have largely disregarded warnings and advice around computer security, perhaps on the unspoken conviction that a giant strapped-for-cash health service, already under pressure to maintain front-line services, would not be viewed favourably by the public if it appeared to put updating its computer software ahead of treating patients.
ABI Research says that the number of health records breached in the sector alone has run into the millions since 2010, and that ransomware has been the bane of healthcare organisations, with more than 50 per cent of global ransomware attacks over the past two years targeting the sector.
The researchers charge that healthcare operations the world over have long taken a cavalier attitude to security, despite repeated warnings from security professionals to up their game.
In a recent B2B technology survey of 455 US-based companies across nine vertical markets, ABI Research found that healthcare respondents showed the least concern regarding security out of all sectors surveyed.
“Cybersecurity within the healthcare sector has been traditionally poor, at best,” says Michela Menting, Research Director at ABI Research. “Most organizations limit themselves to box ticking exercises, as required under data protection legislation for patient privacy. A true understanding of the risks and the requirements of comprehensive, multi-layered cybersecurity implementation is sorely lacking. When ranking barriers to technology adoption, we find that 82% of healthcare respondents did not rank privacy and data protection as a concern, and 58% did not rank cybersecurity at all.”
“Belief that healthcare providers are experienced in data protection due to compliance with existing regulation can provide a false sense of security when faced with new technology adoption,” continues Menting.
Similarly, more than half of the healthcare respondents to the B2B technology survey did not consider cybersecurity to be an obstacle to adopting new technology. This inattention can be attributed to several factors: a lack of specific cybersecurity legislation and guidance, a belief that data protection regulation already addresses the problem, low awareness and limited understanding of the risks, and the perceived unlikelihood of widespread cyberattacks.
“Complacency in risk mitigation is dangerous, as the WannaCry ransomware attack sadly revealed,” concludes Menting. “Healthcare organizations should treat cybersecurity as a living process, rather than as a static checklist, especially when considering new technology adoption. Connected medical devices and hospital equipment increasingly form part of care provisioning, and are highly vulnerable to cyberattacks. Ransomware will continue to be a popular cyberattack, attracting an ever-growing number of malicious actors, keen to cash-in on the vulnerabilities riddling healthcare organizations.”