Bigger business, bigger problems, right? Not necessarily true when it comes to the cost of a cyberattack within the healthcare industry.
A recently published survey brings unexpected results when it comes to comparing large and medium-sized businesses. Surprisingly, medium-sized businesses are hit with cyberattack costs that are nearly 4x that of their larger counterparts at $440,000 compared to the $130,000 of larger businesses. This is broken down by the average cost of a shutdown being 6.2 hours at $21,500 per hour from large hospitals, and the midsize ones reported 10 or more hours at $45,700 as a result of a shutdown. And yet when it comes to being protected against known vulnerabilities, nearly half admitted that they had not yet taken action against known issues such as BlueKeep, WannaCry, and NotPetya.
With 42% of mid-sized practices and 61% of large organizations having unplanned medical device shutdowns due to an external attack in the past 6 months, most respondents still believe they are adequately staffed to handled cybersecurity.
The findings highlight that these attacks are increasing but the facilities have not adapted their cybersecurity programs or staff to meet the rise in attacks. The hope that this rise would subside or at least plateau when the pandemic began to subside is short-lived. Microsoft recently disclosed during a US House of Representatives Subcommittee on Oversight and Investigations hearing that its security services are engaged mostly by the healthcare sector, with 17% of the total. Kemba Walden, who is the assistant general counsel for Microsoft’s Digital Crimes Unit (DCU) said in written testimony that “ransomware is not limited to high-profile incidents. It is ubiquitous and pervasive, impacting wide swathes of our economy, from the biggest to the smallest players.” More of that written testimony from July of 2021 can be found here.
How They Attack
In March the US Department of Health and Human Services reported that attacks against healthcare were attacking many systems at once, then stealing information and data, and then deploying ransomware. They had what they needed but then demanded ransom to return access to the business. This was done increasingly via social engineering as part of the attack. The human element of any business is always the easiest point of entry for cybercriminals and needs to be addressed in an immediate and ongoing manner. The manual processes that are used by many hospitals and healthcare businesses also need to be addressed and replaced with automation that is less likely to be affected by human error. This human element, along with outdated equipment and failure to maintain even software updates, creates an environment with many gaps that provide ample opportunity for attack.
If you aren’t sure of the risks that your healthcare business faces, we can help. PHIshMD, our ongoing security awareness training program will help assess and address your human security risks.