New report quantifies hospitals’ IoT and IoMT cybersecurity risk – Technologist

Healthcare Delivery Organisations (HDOs) have a low tolerance for service interruptions to network-connected devices and equipment because of their crucial role in patient outcomes and quality of care.

Resource-constrained HDO security and IT teams continue to face operational difficulties in sufficiently securing critical systems from increasingly sophisticated attacks, as their vast and heterogeneous IoMT device fleets complicate management and, left unchecked, offer a broad attack surface.

Asimily’s Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk report highlights the unique cybersecurity challenges that healthcare delivery organisations (HDOs) face and the true costs of their IoT and IoMT security risks.

Key findings

Emerging cybersecurity trends and challenges: The report reveals the top cyberattack strategies impacting HDO medical devices right now: ransomware attacks that spread to devices and disrupt services, third-party-introduced malware that impacts device performance, and devices communicating with unknown IP addresses to enable remote breaches.

Cyberattacks on healthcare providers have become remarkably common: the average HDO experienced 43 attacks in the last 12 months. Unfortunately, many of those attacks are successful, with 44% of HDOs suffering a data breach caused by a third party within the last year alone.

The high cost of doing nothing: For HDOs, today’s high-failure status quo can be catastrophic. Cyberattacks cost HDOs an average of US$10,100,000 per incident. Worse, cyber incidents are directly responsible for a 20% increase in patient mortality. 64% of HDOs also reported suffering from operational delays, and 59% had longer patient stays due to cybersecurity incidents.

Those financial and operational burdens are pushing many HDOs to the brink: the average hospital operating margin sits at 1.4% in 2023. Currently, more than 600 rural U.S. hospitals risk closure, in an environment where a single cyberattack can put a smaller HDO out of business.

Poor device health leads to poor outcomes: HDO security and IT teams face a high-risk environment where the average medical device has 6.2 vulnerabilities. Adding to this challenge, more than 40% of medical devices are near end-of-life and poorly supported (or unsupported) by manufacturers.

Cybersecurity resources and staffing are limited: Even when device vulnerabilities are recognised, HDO security teams can fix only 5-20% of known vulnerabilities each month.

Cyber insurance is no longer enough: As ransomware attacks and breaches have skyrocketed in recent years, cyber liability insurers are introducing coverage limits and capped payouts, making it a less and less effective recourse for HDOs. At the same time, cyber insurance also fails to address the costly reputational damage an HDO suffers following a breach.

The report concludes that adopting a holistic risk-based approach is the most cost-efficient and long-term-effective path for HDOs to secure their critical systems and IoMT devices.