Healthcare remains one of the most commonly targeted industries for threat actors. The lower average spend on protecting critical information compared to other industries – healthcare organizations tend to allocate only around 6% of their IT budget to cybersecurity – plus minimal staff able to dedicate time to security creates a perfect storm of cyberattack risk. 

Threat actors have taken notice of the limited staff and light focus on security controls. Data from the U.S. Department of Health and Human Services showed that 531 healthcare organizations were breached in 2023. The top 11 reported attacks resulted in the personal data of more than 70 million people getting exposed. By contrast, the top 11 breaches of 2022 only resulted in the loss of data on 21 million people. 

Any data loss among healthcare companies is problematic, of course. Threat actors can use the personal health information (PHI) and personally identifiable information (PII) that healthcare companies possess for identity theft or to sell on the dark web to other brokers. Beyond the raw number of attacks, which is likely to increase, Ponemon Institute found that 89% of healthcare organizations experience almost one attack per week for an average of 43 attacks in the past 12 months. 

As this situation becomes more standard, and healthcare cybersecurity teams need to ensure they’re prepared for threats, it’s worthwhile understanding the state of play in terms of the security landscape in 2024. 

Hospital Financial Statistics Paint a Depressing Picture

Hospitals have extremely thin operating margins in the post-COVID era. According to research from Becker’s Hospital Report, the average hospital’s operating margin was 1.4% in July 2023. As of January 2024, Syntellis found that the median operating margin was 5.2% year to date. This was an increase of 2.9% from the December year-to-date margin of 2.3%, so financial results are minimally improving. 

Unfortunately, cash on hand is down 3.1% year on year and 27.4% down from January 2022. Although operating margin may have improved, the reduction in cash on hand means that emergency situations like a cyberattack can still have outsized impacts on hospitals of all sizes. With the average cost of a healthcare breach rising to $10.93 million according to IBM data, the reduction in cash on hand means that a single cyberattack can easily drive smaller facilities out of business. 

In fact, according to Becker’s Hospital Review, 646 rural hospitals are currently at risk of closure already. This is 30% of all rural hospitals nationwide. A single cyberattack directed at one of these facilities could result in a closure that limits access to critical medical care for an entire county or region. Hospital IT security and health technology management (HTM) teams need to understand the very real impact that a financial crisis like a cybersecurity incident can have on their employer. 

Healthcare Cybersecurity Planning: Tech Challenges, Skills Shortage Create Substantial Risks 

In terms of direct cybersecurity challenges, some of the biggest risks facing hospitals arise in the form of an expanding attack surface in healthcare. The increasing use of connected medical devices, tablets, smartphones, and other internet-accessible equipment in the average hospital has resulted in more possibilities for threat actors to compromise hospital systems. According to Ponemon’s research from 2022, 12% of attacks originated with the Internet of Things (IoT) devices. 

The same research from 2023 found that only 47% of hospital IT security teams include attacks on medical devices in their cybersecurity planning, while 53% expressed concern about insecure medical devices. This is problematic given that there are an average of 6.2 vulnerabilities per medical device with recalls issued for critical devices such as pacemakers and insulin pumps with known security issues. More than 40 percent of medical devices at the end-of-life stage offer little to no security patches or upgrades. 

Even if patches were available, hospitals often lack the in-house staff to resolve vulnerabilities efficiently and defend critical systems. The cybersecurity skills shortage that persists despite massive recruitment drives, resulting in more than 4 million unfilled openings, has led to significant negative impacts on clinical productivity. A recent HIMSS survey found that 55% claimed resolution time on errors and issues has increased, negatively impacting staff productivity across the organization.

In terms of the most common attacks, ransomware remains among the biggest concerns in healthcare cybersecurity. Recent research from Ponemon has 64% of healthcare IT professionals concerned about their vulnerability to ransomware attacks, with 77% experiencing between 1 and 5 ransomware attacks over the previous two years. 

Ransomware also has a hugely negative impact on patient care, with 48% noting longer stays and 28% noting an increase in patient mortality from such attacks. Further, 59% said ransomware caused procedural delays that resulted in poor outcomes. Paired with the lack of skilled professionals to protect the organization, it’s clear that ransomware remains a major threat to hospitals and healthcare more broadly. 

Healthcare cybersecurity is further challenged by the rise of third-party threats. Cybercriminals have found that targeting vendors is an effective method of breaching hospitals and exfiltrating health data. Of the 40 million healthcare records exposed in the first eight months of 2023, nearly 50% were exposed due to attacks aimed at healthcare providers’ third-party business associates.

This combination of factors makes it imperative for hospitals to adopt an approach to security that empowers them to more effectively defend their patients’ data and ensure better patient outcomes. 

Hospitals Need a New Approach to Cybersecurity

Hospitals need a new approach to cybersecurity – one that is adaptable to a complex threat landscape and able to secure critical systems with minimal staff. The answer is to adopt a risk-based approach to security, which removes the most risk with the least effort. A risk-based approach includes conducting regular vulnerability scans of network-accessible infrastructure to identify weaknesses, as well as prioritizing the discovered weaknesses to ensure that the riskiest issues are resolved first. 

Asimily is designed to help hospitals defend their connected devices and critical systems with a risk-based methodology. With key capabilities around inventory management for connected medical devices, as well as risk-based prioritization of discovered vulnerabilities, Asimily empowers security teams with a risk-based security methodology that will make them safer immediately and over the long term. 

Hospitals face substantial information security headwinds in the market today. Between tight operating margins, skill and resource constraints, and a flood of cyberattacks, the average healthcare organization has a lot of challenges to consider. A risk-based, holistic approach to securing this infrastructure empowers hospitals with cost savings, a better security posture, and an overall more resilient infrastructure. 

The modern healthcare cybersecurity landscape challenges even the most adept security team. For hospitals with limited resources, the rise in attacks makes the situation even more challenging. Asimily customers can be confident that they’re empowered with some of the most effective insight into their connected devices and risk-based insight to improve their security. With Asimily, hospitals can defend themselves more efficiently in 2024. 

To find out how Asimily can help minimize the risk of connected devices at your organization, download our white paper: IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper. To get started immediately, contact us today.