Third-party vendor risk and medical devices are the biggest cybersecurity threats that keep healthcare IT security executives awake at night, according to a new survey.
However, the action needed to actually address these threats is lagging, the survey found.
Forty percent of healthcare security leaders said third-party risk is the threat that concerns them the most, according to a survey from Austin, Texas-based cybersecurity firm CynergisTek. The survey aimed to identify the greatest perceived threats and current challenges healthcare organizations face in cybersecurity and privacy.
Among emerging threat areas—5G, artificial intelligence, internet of things (IoT) and supply chain—more than 50% of healthcare executives said they were the most concerned about IoT.
Recent major data breaches impacting medical testing companies Quest Diagnostics and LabCorp highlight the ongoing threat of lax data security at third-party vendors. More than 20 million patients may have had their medical and financial information exposed due to a breach at the American Medical Collection Agency, a billing collections firm.
While there is no immediate financial impact for Quest and LabCorp, the breach is credit negative for the companies because it exposes them to reputational risk and shines a spotlight on how they select and assess their vendors, according to a report from Moody's Investors Service.
Recent cyberattacks also have exposed the vulnerability of medical devices. In May, Microsoft took the rare step of releasing a patch for a handful of legacy operating systems it no longer services after finding a critical vulnerability. Microsoft said it is "highly likely" that malicious actors will write an exploit for this vulnerability.
The tech giant said the vulnerability is "wormable," meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.
The security risks of this vulnerability for healthcare are potentially huge as the industry is still reliant on legacy operating systems, particularly for medical devices, according to cybersecurity experts.
Healthcare organizations lack resources to address cybersecurity
The recent survey findings highlight that the issues healthcare security leaders are most concerned about are the risks associated with IoT, medical devices, third-party vendors and program development and management. However, the survey data also pinpoint some of the barriers or disconnects within the organizations to solve these issues, such as executive leadership buy-in.
Nearly one-third of security executives reported that medical device security is one of the top five risks facing healthcare. But most organizations did not have an effective strategy in place to assess the risks posed by medical devices, the executives said.
Even more alarming, 26% of healthcare organizations don’t have any process in place at all.
Almost half of the organizations reported to have conducted an incident response exercise only one time or to have never done one at all.
More than half (54%) of the executives surveyed said the biggest barrier to meeting privacy and security challenges was lack of adequate resources like technology tools, money or people. Only 13% said senior management buy-in posed the biggest challenge.
In a follow-up question, 40% responded that they didn’t know whether their boards were more or less involved with cybersecurity and privacy programs than they previously had been.
David Finn, executive vice president of strategic innovation at CynergisTek, said the survey results are "extremely troubling."
"The fact that the vast majority of respondents report a lack of resources as a serious constraint against their cybersecurity program and senior management buy-in as the least concern shows there is a huge disconnect happening," he said in a statement.
"If executive leadership truly understood the business risks posed by inadequate cybersecurity and realized the major operational, financial, and patient safety implications a security incident can have, they would ensure any and all resources needed were available," Finn said. "We need to make sure we are effectively communicating these issues to executive leadership so they make cybersecurity a business priority."
Healthcare security leaders also said "culture" was the leading barrier in retaining cybersecurity professionals, more so than compensation or training.