Hospital Cyber Resiliency Initiative: Landscape Analysis
1. Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and
growing cyber threat to hospitals. Since 2021, primary intrusions used to cause disruption and
damage increased across all sectors and industries by 50%. Ransomware is currently the largest
threat to this sector and deserves immediate attention – especially considering the impact the non-
availability of services can have on patient care and safety.
2. Variable adoption of critical security features and processes, coupled with a continually
evolving threat landscape, can expose hospitals to more cyber-attacks.
• Multi-Factor Authentication (MFA): Adoption of MFA is taking place in over 90% of surveyed
hospitals; however, data suggests that MFA may not be utilized consistently across key systems
and critical entry points, creating additional risk of exploitation. For instance, 84% of Virtual
Private Networks (VPNs) are protected with MFA, and 88% of email systems are protected with MFA.
Given a lack of full adoption on critical assets, it can be concluded that theft of a single
credential through phishing attacks can lead to successful compromises.
• Vulnerability Assessments: 89% of the hospitals surveyed indicated that they were conducting
regular vulnerability scanning at least on a quarterly basis; however, they also indicated that
their use of advanced forms of testing such as penetration, red team, purple team, and tabletop
exercises was 20% or lower [4]. Additionally, 70% of hospitals surveyed state they are
conducting vulnerability scans against websites, which are exposed to the internet. Despite
this scanning activity, only 53% of surveyed hospitals stated they have a documented plan for
addressing the vulnerabilities identified. Vulnerability management that consists solely
of regular scanning is not sufficient, partly due to the typical scope of scanning and the lack of
corresponding processes to prioritize and address any identified issues. Through conversations
with hospitals, it was understood that vulnerability results were fairly easy to acquire through
existing tools; however, prioritization and resource constraints were raised as challenges for
mitigating the vulnerabilities identified.
• Training & Outreach: 86% of the hospitals surveyed responded that their users are informed and
trained on performing their cybersecurity-related duties and responsibilities. However, data
suggests there may be considerable variability in the training provided to hospital staff
across the sector. Additionally, little data was available on the adequacy and effectiveness of
training and outreach efforts. During the interviews, participating hospitals regularly raised
education and training as a desired means of achieving higher levels of cyber resiliency. A few
hospitals indicated that scenario-based training (where results are shared near real-time) is an
effective way to improve cyber hygiene, as well as training that is targeted to high-risk groups
(e.g., executives) who might be targets of cyber-attacks.
[4] A red team is a team of offensive security professionals, such as penetration testers, ethical hackers, and other
skilled professionals who look to uncover flaws and vulnerabilities. A purple team is a team of blue (defense) and red
(offense) team members who exercise in coordination to promote greater understanding of how to uncover and defend against
cyber-attacks. Tabletop exercises are simulated events whereby a scenario is created, and a response team tests
their response playbooks.