Healthcare companies quickly fall victim to cyberattacks as a result of continually utilizing out-of-date software and not fixing vulnerabilities immediately. This issue is apparent in the WannaCry ransomware attacks that happened in May 2017. U.S. healthcare companies were fortunate to have survived as opposed to healthcare companies in the U.K. Symantec not too long ago discussed a threat group which has been attacking the healthcare sector for the past 3 years and compromising sensitive data. That is due to the continued use of out-of-date software program that it is simple for attackers to move laterally inside a network.
Action should be taken to deal with the situation of attackers taking advantage of the vulnerabilities because of unpatched , out-of-date and unsupported operating systems. The cyberattacks will continue unless industry players take action. Although there are available options for systems upgrade, there are still a lot of healthcare companies that sill use legacy software and equipment, never fix vulnerabilities and fail to patch systems promptly.
Measures are being considered to solve medical device security; however, progress is slow. The U.S. FDA has the option of requiring companies to update products through the life cycle; however taking care of vulnerabilities is expensive and complicated and even if the FDA were to take action it would take time for healthcare companies to comply. It is not a problem that can be solved overnight.
As it stands, before healthcare companies decide to upgrade systems and address vulnerabilities, they normally perform a cost-benefit evaluation. If upgrading and maintaining devices comes at a high cost, they simply accept the risks that come with using the devices.
The U.S. House Energy and Commerce Committee is aware of the issue and is liaising with industry stakeholders to come up with a solution to deal with the problem and strengthen cybersecurity. It is projected that an organization may possibly spend $400 to $4,000 just fixing one vulnerability. Considering the volume of vulnerabilities tat need to be addressed, the cost could be astronomical. The House Committee on Energy and Commerce is seeking the opinion of healthcare industry stakeholders and other individuals until May 31, 2018 to try to find a workable solution.