A two-year report analyzing cybersecurity in healthcare calls patient health “extremely vulnerable” and the industry itself “in turmoil.”

Conducted by Baltimore-based Independent Security Evaluators, the report assessed 12 healthcare facilities, two healthcare data facilities, two active medical devices from one manufacturer and two web applications, from January 2014 through January 2016. The researchers performed hands-on analyses of the systems, tools and budgets, and conducted interviews with hospital, data center and devicemaker employees.

The researchers identified the following two major flaws with healthcare’s threat model:

• An almost exclusive focus on protection of patient records.
• Most measures taken address "unsophisticated adversaries" and aim to stifle "blanket, untargeted attacks."

"As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered," according to the report.

Little to no control is exercised over the parties responsible for remote access to hospital networks resulting in access that often is too broad. "Without control of the remote networks and systems, it is exceptionally problematic [if not impossible] for hospital IS or IT to ensure that those connected systems are safe, and not infected with malware or opening the door for an advanced threat to launch an attack," the researchers say.

The report also identifies insufficient funding, a lack of security personnel and poor training as the sources of hospital security issues.

Read the full report.