The healthcare industry has come a long way in terms of technological advancement. Healthcare IT systems, structures, and standards have transformed modern healthcare and provided hospitals with new opportunities when it comes to patient care.
Driven by connectivity, modern medical technologies also open the door to terrible vulnerabilities that most hospitals are woefully under-prepared to tackle. Existing problems are difficult to address, and new problems keep popping up before old ones are solved. To succeed in this environment, smart organizations use a multi-layered defense architecture and enact improvements incrementally based on a context-aware prioritization strategy.
To ensure network security, hospitals must devise and implement comprehensive cybersecurity plans supported by technological solutions that improve network visibility and threat detection capabilities.
Cybersecurity Risks Associated with Medical Technologies
The threats facing hospitals are many and could result in catastrophic consequences, ranging from the compromise of sensitive patient data to direct harm to patient safety. Some of the most common threats facing hospitals today include:
- Speculative execution attacks: These attacks exploit a capability known as "speculative execution," which is central to the functioning of high-performance computer processors. The most visible speculative execution attacks include Spectre and Meltdown, as well as several other variants identified by researchers.
- Data breaches: Whereas speculative execution speaks to the infiltration mechanism of an attack, there is also the matter of how an attack is used. The most common use of an attack is to illicitly access private information. An attack used in this way is known as a data breach. Since 2009, there have been more than 2,500 healthcare data breaches involving 500 records or more. In total, over the last ten years, there have been nearly 200 million healthcare records breached.
- Ransomware: Another increasingly common consequence of cyber infiltration is the ransomware attack. Ransomware refers to a form of malicious software that restricts access to a technology’s basic functionality unless and until a "ransom" is paid. The SamSam ransomware attacks favored (or perhaps disfavored would be the more appropriate term) healthcare organizations — exploiting a variety of vulnerabilities to gain access to a network and hold sensitive patient data hostage.
- Cryptojacking: A less common motivation for attack but one viewed as a key up-and-comer to watch for is cryptojacking. This refers to a specific form of malware that leverages an infected device's CPU power for purposes of cryptocurrency mining.
Taking a passive or deliberately reactive approach to these threats is not recommended — especially in the healthcare sector where the stakes are so incredibly high. While the industry is far from totally transparent and some attacked organizations might not even realize they’ve been targeted, all the available data suggest that for HDOs, it's not a matter of if an attack will occur, but when and how often.
These risks must be accounted for and mitigated before an issue arises. To do so, hospitals need to have a strong cybersecurity plan that is not only designed to respond to threats but prevent them in the first place.
The Current State of Cybersecurity in Hospitals
There’s little point in putting lipstick on a pig. The fact is that current state of cybersecurity in hospitals is worrying. Many organizations are years behind in terms of cybersecurity best practices. Common issues in hospitals and other healthcare settings include:
- Shortage of cybersecurity talent: A lack of cybersecurity expertise has been a long-standing issue throughout the healthcare industry, leading organizations to heavily rely on third-party providers, software, and hardware to make up for that gap. A survey conducted by Ponemon found that 79% of health IT and security professionals find it hard to recruit cybersecurity talent, while 74% believe they are understaffed.
- Confusing regulatory requirements for real life requirements: A disconnect between the intentions of regulators and the nature of cybersecurity continues to drive vulnerabilities. Regulation is designed to prevent past occurrences from recurring and as such is fundamentally retrospective. Technology on the other hand is changing in real-time, hour to hour, and to be properly secured must be accompanied by similarly evolving and forward-facing cyber architectures, procedures, and tools. The tacit implication that compliance is somehow tantamount to security does a lot of harm.
- Mergers and acquisitions: The healthcare industry is seeing a lot of consolidation right now in terms of mergers and acquisitions, which drives innovation but also serves to exacerbate issues related to security policies, as well as operational and network visibility.
- Software updating and security patching: Updating software and implementing security patches is critical to preventing many cyberattacks and yet device management within the industry is significantly lacking. In fact, 30% to 40% of devices are unpatched, creating an unnecessarily large attack surface.
- Proliferation of connected devices: More connected devices come into hospitals every year and the trend is only growing. More than 400 million connected medical devices are already operational worldwide, with another 125 million or so expected to come online in the next year. No wonder 77% of healthcare providers consider unsecured medical devices a "serious" concern.
The good news is that hospitals can combat these risks by establishing and implementing a comprehensive cybersecurity plan based on a holistic view of the medical technology ecosystem and leverages cutting edge solutions to nimbly manage threats and adapt to new challenges in real-time.
Five Steps to Comprehensive Cybersecurity in Hospitals
The challenges associated with cybersecurity in hospitals can seem overwhelming but developing a comprehensive cybersecurity plan doesn't have to be complicated. These five steps can help any hospital better defend its medical devices and clinical assets against known and unknown threats alike.
1. Identify your MedTech inventory
Understanding what devices are connected to a network, as well as which devices are being added and removed, is the first step toward developing an effective cybersecurity plan. Naturally, updating a sprawling and ever-changing medical technology inventory in real-time is near impossible without an automated solution.
Hospitals should seek a solution that delivers superior device classification, enabling users to view every endpoint and place them within their appropriate operational, network, and vendor technology context.
2. Simultaneously assess risks with a granular and panoptic view
Once a thorough, accurate, and up-to-date medical technology inventory has been captured, hospitals must assess the risks associated with every device; establishing both a device-level cyber risk profile, as well as an overview across the entire network and subnetwork (LAN, VLAN, Security Group, etc.) ecosystems.
Hospital cybersecurity solutions should provide automatic, actionable, and prioritized remediation recommendations based on contextualized insights and a comprehensive risk model that considers the overall impact of a broad range of potential attacks.
3. Detection and prevention
Hospital cybersecurity solutions also must recognize any anomalies in traffic or behavioral patterns that signal a potential threat. Moreover, the system should combine this analysis with any advisories from device vendors, government agencies, and other sources. Anytime suspicious activity is identified, a hospital cybersecurity system should automatically alert decision-makers to initiate the incident response plan and inform them of the relevant evidence needed to best combat the threat.
That being said, it's even better to be prepared for new threats. As such, a comprehensive cybersecurity solution will also help monitor the horizon for new risks and provide options for shoring up defenses before a cyberattack occurs.
4. Incorporate data analytics and contextualized insights
Cybersecurity planning requires a constant stream of information based on data insights that can be difficult for any human team to monitor alone. To that end, hospital cybersecurity systems should automatically detect any suspicious communication or misconfigurations of medical technologies.
Tracking typical device usage and providing utilization benchmarks can help to alleviate bottlenecks that affect device-generated revenues, plan downtime and maintenance to avoid operational disruption, more intelligently plan procurements, and flag suspicious usage scenarios.
5. Take an incremental approach to implementation
Attempting to tackle the full implementation of a cybersecurity program in one fell swoop is unrealistic and likely to lead to project fatigue. Instead, a “crawl, walk, run” approach is the best way to ensure a comprehensive cybersecurity plan is properly implemented. Begin with the establishment of a live inventory and continuous risk analysis.
Once these aspects are established, hospitals can move to identifying the most vulnerable or high-risk device groups and begin detecting threats facing those. From there, the organization is ready to prioritize patching and device configuration, as well as begin a micro-segmentation project.
As more insights are gleaned and the cybersecurity system is expanded, the organization can finally develop a comprehensive incident response plan grounded in data analytics and deep network visibility.
The scope of cybersecurity threats facing hospitals might make developing a plan seem like a daunting task, but combining automation and a strategic, incremental approach can help protect even the most sprawling MedTech ecosystems.
CyberMDX helps hospitals establish a multi-layered and responsive cybersecurity program that reacts to real-time circumstances, as well as providing forward-looking insights that keep organizations ready to respond to the moment-to-moment changes in the cybersecurity landscape.