It's already a well-known fact: cybersecurity constitutes a major challenge for connected healthcare operations, regardless of their unique organizational structures and processes. When each cyberattack costs healthcare organizations an average of $1.4 million to recover, it is critical that any and all gaps in network defenses are quickly identified and filled.
The potential costs — which are related to lost productivity, reputation damage, and service and patient care disruption — have spurred boardrooms in hospitals across the nation to bring cybersecurity to the top of the agenda. However, good cybersecurity cannot be achieved through top-down planning alone.
Effective cybersecurity requires the involvement of every department within a hospital, from doctors and nurses, to lab staff, to biomedical engineers, IT personnel, compliance professionals, C-level, and administrators of all kinds. Maintaining a cooperative interdepartmental approach guided by good training, smart tooling, and standardized best practices can help healthcare organizations begin to fill these gaps.
Of course, when the rubber meets the road and you begin working on the particulars of your cybersecurity program, good intentions and a sound approach alone won't get the job done. Every decision can go one of multiple ways, each setting your healthcare organization down a different route. Many of those possible routes may have potholes, or worse, pitfalls. It's important to keep an eye out for impediments to successful cybersecurity projects.
In this blog post, I'll be calling your attention to some of the most common problems hospitals face and mistakes made in pursuit of comprehensive clinical cybersecurity. But first, let me offer some background.
Hospitals Are Mindful of Security Gaps Yet Continue to Struggle
Increased awareness among hospital leadership of the growing cyber threats facing their networks has done little to improve cybersecurity within the industry. According to a study conducted by the healthcare cybersecurity consulting firm CynergisTek, 54% of healthcare organizations lack the resources needed — whether technology, people, or funds — to adequately address cybersecurity challenges.
Compounding that problem is a lack of communication between hospital leadership; 40% of hospital executives report being unsure whether or not board members are increasing their focus on cybersecurity, per the same study.
The breakdown in communication could come from a variety of sources. Cybersecurity is a rapidly evolving space, making it difficult for hospital leadership to adapt at the needed pace. Sometimes, the challenges are related to trying to teach an old industry new tricks. More confusion abounds when considering vendor and end-user responsibility. At what point does a vendor's job of securing a device end and a user's begin? Without clear expectations, key responsibilities can fall through the cracks.
Half of hospital executives identified connected devices associated with the Internet of Things (IoT) as the top vulnerability in their networks today. Older connected devices, for example, are often perfectly functional when it comes to their clinical purpose, but their software is so out-of-date that they can be easily exploited.
Without an end-of-life process in place for these devices, they might go on operating connected to the network, creating a massive opportunity for malicious actors. Additionally, many hospitals might not even have a clear picture of every device connected to their network. Without a real-time inventory of connected devices, many vulnerabilities could remain undetected for indeterminate periods.
Of course, hospitals can hardly be blamed for struggling to keep up. Monitoring and managing sprawling deployments of connected devices, and the treasure trove of data they collect, is a nigh impossible task without the proper resources. This is especially true for labor-intensive manual processes, such as the configuration and maintenance of virtual local area networks (VLANs).
Yet, despite the challenges, hospitals have no choice but to improve their cybersecurity defenses. Attackers are only becoming more sophisticated, and as hospitals regularly add more connected devices to their network, preparation and readiness become ever more important.
Avoiding Common Pitfalls In Hospital Cybersecurity Planning
Addressing cybersecurity challenges can be hard enough, but common pitfalls make changing the status quo even more difficult. These are four of the most common problems hospitals face when working to improve cybersecurity:
- Taking a passive approach to securing vendor-supplied devices
Every device acquired and connected to the hospital's network must be scrutinized and configured in accordance with a cybersecurity strategy. It would be a very big mistake to presume pre-market guidance sufficient to ensure that your clinical technologies were procured in a satisfactory state of design and configuration security. Likewise, it is naive to wait for government and regulatory agencies to take action that forces manufacturers and hospitals to adopt better security standards.
Instead, hospitals should have a security-centric on-boarding process for every single device that is added to the network. In addition to proper device configuration, all connected medical devices should be added to a real-time inventory database that can be used to monitor the entire network.
- Relying on an incomplete frame of reference in decision-making
Cybersecurity in hospitals requires a comprehensive view of organizational operations. When board members or executives make all the decisions related to cybersecurity, they may fall victim to groupthink or they may lack the on-the-ground perspective needed to devise practical and effective solutions; they simply don’t know what they don't know about day-to-day operations.
Developing a more complete frame of reference for decision-making involves regular and effective communication between all stakeholders in the organization, as well as consulting with parties outside of the organization who have relevant expertise or experience in such cybersecurity projects.
Only a complete understanding of the devices on the network, the way in which they are used, who has access to them, and what all that means can lead to informed decision-making that aligns with and supports an accurate concept of how the hospital works.
- Failing to prioritize specific individual steps in a broad program
The cyber threats facing hospitals are so severe that they can be overwhelming to think about and daunting to tackle. The feeling of being surrounded by problems can lead to paralysis, making it difficult to pick one issue to begin working on while a host of others still hound you.
On the flip side, when stakeholders do manage to act, they too often try to fix all their problems at once. Unfortunately, both of these reactions — paralysis and frenzied loss of focus — are recipes for failure. Hospitals must prioritize specific projects and then take steps toward incremental improvement.
Every hospital is different, so this approach should be dynamic and adaptable. However, it is wise to begin by securing any devices or equipment directly related to patient safety. This means protecting equipment such as infusion pumps, for example, from the potential of hijack by malicious actors.
The next priority should be identifying and securing the risk factors most likely to be exploited and most likely to result in significant collateral damage across your network. This would include any devices that are unpatched and subject to known vulnerabilities and located within large or permissive VLANs/security groups. In such cases, you can refer to the CVSS scores and factor in your own environmental and temporal metrics for more tailored prioritization guidance.
You'll then want to ensure that all connected devices subject to regulatory requirements are compliant with the relevant standards. This means protecting any devices that collect and transmit data, as well as the databases they feed into. Compliance experts and IT staff will be essential in navigating this step.
It's also important to keep "solvability" in mind as you endeavor to tackle specific issues. Each step of a smartly prioritized plan needs some flexibility: the order can shift depending on how the previous step went and what the next one requires.
If, for example, you're having difficulty completely locking down an unlikely-to-be-exploited security component of an otherwise high-risk device — and at the same time you have a fleet of other devices with an easy-to-fix compliance issue — it would normally make sense to quickly knock out the compliance issue before returning to the more difficult problem. In this way, keeping the principle of solvability at the top of your mind will ensure you continue to make progress even when you inevitably hit an obstacle.
Once these issues — issues of patient safety, followed by issues of high event probability and high network impact, followed by compliance issues — have been attended to (to the extent feasible), you can begin looking at interventions aimed more generally at prevention, process improvement, and general business interests.
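The prioritization order laid out in this section (patient safety first, then high event probability combined with high network impact, then compliance, with "solvability" pulling quick fixes forward) can be made concrete as a small ranking script run over a device inventory. The following is an added example and is not code from the original post or from any vendor: the Device fields, the LARGE_VLAN threshold, the "exposure bonus" that stands in for tailoring a CVSS base score with environmental metrics, and the sample inventory are all constructed assumptions.

```python
"""Remediation prioritisation over a constructed hospital device inventory.

Added example, not code from the original post. It encodes the ordering the
post describes: patient-safety devices first, then devices with a high
probability of exploitation and high network impact (unpatched, known
vulnerability, large or permissive VLAN/security group), then compliance
gaps, then everything else. The exposure bonus is a constructed stand-in
for adjusting a CVSS base score with environmental metrics; it is not the
official CVSS environmental metric group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    patient_safety: bool    # failure or hijack directly endangers a patient
    unpatched: bool         # known fixes not applied
    cvss_base: float        # highest CVSS base score among known vulns (0.0 = none)
    vlan_hosts: int         # hosts sharing the VLAN / security group
    vlan_permissive: bool   # segment allows broad lateral traffic
    compliance_gap: bool    # handles regulated data and is non-compliant
    effort_hours: float     # estimated remediation effort (constructed)


LARGE_VLAN = 25  # constructed threshold for a "large" segment


def exposure_bonus(dev: Device) -> float:
    """Constructed adjustment standing in for environmental metrics:
    permissive or large segments raise the collateral-damage potential."""
    bonus = 0.0
    if dev.vlan_permissive:
        bonus += 1.0
    if dev.vlan_hosts >= LARGE_VLAN:
        bonus += 0.5
    return bonus


def adjusted_score(dev: Device) -> float:
    """CVSS base score adjusted for network exposure, capped at 10.0."""
    if dev.cvss_base <= 0.0:
        return 0.0
    return min(10.0, dev.cvss_base + exposure_bonus(dev))


def tier(dev: Device) -> int:
    """0 = patient safety, 1 = likely exploit + high network impact,
    2 = compliance gap, 3 = general prevention / process work."""
    if dev.patient_safety:
        return 0
    exposed = dev.vlan_permissive or dev.vlan_hosts >= LARGE_VLAN
    if dev.unpatched and dev.cvss_base > 0.0 and exposed:
        return 1
    if dev.compliance_gap:
        return 2
    return 3


def prioritise(devices):
    """Strict tier order; within a tier, highest adjusted score first,
    then least effort first."""
    return sorted(devices, key=lambda d: (tier(d), -adjusted_score(d), d.effort_hours))


def quick_wins(devices, max_hours=4.0):
    """Solvability: tier 1 and 2 items that can be closed quickly,
    ordered by tier and then by effort."""
    wins = [d for d in devices if tier(d) in (1, 2) and d.effort_hours <= max_hours]
    return sorted(wins, key=lambda d: (tier(d), d.effort_hours))


def work_order(devices, max_hours=4.0):
    """Patient-safety items first, then quick wins pulled ahead of the
    long-running items, then the remainder in strict priority order."""
    ranked = prioritise(devices)
    safety = [d for d in ranked if tier(d) == 0]
    wins = quick_wins(devices, max_hours)
    seen = {d.name for d in safety} | {d.name for d in wins}
    rest = [d for d in ranked if d.name not in seen]
    return safety + wins + rest


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Device("infusion-pump-07", True, True, 8.8, 120, True, False, 6.0),
    Device("imaging-ws-03", False, True, 9.8, 200, True, False, 12.0),
    Device("badge-reader-11", False, True, 6.5, 40, False, False, 1.0),
    Device("lab-analyzer-02", False, True, 7.5, 10, False, True, 2.0),
    Device("ehr-db-01", False, False, 0.0, 8, False, True, 3.0),
    Device("nurse-ws-22", False, False, 0.0, 300, True, False, 3.0),
]

if __name__ == "__main__":
    for d in work_order(INVENTORY):
        print(f"tier {tier(d)}  score {adjusted_score(d):4.1f}  "
              f"{d.effort_hours:4.1f}h  {d.name}")
```

Run as written, the script puts the infusion pump first regardless of score, then the three sub-four-hour fixes (one exposed unpatched device, two compliance gaps) ahead of the twelve-hour imaging workstation, and leaves the fully patched nurse workstation in the general tier. The strict ranking from `prioritise` and the solvability-adjusted `work_order` are kept separate on purpose so a team can see what it is trading off when it pulls a quick win forward.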
- Pursuing an unrealistic standard of 100% security
Finally, it's important not to let the perfect become the enemy of the good. Many hospital leaders hear the statistics about cyberthreats and want 100% security. While it's understandable that you want to perfect your defenses, it is also patently unrealistic.
This ties back into the principle of “solvability” mentioned above. With cybersecurity, as with most other things, there are diminishing marginal returns that need to be considered. Expressed simplistically, it’s better to bring your entire network up to 80% security than to obsess over achieving 100% security at your first point of intervention.
Typically, 100% security is not possible, but more importantly, if you’re spending weeks adding a relatively small degree of security to endpoints or VLANs that are already largely secure when you could be adding much more security to less protected areas of your network, you’re making a mistake.
Managing Cybersecurity Improvements
While each and every hospital has a unique organizational makeup, they still face many of the same problems. That’s definitely the case when it comes to closing their cybersecurity gaps, and building out a more proactive cybersecurity program.
There is no silver bullet that will improve network security overnight, just a series of right moves that, taken together, will lead to wholesale improvements. It's important to keep an eye on the four common pitfalls listed above and take the appropriate steps to avoid them.
Leverage the knowledge of your hospital staff, incorporate smart technological solutions, and take a methodical, persistent approach to plugging the gaps in your defenses. In a short time, that approach is the one that will pay off.