Fouad Khalil, VP of compliance at SecurityScorecard, discusses the top costs of poor cyber risk management in healthcare, as well as the proactive steps hospitals can take in order to protect their assets and their patients.
Hospitals and other healthcare settings have long been in the crosshairs of cyber criminals because of the large amount of protected health information they maintain – a source of easy cash on the black market. Healthcare providers are also more vulnerable to disruptive cyberattacks such as ransomware, and callous criminals will bank on their victims’ desperation to pay the ransom and restore vital, often life-saving systems.
With healthcare providers around the world coming close to cracking under the pressure during challenging times, it has become even more apparent just how vulnerable healthcare infrastructure is to the risk of disruptive cyberattacks.
Unfortunately, the current crisis has done little to dissuade cyber attackers. For example, a ransomware attack recently disabled a medical research centre that was on standby to assist with working on solutions.
Exacerbating this, the network environment in a healthcare setting is complex, hosting a plethora of connected equipment from a wide variety of sources. This means that medical devices have long been the weak link when it comes to maintaining security and privacy in a healthcare setting. With the pressure mounting, the healthcare sector must ensure it is able to keep its systems safe and operational.
The impact of a medical data breach
The most common impact of a medical data breach is the theft of sensitive patient data. In the U.S., 70% of healthcare organisations have reported their security being breached, outstripping any other sector, and most of these cases involve data theft. Medical records serve as a popular form of currency on the dark web, and personal information can be used to facilitate fraud and further attacks.
While the risk of patients – many of whom may be seriously ill – being exposed to cybercrime and fraud is bad enough, healthcare cyberattacks can also directly threaten human life. Malware attacks such as ransomware can heavily disrupt or disable both specific devices and the entire network infrastructure. This means that critical medical devices such as insulin pumps, MRI machines and pacemakers are all at risk of interference.
This threat is even more stark in the current health crisis, with disruption to essential equipment such as databases and ventilators interfering with testing and treating COVID-19 cases.
Getting control of healthcare infrastructure
As the saying goes, “you don’t know what you don’t know.” One of the biggest issues with securing medical technology is the tendency to lose track of connected devices. As equipment is updated with newer models or replaced due to faults, old and unused devices may be placed into storage and forgotten about – but without being disconnected from the network.
Each of these connected devices represents a potential attack vector – and indeed poses a greater potential threat than equipment that is still in use, since software updates and security patches will no longer be applied to it.
With this in mind, the first step to implementing effective medical device security is to conduct a thorough audit of all existing equipment. This needs to cover every device that is capable of any level of network connectivity. Initially, this should focus on the most essential equipment, including items such as ventilators, which have taken on renewed importance in recent months. Eventually, however, every single device should be covered.
This inventory should ensure that all devices are fully compliant with security and privacy requirements. Any equipment that has reached its end-of-life should be properly disconnected from the network.
Achieving continuous compliance
As with all things relating to security and privacy, this audit is not a one-and-done activity. Once every device has been thoroughly catalogued and secured, the next step is to implement a procedure of continuous compliance.
There should be processes in place to ensure that any time a replacement device is added to the network, the obsolete item is removed before going into storage. Meanwhile, all active devices should be checked for their functionality and security on a regular basis. After all, you wouldn’t check that the back door to your house was secure once a month – you do it every single time you leave the house or go to bed.
While this sounds like a very labour-intensive process, in reality it’s very straightforward once a system has been put in place. For the most part, medical devices have basic and predictable functionality which will not change from one day to the next. Once the criteria for a fully functional and secured device have been established, it will become a simple routine to check them regularly.
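As an added example (not from the article or from SecurityScorecard), here is a small Python reconciliation of a device register against what a network scan reports, covering both the initial audit described in the previous section and the recurring compliance check above; the register entries, MAC addresses and the 30-day check interval are constructed assumptions.

```python
from datetime import date

CHECK_INTERVAL_DAYS = 30  # assumption: maximum age of an active device's last security check

# Constructed asset register (hypothetical ids and MACs): what the hospital believes
# it owns, each device's lifecycle status and the date of its last security check.
REGISTER = [
    {"id": "VENT-001", "status": "active",      "mac": "02:00:00:00:00:01", "last_check": "2020-06-20"},
    {"id": "PUMP-017", "status": "active",      "mac": "02:00:00:00:00:02", "last_check": "2020-03-01"},
    {"id": "MRI-003",  "status": "stored",      "mac": "02:00:00:00:00:03", "last_check": "2019-11-15"},
    {"id": "MON-044",  "status": "end_of_life", "mac": "02:00:00:00:00:04", "last_check": "2018-05-02"},
    {"id": "XR-008",   "status": "active",      "mac": "02:00:00:00:00:05", "last_check": "2020-06-25"},
]

# Constructed observation: MAC addresses a network scan or switch MAC table reported today.
OBSERVED = {
    "02:00:00:00:00:01",  # VENT-001: active and expected
    "02:00:00:00:00:02",  # PUMP-017: active but overdue for a check
    "02:00:00:00:00:03",  # MRI-003: supposedly in storage, yet still on the network
    "02:00:00:00:00:04",  # MON-044: end of life, should have been disconnected
    "02:00:00:00:00:99",  # unknown host, not in the register at all
}

def reconcile(register, observed, today_iso, interval_days=CHECK_INTERVAL_DAYS):
    # Returns (severity, device_id_or_mac, finding) tuples; today_iso is an ISO date string.
    today = date.fromisoformat(today_iso)
    by_mac = {d["mac"]: d for d in register}
    findings = []
    # Pass 1: anything on the wire that should not be there.
    for mac in sorted(observed):
        dev = by_mac.get(mac)
        if dev is None:
            findings.append(("high", mac, "on network but not in asset register"))
        elif dev["status"] == "stored":
            findings.append(("high", dev["id"], "device in storage still connected"))
        elif dev["status"] == "end_of_life":
            findings.append(("high", dev["id"], "end-of-life device still connected"))
    # Pass 2: active devices that are overdue for a check or have silently vanished.
    for dev in register:
        if dev["status"] != "active":
            continue
        age = (today - date.fromisoformat(dev["last_check"])).days
        if age > interval_days:
            findings.append(("medium", dev["id"], f"security check overdue by {age - interval_days} days"))
        if dev["mac"] not in observed:
            findings.append(("low", dev["id"], "active device not seen on network (offline or mis-inventoried)"))
    return findings

if __name__ == "__main__":
    for severity, target, finding in reconcile(REGISTER, OBSERVED, "2020-07-01"):
        print(f"[{severity:6}] {target:18} {finding}")
```

Running this on a schedule (or on every switch-table change) turns the "every time you leave the house" habit into a routine report rather than an annual project.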
Looking beyond the walls
One security issue that is overlooked by organisations in all sectors is that cyber threats frequently originate from outside the network. Most businesses operate as part of a vast web of suppliers, partners and other third parties, with healthcare no exception. Every piece of medical technology used by a practitioner will have come from a third party and may represent a security risk if the supplier is not properly secured. If a supplier is breached for example, attackers may gain access to the healthcare network through connected medical devices, and in some cases, manufacturers will even have left backdoors in the software that can be exploited.
This all means that, alongside ensuring that all connected medical technology is up to scratch for security and privacy requirements, organisations should also look at their network of suppliers and acquire intelligence on their security standing as well.
As the pressure mounts on the healthcare system, providers must take all possible steps to ensure that their devices will be secured and operational when they are needed most. By starting with a thorough internal inventory and working back to their supply chain, organisations can be assured that their frontline staff will have access to safe and secure equipment.