As treasure troves of sensitive patient data and providers of many crucial services, healthcare entities face significant and continued cyber risks from threat actors seeking to land a payday or cause disruption. This article takes a look at some of the prevailing cybersecurity issues in healthcare along with proposed ways to deal with them at both the government and organization levels.
First, it’s worth looking at some recent statistics to give a snapshot of the current cyber threat landscape in healthcare. A 2022 IBM report found that healthcare is the 6th most attacked industry (up one place from 7th in the previous year). This increase in attacks is interesting when contrasted with the fact that total breaches along with individuals affected declined in the first half of 2022.
Data breaches might be on the decline, but it’s clear that healthcare continues to face significant cyber risks. Let’s now take a deeper dive into some of the current cybersecurity issues in healthcare.
The same IBM report referenced in the introduction to this section found that ransomware accounts for a far higher percentage of cyberattacks (38%) in healthcare than in most other industries. Ransomware is not going away as one of the dominant cybersecurity issues in healthcare because threat actors perceive healthcare providers as far more likely to pay up.
Double extortion tactics can prove particularly fruitful in healthcare. Before encrypting files, threat actors exfiltrate sensitive patient data and hold it to ransom, threatening to publish the data on the dark web or resell it if the provider doesn’t pay up.
Some gangs have even moved on to triple extortion where the threat of a DDoS attack adds more incentive to give in to ransom demands. Healthcare providers have a low tolerance for downtime in their critical IT systems because operations and even human safety can depend on these systems being online. The crux of the story is that ransomware attacks on healthcare providers aren’t going away any time soon.
Account compromise is a growing problem that increases in line with the number of different applications, services and IT resources that healthcare employees require access to. The human element in cyberattacks plays a prominent role, with a compromised account providing access to any and all of the resources its owner is entitled to. These compromises come from brute-force attacks, phishing scams that dupe people into disclosing passwords, and the use of stolen credentials purchased or downloaded from dark web data leak sites.
In the perennial battle between security and user experience, the latter often wins the day in healthcare, where workflow disruptions for healthcare professionals can cause delays in patient treatment. What then happens is that employees get granted blanket access to resources without any contextual risk-based restrictions. Potential account compromises in an IT environment of lax access controls are data breaches waiting to happen.
A worrying recent cybersecurity issue in healthcare is a shift in the focus of cybercriminals toward smaller healthcare companies and specialty clinics. These smaller entities could include small physiotherapy clinics, ophthalmologists or even business associates that handle healthcare data (such as software vendors).
There are several possible reasons for targeting smaller healthcare providers; the most obvious being a perception of weak cyber defenses versus larger providers that are likely to invest more heavily in their cybersecurity programs.
Another factor potentially at play is that hitting a small local company with only a few patients is not going to garner as much media or law enforcement spotlight as more high-profile breaches. Eye Care Leaders, a software provider for eyecare practices, suffered a data breach that impacted over two million people, and this incident attracted a lot of media attention. Expect this trend to continue going forward as smaller healthcare companies with less cybersecurity expertise get targeted.
Medical device security continues to pose headaches for technology executives at healthcare companies. One concern is that many companies rely on legacy medical devices that never had any security built into them in the first place. These legacy devices could be exploited during a cyberattack, with implications for patient health.
Another concern is the proliferation of medical Internet of Things (IoT) devices within healthcare IT environments. These devices can transmit useful information about the state of important systems such as MRI scanners. Other IoT devices, such as IoT pumps used at patients’ bedsides to precisely deliver drugs and fluids, could endanger patients if they contain security flaws. A shocking finding exemplifying this threat is that 53% of connected medical devices have critical security vulnerabilities.
So, what’s being done to address healthcare’s dominant modern cybersecurity challenges? Here are four proposed solutions that cover both government input and strategies that healthcare providers can enact autonomously.
With healthcare being designated as one of the United States’ 16 Critical Infrastructure Sectors by CISA, its protection from cyber threats is clearly a national priority. An interesting development is a new proposed bill, the Healthcare Cybersecurity Act of 2022. This bill directs a collaborative effort between CISA and the U.S. Department of Health and Human Services to reduce cybersecurity attacks and data breaches in healthcare and public health.
Along with its mandate for collaboration between CISA and the HHS, the bill also requires CISA to conduct a comprehensive study outlining key cybersecurity risks facing the healthcare sector. In coordination with private sector experts, CISA also must provide training to asset owners and operators on cybersecurity risks and ways to mitigate them.
Another important directive in the bill is for CISA to assess healthcare cybersecurity workforce shortages and offer recommendations for addressing these shortages. Overall, this act is a significant move toward enhancing cybersecurity across healthcare from the top down.
Another important development during 2022 was the release of FDA medical device cybersecurity guidelines. The documentation provides manufacturers with principles on which to base the design of cyber-secure medical devices for today’s interconnected healthcare environments containing more devices than ever. Even for devices that don’t require pre-market submission to the FDA, healthcare providers should refer to these guidelines when procuring medical devices for use within their environments.
The full guidance is quite substantial, but the main principles outlined for robust medical device security are:
The publication of this guidance is a vital development in minimizing the risks to healthcare environments in light of the proliferation of diverse medical devices and the frequent electronic exchange of medical device-related health information.
To cope better with considerable account compromise risks, healthcare organizations (particularly large providers) should consider migrating to a zero trust architecture. This architecture removes any implicit trust given to users on the network and assumes a threat actor is always lurking.
With zero trust, access to resources is dynamically and continually authenticated based on the identity and context of each request. A policy engine typically makes access request decisions on a per-session basis by calculating a trust score (via an algorithm). Implementing zero trust in healthcare environments reduces the threat of account compromise and associated breaches of sensitive patient records, medical devices, and applications.
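To make the per-session policy engine described above concrete, here is an added illustration (not code from any vendor or from the original article) of a policy decision that combines an identity check with a context-derived trust score. The roles, resources, signals, weights and thresholds are all hypothetical choices made for the example.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    role: str              # e.g. "nurse", "physician", "billing" (hypothetical roles)
    mfa_passed: bool       # multi-factor authentication completed for this session
    device_managed: bool   # device enrolled and compliant with organisation policy
    on_site: bool          # request originates from the hospital network
    resource: str          # e.g. "patient_record", "infusion_pump_admin"
    failed_logins_24h: int # recent failed sign-ins seen for this identity

# Which roles are entitled to which resources (hypothetical policy table).
ALLOWED_ROLES = {
    "patient_record": {"nurse", "physician"},
    "infusion_pump_admin": {"biomed_engineer"},
}

def trust_score(req: AccessRequest) -> int:
    """Context signals raise the score; risk signals lower it (weights are illustrative)."""
    score = 0
    if req.mfa_passed:
        score += 40
    if req.device_managed:
        score += 30
    if req.on_site:
        score += 20
    # Repeated failed logins suggest credential guessing or stolen credentials in use.
    score -= min(req.failed_logins_24h, 5) * 10
    return score

def decide(req: AccessRequest) -> str:
    """Evaluate one request and return "allow", "step_up" or "deny"."""
    # Identity check first: a role that is never entitled to the resource is denied
    # regardless of how trustworthy the session context looks.
    if req.role not in ALLOWED_ROLES.get(req.resource, set()):
        return "deny"
    score = trust_score(req)
    # Medical-device administration is more sensitive than record access, so the bar is higher.
    threshold = 80 if req.resource == "infusion_pump_admin" else 60
    if score >= threshold:
        return "allow"
    # Close to the bar and MFA not yet done: ask for MFA instead of granting blanket access.
    if score >= threshold - 30 and not req.mfa_passed:
        return "step_up"
    return "deny"
```

Because the decision is recomputed for each request, a nurse on a managed on-site device passes, the same nurse without MFA is prompted to step up, and a session using stolen credentials from an unmanaged off-site device with recent failed logins is denied even though the username and password were correct.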
Since threat actors have turned more of their attention to smaller and midsize healthcare providers, outsourcing security operations is a path worth exploring. The ability to cope with growing cyber threats is hampered by resource constraints that larger providers don’t suffer from as much. Other pressing business priorities can further limit the attention that cybersecurity gets in smaller organizations.
Outsourcing security operations can provide the necessary detection and response capabilities required for deterring and mitigating cyber threats. Managed providers use teams of experts to run their own security operations centers, fine-tune SIEM systems and monitor IT environments (endpoints, firewalls, etc.) at scale. Augmenting in-house security with outside resources that would otherwise be too costly or unavailable provides the best chance of giving smaller organizations the proactive initiative in dealing with cyber threats to their systems.