Healthcare remains firmly in hacker crosshairs. A recent survey finds that four out of five healthcare operators experienced at least one cybersecurity incident in the past year. Adding to the concern, 60 percent of those incidents had a “moderate or substantial” impact on patient care, and an additional 15 percent had a “severe” impact.
The repercussions of a health hack extend far beyond financial losses. This makes it all the more important to secure health networks and devices to keep out bad actors. Going forward, the sector must be more strategic in setting cyber defenses and protecting its most valuable asset: patients.
The dual dangers of health hacks
When it comes to cybersecurity, healthcare organizations are mainly worried about insider threats, ransomware, and supply chain attacks. In each of these threat vectors, cyber-physical devices connected to the internet remain the prime security weakness. About half (47 percent) of respondents cite at least one incident that affected cyber-physical systems such as medical devices and building management systems, and 30 percent say that sensitive data like protected health information (PHI) was affected.
For providers and operators, the impact of such hacks is twofold. The first is financial. Last year, for example, cybersecurity breaches cost healthcare organizations an average of $10 million each. Moreover, hospitals are more susceptible to big ransom payouts. Paying a ransom is typically discouraged by government authorities and cybersecurity industry experts, but hospitals often see it as the fastest way to resolution. Of course, downtime can be a matter of life and death for patients in critical condition.
This brings us to the second impact: healthcare delivery. This was evident in a ransomware attack last year that forced CommonSpirit Health – the second-largest nonprofit hospital chain in the United States – to divert ambulances, shut down systems, and reschedule patient appointments. The hack affected more than 100 facilities across 13 states. In Washington, St. Michael Medical Center was even forced to delay critical procedures including a CT scan to check on a brain bleed. Healthcare workers at the time reported a “serious impact” on charting, lab results reporting, history gathering, and more.
Therefore, stopping hackers isn’t just about protecting healthcare networks and bottom lines; it’s vital to protecting patients.
Bigger budgets, known threats
The good news is that healthcare is responding to this serious threat in kind. More than two-thirds of health stakeholders are “very” or “somewhat concerned” about attacks on their organizations. As a result, they’re fighting back by identifying problem areas and increasing cybersecurity budgets.
As mentioned, the sector knows what it’s up against. Insider threats such as phishing attacks or mishandled credentials, for example, are all too common. Likewise, ransomware is an ongoing problem, with successful attacks forcing providers to rely on paper records or sometimes close locations entirely. Lastly, supply chain attacks occur far too often against connected medical devices. In this type of attack, hackers attempt to damage an organization by targeting less secure portions of its supply chain, usually an out-of-date or unprotected medical device. For this reason, 78 percent of respondents say that patching vulnerabilities in medical devices is the biggest gap in their defenses.
Additionally, the sector now sees that cybersecurity requires more resources. In the five years between 2022 and 2027, the market for healthcare cybersecurity is predicted to double to $37 billion. With this money, the sector will need to better patch vulnerabilities in medical devices as well as improve asset inventory management and network segmentation.
Recommendations to protect devices and networks
First, the sector must gain better visibility into its assets. Unified endpoint management platforms, for example, oversee hardware and software through a single interface. Integrating an endpoint security solution, such as extended detection and response, further enhances protection by automating the detection of emerging threats and initiating appropriate responses. As a result, it’s possible to patch and secure a network of devices at once.
Second, assign devices to a separate network. Unfortunately, some healthcare operators remain at or below basic levels of network segmentation. This creates exposure to risk, especially when it comes to unpatched devices or hackable default settings. Placing devices on their own network means that an attacker who compromises one of them cannot move laterally into the larger ecosystem.
Additionally, strengthen this posture by adhering to zero trust principles. This means configuring the network to continually validate credentials and to give devices only the least privilege they need. Done right, zero trust provides a comprehensive architecture that incorporates access based on individual identity, detailed network segmentation, ongoing surveillance, and security measures that focus on data protection.
In the ongoing battle against healthcare hacks, patient safety remains paramount. Recent incidents underscore the dire financial and health consequences of lapses in cybersecurity. While the industry is responding with increased budgets and awareness, a proactive approach is crucial to safeguarding both patients and healthcare systems. The sector must therefore remain vigilant to protect its devices, networks, and ultimately, patients.
About Apu Pavithran
Apu Pavithran is the founder and CEO of Hexnode. Recognized in the IT management community as a consultant, speaker, and thought leader, Apu is a strong advocate for IT governance and information security management. His company, Hexnode, is a one-stop solution to secure and manage connected devices.