George Gray, Chief Technology Officer, VP of Research and Development, Ivenix, Inc.
In today’s “data is king” world, cybersecurity threats are one of the challenges that keep hospital chief information officers (CIOs) and chief information security officers (CISOs) up at night as both ransomware and data breaches become increasingly prevalent in the healthcare industry.
These surges in ransomware are on the rise and expected to continue. IBM predicted a surge in ransomware injected via connected devices this year, specifically targeting healthcare organizations. Last year, 491 of the 621 successful ransomware attacks were perpetuated against healthcare companies in the U.S.
Data breaches are another top threat and also on the rise. Here in our own backyard, Lawrence General Hospital recently reported a small data breach that forced the hospital offline for 36 hours and led to new software installations and better protections being put in place for its computer systems. Hospitals are uniquely vulnerable to data breaches because of the nature of data they house — Social Security numbers, billing information, specific health concerns — is personal patient information. And with attackers targeting this rich data source in the electronic medical record (EMR), patients are increasingly vulnerable to identity theft.
The first step in defending from these types of attacks is to identify the vulnerabilities that exist within the health system. A hospital network system is only as secure as its weakest link, which for many hospitals today utilize computer systems with outdated operating systems and many unsecure legacy medical devices.
Old and outdated operating systems like Windows 7, for example, can be a simple place to launch an attack (newer operating systems have been designed to better protect against such attacks). Attackers can also penetrate unsecure legacy medical devices, most of which were designed with little to no protections against cyber-attacks. However, once these devices are penetrated by cyber criminals, subsequent attacks can be launched against other networked devices and computers across the entire health system.
These soft attack entry points, coupled with an increased interest in healthcare systems by attackers, means hospitals must be vigilant about identifying vulnerabilities for all network connected devices, monitoring for suspicious network activity and responding to potential attacks. This starts by making sound purchasing decisions and replacing unsecure medical devices not designed to be cybersecure.
Vendors play an important role in hospitals’ security by designing cybersecurity into their products and cybersecurity response into their processes. This begins by assessing possible threats, building in protections against those threats, creating mechanisms to detect when an intrusion has occurred and providing hospitals with tools that help them respond and resolve cyber-attacks. In addition, we must be vigilant in our own monitoring of such threats and be prepared to respond quickly with software security patches and other mitigations when one is identified.
Since we all know the adage “to err is human” – the human element is a vulnerability that must be considered as well. Even under ideal working conditions, attackers often trick unsuspecting users into exposing secure information through phishing attacks and by performing actions that launch a Trojan into the hospital. And though this is a risk in most businesses, healthcare workers can be more vulnerable given the fast-paced, high-stakes environment they work within as well as their regular interactions with complex systems and medical equipment.
Because the stakes are so high, a good security plan must also consider risks created by disgruntled employees who may attempt to provide access to healthcare systems, medical devices and patient information. Today, most hospitals have the ability to limit user’s access and permissions on their computer systems as well as the ability to disable the account of a terminated employee. However, the same is typically not true for most medical equipment that sits on the hospital’s network, making the entire network vulnerable to these kinds of attacks.
Like more advanced computer systems on the hospital network, a user’s access to medical equipment and necessary permissions to use that equipment, must always be restricted to the minimum required to do their job. Providing greater access or more capabilities opens up the organization to increased risk. Like computer systems in the hospital, this has to be considered when designing a cybersecure medical device.
Whether the vulnerability is from human interactions or deficiencies in the underlying technology, having a team who is skilled in cybersecurity and vigilant in defending against attacks is key to securing today’s healthcare system. That said, healthcare has typically under-invested in these areas compared to other industries — a trend that must change as the number of attacks continue to rise. Hiring or developing security experts is step one. But ongoing education is equally important to ensure these experts remain versed in the ever-changing landscape of cybersecurity.
Vendors, including medical device manufacturers, must join forces with these hospital systems, providing more secure solutions, regular security updates and collaborative services that provide the monitoring of and quick response to new cybersecurity vulnerabilities.
Cybersecurity threats need to be top-of-mind in 2021. It’s critical that hospital systems invest in secure medical devices and network security, and it’s up to vendors to help them by developing next-generation devices that help thwart attacks rather than expose vulnerabilities.