Hospital cybersecurity is a pressing problem with unique challenges and incalculable stakes. The healthcare industry’s accelerating adoption of sophisticated networks, connected devices, and digital records has revolutionized clinical operations and patient care but has also left modern hospitals acutely vulnerable to cyberattacks. Recent high-profile hacks have brought these mounting threats sharply into focus. However, despite increasing efforts and awareness, a number of technological, cultural and regulatory issues complicate healthcare cybersecurity.
Security solutions built for the typical business enterprise fall short when they’re applied to the complex world of hospital IT, leaving an urgent, unfilled need for industry-specific innovation. The next frontier of cybersecurity will be in advancing traditional enterprise security to solve the systemic, pressing challenges facing hospitals today – especially as it relates to the emerging Internet of Things (IoT).
US healthcare spending is projected to reach 20 percent of GDP (a staggering $5.5 trillion) by 2025. And, according to Deloitte, the global healthcare IoT market is expected to grow at a 12.5 percent CAGR to $136 billion by 2021. However, this growing market faces a growing threat. According to a report in the Journal of the American Medical Association, healthcare breaches have spiked significantly since 2010. Healthcare delivery organizations (HDOs) were the fastest-growing targeted group, accounting for over 70 percent of the 2,149 breaches tracked. Another study found that HDOs were the victims of 88 percent of all ransomware attacks across US industries last year and that 89 percent of the organizations studied had suffered a breach.
The fact that healthcare organizations are so vulnerable to breaches already makes them very tempting targets. And on top of that, the value of the data they possess attracts attackers even more. There is high demand on the black market for patient medical records, which can fetch prices 20-50 times higher than personal financial information. Hackers can also use ransomware to hold vital healthcare systems and records hostage. This became frighteningly clear during last year’s WannaCry attacks, which disrupted a third of the UK’s National Health Service organizations and infected large numbers of unsecured connected medical devices around the world.
Compounding the issue is the fact that hackers only need to compromise the weakest-link device in order to pivot into a full network breach.
Both device manufacturers and HDOs seem to be aware of the issue. But research shows this knowledge is not yet inspiring the degree of action one would hope. According to a 2017 study by the Ponemon Institute, 67 percent of device manufacturers and 56 percent of HDOs believe an attack on one or more of their medical devices is likely. However, just 17 percent of manufacturers and 15 percent of HDOs are taking significant steps to prevent such attacks. These facts are cause for alarm. In June 2017, a congressional task force “Report on Improving Cybersecurity in the Healthcare Industry” gave the following diagnosis: “Healthcare cybersecurity is in critical condition.”
Understanding the Root of the Problem to Make Hospitals More Secure
It’s clear that cybersecurity within the healthcare industry is in need of serious attention. And understanding the root of the industry’s ailments is a critical first step to developing a cure.
Healthcare’s lagging cybersecurity is in part a result of its rapid but uneven adoption of new technologies. Even as recently as 2009, wireless pacemakers were still novelties that made headlines, and adoption of electronic health records (EHRs) stood below 10 percent. Less than a decade later, 96 percent of hospitals have adopted EHRs and an estimated 3.7 million networked medical devices store and manage records, monitor patient health, administer medication and provide critical care. While these innovations have been a boon for patients and providers, security, in most cases, has been an afterthought. This rapid tech adoption has opened glaring vulnerabilities within hospital security and created irresistible incentives for malicious cyber attackers.
Connected medical devices are far more difficult to secure than their conventional IoT counterparts. These devices often run on antiquated, legacy systems that were never designed to be networked. In addition, because medical devices are mission critical and typically built on embedded operating systems, software patching is more complicated and cumbersome than in other industries. Medical devices are also designed for durability, meaning many devices built 20 years ago or more – when Windows 95 was considered the latest technology – are still in service today. As a result, vulnerabilities remedied long ago in other industries still threaten connected medical devices, either because the devices are too outdated and difficult to patch, or because they are deemed too critical to patient care to even risk the attempt.
Outdated and legacy systems are not the only issues. Healthcare IoT devices present unique security challenges, and meeting them requires clinical context to achieve full visibility. According to a KLAS survey published in September, the top organizational factor causing medical device security issues – with 49 percent consensus among participants – is lack of asset visibility. Medical devices’ opaque systems, proprietary protocols and complex interactions make them far harder to account for and secure than enterprise IoT devices. In order to achieve even basic visibility, a healthcare IoT solution must be able to identify each connected device with great granularity (including manufacturer protocols) and provide up-to-date information on risk ranking, device utilization, software maintenance and compliance data. Specialized knowledge of each device and its clinical context is essential.
Securing such a unique category of devices also requires a more specialized set of rules and configurations designed to govern device behavior. A dedicated healthcare IoT solution will be able to detect anomalies at the device level and prioritize threats based on clinical workflows. With hospitals averaging 10-15 connected medical devices per bed and counting, the ability to automatically catalog, track and monitor inventory is vital. Most hospitals frankly lack the staffing, resources and inter-departmental alignment to ensure ongoing security any other way.
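To make the visibility and risk-ranking idea from the two paragraphs above concrete, here is an added example (written for this page, not code from the article, Medigate or YL Ventures) of a minimal device inventory that scores each asset and recommends a defensive action. The scoring weights, the end-of-support table, the `Device` fields and the four sample assets are all assumptions constructed for illustration; the only point the code makes is that the same technical weakness (an unsupported OS, a stale patch) is weighted by clinical criticality, and that an unpatchable life-sustaining device gets a segmentation action rather than a patch ticket.

```python
"""Clinically weighted risk ranking for a connected-device inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Vendor end-of-support dates used to flag legacy operating systems. The Windows
# XP, 7 and 10 dates are Microsoft's published end-of-support dates; Windows 95
# is the end of extended support. Treat this table as an assumption that must be
# maintained against current lifecycle data, not as a complete reference.
END_OF_SUPPORT = {
    "Windows 95": date(2001, 12, 31),
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}

# Constructed weights: how much a device's network position adds to its risk.
EXPOSURE_WEIGHT = {"isolated": 0, "internal": 10, "internet": 30}


@dataclass
class Device:
    asset_id: str
    model: str
    os: str
    clinical_criticality: int     # 1 = low (e.g. check-in kiosk), 3 = life-sustaining
    exposure: str                 # "isolated" | "internal" | "internet"
    last_patched: Optional[date]  # None = no patch record on file
    patchable: bool               # vendor permits field patching
    protocols: tuple              # observed protocols, kept for clinical context


def is_end_of_life(device: Device, as_of: date) -> bool:
    """True when the OS has a known end-of-support date that has already passed."""
    eos = END_OF_SUPPORT.get(device.os)
    return eos is not None and eos < as_of


def risk_score(device: Device, as_of: date):
    """Return (score, reasons); a higher score means earlier attention."""
    score, reasons = 0, []
    if is_end_of_life(device, as_of):
        score += 40
        reasons.append("unsupported OS")
    elif device.os not in END_OF_SUPPORT:
        score += 15  # no lifecycle data at all is itself a visibility gap
        reasons.append("unknown OS lifecycle")
    if device.last_patched is None:
        score += 20
        reasons.append("no patch record")
    elif as_of - device.last_patched > timedelta(days=365):
        score += 20
        reasons.append("patch older than one year")
    weight = EXPOSURE_WEIGHT.get(device.exposure, 30)  # unknown exposure = worst case
    score += weight
    if weight:
        reasons.append(f"{device.exposure} exposure")
    # Clinical context: the same weakness matters more on a life-sustaining device.
    return score * device.clinical_criticality, reasons


def recommended_action(device: Device, as_of: date) -> str:
    """Pick a defensive action that respects whether the device can safely be patched."""
    if not is_end_of_life(device, as_of) and device.patchable:
        return "schedule patch in maintenance window"
    if device.clinical_criticality == 3:
        return "do not patch in place; isolate on dedicated VLAN and restrict to required protocols"
    return "segment and plan replacement"


def prioritize(inventory, as_of: date):
    """Rank the inventory by clinically weighted risk, highest first."""
    ranked = []
    for d in inventory:
        score, reasons = risk_score(d, as_of)
        ranked.append({"asset_id": d.asset_id, "score": score,
                       "reasons": reasons, "action": recommended_action(d, as_of)})
    ranked.sort(key=lambda r: (-r["score"], r["asset_id"]))
    return ranked


# Constructed sample inventory (fictional assets, not real devices).
AS_OF = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Device("INF-0142", "infusion pump", "Windows XP", 3, "internal", None, False, ("HL7",)),
    Device("MRI-0007", "MRI console", "Windows 7", 2, "internal", date(2023, 3, 1), True, ("DICOM",)),
    Device("KSK-0310", "check-in kiosk", "Windows 10", 1, "internet", date(2024, 5, 20), True, ("HTTPS",)),
    Device("VSM-0088", "vital signs monitor", "VxWorks 6.9", 3, "isolated", date(2022, 1, 10), False, ("proprietary",)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY, AS_OF):
        print(f"{row['asset_id']:9} score={row['score']:4}  {', '.join(row['reasons'])}")
        print(f"          -> {row['action']}")
```

Running the block ranks the unpatchable Windows XP infusion pump first (score 210) and the internet-facing but current kiosk last (score 30); the VxWorks monitor lands above the kiosk purely because its lifecycle is unknown and it is life-sustaining, which is the kind of context-driven ordering a generic enterprise scanner does not produce.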
Today’s growing attack surface, evolving threat landscape, fickle regulations and systemic challenges demand a dedicated, innovative approach to securing connected medical devices. Hospitals are the next frontier of cybersecurity innovation because traditional IoT security alone is simply not enough.
Ofer Schreiber is Partner at YL Ventures. Jonathan Langer, CEO of Medigate, contributed to this article.
First publication: Help Net Security