Cybersecurity and patient safety: why we need to do better
In February 2021, with the COVID-19 pandemic raging, the Australian Cyber Security Centre (ACSC) issued its 2020 Health Sector Snapshot, saying, “COVID-19 has fundamentally changed the cyber threat landscape for the health sector, with malicious actors increasingly targeting and compromising health networks, which are already under pressure in a pandemic operating environment.”
Taking into account the chronic understaffing currently affecting Australian hospitals, it has never been more essential for health providers to ensure their networks are protected from malicious cyber actors who wish to disrupt essential services or compromise business-critical systems to profit from ransom.
The healthcare sector is not alone among critical organisations experiencing ransomware attacks. According to Claroty’s report, The Global State of Industrial Cybersecurity 2021: Resilience Amid Disruption, 80% of critical infrastructure organisations worldwide experienced a ransomware attack during the year.
Any attack on critical infrastructure can result in public disruption or even life-threatening consequences, but healthcare organisations are particularly vulnerable. A vital life-saving procedure might be delayed, monitoring equipment might fail to report a change in vital signs or transport of a seriously ill patient might be disrupted.
Lessons from Germany
The ACSC report describes a case in Germany where a ransomware attack disrupted a healthcare organisation’s computer systems and, as a result, someone being transported to hospital by ambulance was rerouted to a different hospital 30 kilometres away. They died en route.
In 2021, the Ponemon Institute surveyed 597 IT and OT security professionals to understand how COVID-19 had impacted the way healthcare delivery organisations protect patient care and patient information from increasingly virulent cyber attacks, especially ransomware. Almost one in four healthcare providers reported an increase in mortality rate due to ransomware.
The findings were described as “an urgent wake-up call for the healthcare industry to transform its cybersecurity and third-party risk programs or jeopardise patient lives”.
Healthcare organisations are a primary target for cybercriminals. So what can security teams do to counter these threats and keep their organisations and their patients safe?
An increasing source of vulnerabilities is the Internet of Medical Things (IoMT), referring to the many devices that deliver medications, aid in diagnosis and monitor patients, which are becoming increasingly connected to the internet. Many of these devices are known to have vulnerabilities, but these are difficult, or impossible, to patch. Reliance on old and unsupported versions of Windows is also commonplace.
A recent report from Cynerio found 53% of connected medical and other IoT devices in hospitals had a known critical vulnerability. It also found a third of bedside healthcare IoT devices, which patients depend on for optimal health outcomes, had a known critical risk.
Poor security governance also exacerbates these risks. IoMT devices are rarely part of the overall security governance process and in many cases fall outside the responsibilities of the security team, so are not audited for issues such as weak passwords or default credentials.
IoMT devices are now generally connected to each other and hospital IT systems over a common physical network, but little use is made of network segmentation, which would make it more difficult for an attacker to gain access.
All these issues need to be addressed urgently when the health system is already stretched to its limits by COVID-19. So what can be done? Here are some suggestions that will provide significant security boosts with minimal effort.
- Identify all IoMT devices and add them to the security governance process. This requires purpose-built technology because such devices are often invisible to traditional security tools. If a comprehensive audit is not possible, the most critical devices and processes should at least be prioritised.
- Identify and remove as many vulnerabilities as possible by patching. Also, implement other tools such as firewalls and access control lists as a second line of defence.
- Implement network segmentation. Ideally this would be done physically; however, this can take considerable time. As a strong alternative, virtual segmentation can be implemented much faster and also enables suspicious activity to be detected and remediated more easily. In addition, implementing policies that govern network access for certain users, devices and sessions will limit unnecessary, and possibly malicious, connectivity.
- Monitor all IoMT devices for evidence of malicious activity. Specialised security tools are capable of constantly monitoring the IoMT network in the background and automatically flagging any suspicious activity. By their nature, these tools are far faster and more effective at threat mitigation than any human could be.
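To make the identification, segmentation and monitoring steps above concrete, here is an added example (not from the original article or any vendor's product) that checks network flow records against a device inventory and a segment allow-list. The addresses, segment names, ports and policy are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed segment plan (assumption): CIDR -> segment name.
SEGMENTS = {
    "10.20.1.0/24": "infusion-pumps",
    "10.20.2.0/24": "patient-monitors",
    "10.30.0.0/24": "clinical-servers",
    "10.40.0.0/16": "staff-workstations",
}
IOMT_SEGMENTS = {"infusion-pumps", "patient-monitors"}
# Allow-list of (source segment, destination segment, port); all else is a violation.
ALLOWED = {
    ("infusion-pumps", "clinical-servers", 443),
    ("patient-monitors", "clinical-servers", 2575),
    ("staff-workstations", "clinical-servers", 443),
}
# Constructed inventory: IoMT addresses already under security governance.
INVENTORY = {"10.20.1.11", "10.20.1.12", "10.20.2.21"}
# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.20.1.11", "10.30.0.5", 443),
    ("10.20.2.21", "10.30.0.5", 2575),
    ("10.40.3.7", "10.20.1.11", 23),
    ("10.20.1.99", "10.30.0.5", 443),
    ("10.20.1.12", "203.0.113.9", 445),
]

def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ip_address(ip)
    for cidr, name in SEGMENTS.items():
        if addr in ip_network(cidr):
            return name
    return "unknown"

def audit(flows, inventory=INVENTORY):
    """Return findings for ungoverned IoMT devices and disallowed cross-segment flows."""
    findings, reported = [], set()
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s in IOMT_SEGMENTS and src not in inventory and src not in reported:
            reported.add(src)
            findings.append(("unmanaged-device", src, s))
        if s != d and (s, d, port) not in ALLOWED:
            findings.append(("segmentation-violation", f"{src}->{dst}:{port}", f"{s}->{d}"))
    return findings

if __name__ == "__main__":
    print(*audit(FLOWS), sep="\n")
```

Traffic within a single segment is not evaluated here; a stricter policy would also allow-list device-to-device flows inside each IoMT segment.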
Australian government bodies offer several resources to help healthcare organisations beef up their cybersecurity. Some key resources include two reports by the Therapeutic Goods Administration, Medical device cyber security guidance for industry and Medical device cyber security information for users.
All Australian healthcare providers must remember that cyber safety equals patient safety. Security professionals in the healthcare sector should take the escalating threat landscape very seriously.
It’s essential that hospitals get the investment required to give their security teams better visibility, and therefore better ability to protect against attacks. This minimises the possibility that lives could be lost due to medical equipment impacted by ransomware or other threats.