How to boost healthcare cybersecurity

The ongoing wave of digital transformation in the healthcare sector — driven by advancements in interconnected medical devices and clinical processes — has given rise to cybersecurity threats that often outweigh the benefits to patient care.

As adversaries grow more sophisticated in their attacks and the consequences of cyber incidents evolve, healthcare organisations are faced with a unique set of security challenges.

A contributing factor is the Extended Internet of Things (XIoT), a holistic umbrella term that encompasses all cyber-physical devices connected to the internet — including connected medical devices, or the Internet of Medical Things (IoMT).

Despite its undeniable benefits, the XIoT’s escalating cyber-physical connectivity has brought a myriad of cybersecurity challenges by expanding the attack surface. Threat actors are not only targeting IT systems but have now set their sights on cyber-physical systems (CPS) — from IoMT devices to building management systems (BMS) such as elevators and HVAC systems — which are considered critical to maintaining a safe environment for patient care. Furthermore, the impact of an incident involving healthcare IoT is not just financial: downtime or disruptions to any of these devices or systems can negatively impact patient outcomes and, in the worst-case scenario, cause patient harm or death. This is a harsh reality for professionals in the healthcare sector charged with mitigating cyber risk.

A recent independent study of 1100 full-time professionals in cybersecurity, engineering, IT and network management within the healthcare industry revealed valuable insights into how healthcare institutions are currently addressing the cybersecurity challenges brought about by digital transformation.

Key highlights of the report include:

Cybersecurity incidents are causing serious issues with cyber-physical systems (CPS), with the research revealing a noticeable uptick in ransomware payments:

• Globally, at least 78% of respondents experienced a minimum of one cybersecurity incident over the last year.
• 47% cited at least one incident that affected cyber-physical systems including medical devices and/or building management system devices.
• Financial ramifications were mainly within the USD100,000–1,000,000 (or AUD160,000–1,600,000) range.
• 26% of respondents reported paying ransoms, despite the practice being largely discouraged by government authorities and many cybersecurity industry experts.
   

Promisingly, companies are showing a willingness to increase their cybersecurity budgets in order to address the growing threat landscape:

• Globally, 51% of respondents reported increased security budgets.
• Patching vulnerabilities in medical devices is a top priority, followed by asset inventory management, and segmentation of medical devices.
   

The recruitment of capable cybersecurity professionals has proven to be a challenge, making cost-saving measures imperative:

• More than 70% of organisations are looking to hire cybersecurity professionals; however, 80% of those say finding qualified candidates is difficult.
• Respondents reported that optimising device utilisation was the biggest opportunity to trim down their costs.
   

A growing emphasis placed by organisations on cybersecurity regulations and standards has been instrumental in advancing the field.

• Regulatory developments, such as mandatory incident reporting, are cited as the most important external factor that influences organisations’ overall cybersecurity strategy.
• In Australia, all organisations are recommended to implement essential mitigation strategies from the Australian Cyber Security Centre, known as the Essential Eight.
• Globally, respondents found the NIST and HITRUST Cybersecurity Frameworks to be the most important to their organisations.

Three recommendations to bolster security

The survey highlights that healthcare institutions are increasingly focusing on cybersecurity compliance; however, given the prevalence, diversity and impact of cyber attacks, there is still room for enhancing security initiatives to bolster cyber and operational resilience.

Fortunately, as the study reveals, healthcare organisations are on an encouraging course correction towards maximising their cybersecurity and operational resilience with effective leadership, comprehensive security initiatives, and compliance with guidelines and frameworks provided by regulatory authorities.

1. Gain full visibility into all connected devices in the clinical environment

It is impossible for healthcare organisations to protect their assets if they can’t see or understand them. But gaining this visibility is one of the most fundamentally important yet challenging tasks, largely because new assets/devices are being connected to healthcare networks daily, many times without proper authorisation.

Thorough asset inventory management is crucial to spotting and reducing any potential threats. Given every healthcare environment is unique, and most contain complexities that render certain device discovery methods ineffective, it is critical to ensure security solutions offer multiple, highly flexible discovery methods that can be mixed and matched to deliver full visibility in the manner best suited to distinct needs.

2. Integrate existing IT tech stack and workflows

Healthcare organisations already use a number of solutions and tools in their cybersecurity program. Rather than expanding an already extensive tech stack, it is important to find CPS security solutions that integrate with them. By extending existing tools and workflows from IT to CPS, you can safely uncover risk blindspots without endangering patient outcomes.

3. Extend existing IT security controls and governance into the clinical environment

Unlike their IT counterparts, most XIoT environments lack essential cybersecurity controls and consistent governance. That’s because many medical devices were designed for functionality over security and were not initially intended to be connected to the internet. The rise of interconnectedness has caused these previously “air-gapped” devices and systems to become converged with IT networks — which have not been designed to be connected and managed in the same way.

The rapid adoption of digital transformation, and remote and hybrid working environments, have left security teams with a lack of awareness and understanding about the unique challenges of these newly interconnected XIoT environments. Without a dedicated security team or help from a solution that specialises in securing CPS, healthcare organisations will suffer from a lack of consistent governance and controls.

*Leon Poggioli is ANZ Regional Director of Claroty.

Image credit: iStock.com/Just_Super