The challenges of securing the healthcare sector [Q&A]
The healthcare sector is particularly attractive to cybercriminals due to the amount of personal data held and the critical nature of many systems.
We spoke to Shankar Somasundaram, CEO of IoT risk management platform Asimily, to discuss healthcare systems and the challenges involved in securing them.
BN: What makes healthcare IoT devices and equipment particularly challenging to secure?
SS: Healthcare delivery organizations (HDOs) are up against a perfect storm of IoT security challenges right now. Connected-device deployments within hospitals and other healthcare systems are just a different animal from those in other industries. Take retail by comparison, where an array of largely homogeneous IoT sensors deploy across a supply chain. There’s a smaller and more manageable attack surface, generally fewer vulnerabilities to address, and devices are relatively straightforward to replace when they have irreconcilable security issues.
Contrast that with healthcare, where much more heterogeneous medical IoT device fleets are deployed with an especially wide breadth of functionality. With that device functionality very much responsible for patient care quality and health outcomes, taking an at-risk device offline often isn’t an option. Clinicians rightfully have the last word on whether to discontinue using devices that HDO security teams flag as high-risk. Those security teams must then abide by those decisions, securing devices with active, known vulnerabilities as best they can. These factors illustrate why the healthcare industry has such a low tolerance for service interruption to IoT devices.
Our recently released report, Total Cost of Ownership Analysis on Connected Device Cybersecurity Risk, puts numbers behind the challenges HDOs face right now, and highlights the stark need for security teams in this space to adopt risk-based approaches to cybersecurity. Unfortunately, HDOs also suffer from a shortage of cybersecurity talent -- often from tight IT budgets that prioritize purchases over security. Becker's Hospital Report finds that HDO operating margins only returned to profitability in March 2023 following deep deficits during the pandemic. For almost a third of rural hospitals, a single cybersecurity incident would likely force them out of business. Given this environment, holistic risk-based strategies offer the most cost-efficient and effective path for HDO cybersecurity teams, enabling them to recognize, prioritize, and remediate the most dangerous vulnerabilities and threats to their medical IoT devices.
BN: Why are healthcare organizations particularly ripe targets for attackers?
SS: Healthcare data is inherently sensitive -- the kind that gives cybercriminals significant monetization opportunities. The broad attack surface offered by an HDO's countless connected devices, coupled with security weaknesses made worse by reduced IT budgets and cybersecurity staffing, only entices more breaches. Medical IoT devices are particularly vulnerable: a recent FBI study determined that the average medical device includes 6.2 vulnerabilities.
Compounding this issue, more than 40 percent of medical devices in use at HDOs have reached their product end-of-life, and no longer receive manufacturer security patching or support. HDOs don't have the budgets to rapidly replace end-of-life devices performing essential duties, and HDO cybersecurity teams have the bandwidth to fix just five to 20 percent of their known vulnerabilities each month. That limitation points to why risk-prioritization strategies that help cybersecurity teams target the most dangerous vulnerabilities with their limited capacity are so effective in preventing negative outcomes for HDOs.
Protected patient health data is also particularly inviting to attackers because of its permanence. While an exposed credit card can be canceled and bank information can be changed, patients can't so easily repair the damage of an exposed street address or social security number or even their health details. For this reason, ransomware has become the tool of choice for targeting HDOs. Ransomware easily spreads across vulnerable devices, interrupting services. HDOs then face the prospects of reputational damage and negative patient outcomes, which attackers leverage to incentivize paying their ransoms. Sophisticated attackers now even size their demands to what an HDO can afford to pay. Other attack strategies that impact connected devices include introducing malware that causes poor device performance, and forcing devices to connect with unknown IP addresses to enable remote breaches.
These factors continue to reinforce that healthcare organizations are far too opportune targets for cyberattacks. According to a recent Ponemon study on Cybersecurity in Healthcare, 89 percent of HDOs reported experiencing an average of 43 attacks over the course of 12 months. Within the last year, 44 percent of HDOs experienced a data breach caused by a third party, showing that those attacks are too often successful.
BN: What does the quantifiable risk look like for an insufficient security strategy here?
SS: Incidents that impact patient care are HDOs' top concern. The worst-case scenario occurred in 2019 at Springhill Medical Center in Alabama, where a baby born with a severe brain injury potentially died as a direct result of a ransomware attack on the hospital’s computer system. In another case, an Illinois medical center hit by ransomware had its computer systems rendered useless for months, preventing it from completing billing claims and leading it to shut down. Ponemon finds that ransomware attacks caused 59 percent of affected HDOs to experience longer patient stays, and 64 percent to experience testing and procedure delays. The same study finds that 88 percent of these cyberattacks on HDOs exploit IoMT devices, while 12 percent leverage IoT devices.
BN: How do security issues affect patient care? Is there a direct connection?
SS: Healthcare organizations should be aware: a 20 percent increase in patient mortality is directly attributable to cybersecurity incidents. The data makes it clear that ineffective connected device cybersecurity strategies lead to tragic results.
The average hospital in 2023 has a 1.4 percent operation margin, while the average cyberattack costs an HDO $10,100,000 per incident. Functionally, a successful cyberattack can easily mean the end of all patient care at a facility.
BN: What role does cyber insurance have in protecting healthcare organizations from security incidents?
SS: Cyber insurance is adapting to the recent increase in ransomware and data breach incidents. As insurers cap payouts and add coverage limits, HDOs can no longer count on cyber insurance to protect them from cybersecurity failures. At the same time, there’s no insurance that covers the reputational damage that comes with allowing a breach. HDOs' best and only true protection is to develop an effective risk-based cybersecurity strategy, one that optimizes the efficiency with which security teams target and mitigate medical IoT device vulnerabilities.