Threat actors don’t discriminate among sectors, but healthcare seems to be a prime target. The 2021 HIMSS Healthcare Cybersecurity Survey found that 67% of respondents said their healthcare organizations had experienced a significant security incident in the previous 12 months, with phishing and ransomware attacks causing the most damage. And attacks show no signs of slowing. In the first half of 2022 alone, the healthcare sector suffered about 337 breaches, affecting more than 19 million records.
We all know the cost of these attacks on the healthcare sector. The results of a successful breach, including the disruption to operations, violation of patient privacy and safety, and erosion of confidence and reputation, can have substantial financial consequences. For 12 years running, the healthcare industry has had the highest average data breach cost of any industry, with the average total cost in 2022 hitting a record high of $10.10 million. That’s a 42% increase since 2020. So, it’s more important than ever that healthcare delivery organizations (HDOs) do all they can to minimize their exposure and manage their risks.
Unfortunately, there is no simple answer, no single silver bullet that can give you the protection you need against all the risks in your organization. For each healthcare system, there is a unique combination of people, processes, and technologies that need to be in place to ensure appropriate governance and risk mitigation efforts align with the organization’s desired business outcomes.
A lack of visibility, communication, and coordination between the security, biomedical, clinical engineering, and business stakeholders within an HDO creates gaps that make good governance difficult and effective risk mitigation almost impossible. Once your team begins to identify and understand these gaps, you can start to close them so that everyone and everything works together. It starts by establishing a “single source of truth” for your environment – one that provides a common language and understanding that can bridge operational disconnects and divides. A single system of record lets everyone, from cybersecurity to biomed to business stakeholders, see what is going on in the clinical networks and make effective decisions that improve the organization’s operations and care.
Medigate by Claroty provides this foundational visibility to organizations large and small, helping them see and understand not only what is in their clinical networks, but also what those devices, including connected medical devices and other Extended Internet of Things (XIoT) devices, are doing (and whether they should be doing it). At a granular level, HDOs must know the devices they are dealing with, including the:
Modality – type, make, and model
Version – OS type and version
Software – embedded software and protocols used
Unique Identifiers – serial number, hostname, MAC address
Locations – SSID, access point (AP), AP location
This level of detail gives stakeholders a foundation upon which to collectively establish operational and security frameworks for their clinical setting in line with their tolerance for risk. Powerful visibility and insights can be used to inform successful risk management programs which, based on our experience working with leading healthcare systems, include the following six components:
Within healthcare organizations, risks need to be considered within the context in which they exist, including the likelihood that a given threat is capable of exploiting a given vulnerability and the severity of the resulting impact. Not all risks are created equal. Knowing which are the most critical enables teams to prioritize efforts and actions. This requires a combination of cybersecurity and clinical expertise to accurately identify whether something is tolerable (and even necessary) or a risk to the connected health system. A healthcare-specific risk framework can make these nuanced determinations, identifying and scoring risks based on granular visibility and context, so they can be appropriately evaluated, prioritized, and addressed to keep patients and care safe.
Because devices are often involved in care, their risks have to be managed very differently from traditional IT assets, so that dependencies are respected and operations are kept intact. Health systems need to apply a clinical lens to their vulnerability management so that activities such as scanning and patch management can be carried out swiftly and without risk to patient care. This requires three capabilities: monitoring the ongoing connectivity of each device to see when it is not in use or not connected to anything that could affect the delivery of care; identifying and coordinating with the organizational owners and those who will apply the update or patch; and quickly locating every affected device so the fix can be applied when the time is optimal.
Shutting down devices or blocking communications can have dire consequences within a clinical network, so it is important that security controls are inserted when and where they can protect without impacting care. If a patch is not available or can’t be applied, the best way to manage the risk may be to identify compensating controls and choose the most suitable ones for each scenario. Considering actions within their clinical context allows healthcare organizations to enforce policies and risk abatement strategies through network-based control points (e.g., firewalls, NACs, etc.) that prevent attack propagation and minimize attack impact, without interfering with ongoing operations or the delivery of care.
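As an added illustration (not part of the original post and not Medigate or Claroty code), the following Python sketch shows how the device attributes listed earlier, a likelihood-times-impact score with clinical context (risk assessment), idle-window detection from observed network flows (clinically aware vulnerability management), and an allow-list compensating control for a device that cannot be patched (network-based control points) fit together in one prioritization step. The device records, flow records, hostnames, scoring weights and the `allow`/`deny` rule syntax are all constructed for illustration and would be replaced by your own inventory, telemetry and firewall or NAC policy format.

```python
# Added example: clinical-context risk scoring, idle-window detection and an
# allow-list compensating control. Sample inventory, flows, weights and rule
# syntax are constructed for illustration (hypothetical; not vendor code/data).
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    modality: str               # type / make / model
    os_version: str             # OS type and version
    serial: str                 # unique identifier
    mac: str                    # unique identifier
    location: str               # SSID / access point location
    patient_connected: bool     # clinical context: attached to a patient in care
    patchable: bool             # a vendor fix exists and can be applied
    exploitability: float       # 0..1 likelihood a known flaw can be exploited
    exposure: float             # 0..1 network reachability of the device
    clinical_impact: float      # 0..1 severity to care if the device is compromised


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def risk_score(d: Device) -> float:
    """Likelihood x impact on a 0..100 scale, with clinical context applied.

    Likelihood is exploitability weighted by network exposure; impact is the
    clinical severity, raised by 25% (capped at 1.0) when the device is on a patient.
    """
    likelihood = d.exploitability * d.exposure
    impact = min(1.0, d.clinical_impact * (1.25 if d.patient_connected else 1.0))
    return round(100 * likelihood * impact, 1)


def last_seen(hostname: str, flows: List[Flow]) -> Optional[datetime]:
    stamps = [f.ts for f in flows if hostname in (f.src, f.dst)]
    return max(stamps) if stamps else None


def in_maintenance_window(d: Device, flows: List[Flow], now: datetime,
                          quiet: timedelta = timedelta(minutes=30)) -> bool:
    """True when the device has had no traffic for `quiet`: a safe time to patch."""
    seen = last_seen(d.hostname, flows)
    return seen is None or now - seen >= quiet


def allowlist_rules(d: Device, flows: List[Flow]) -> List[str]:
    """Compensating control for an unpatchable device: permit only the peers and
    ports it has actually been observed talking to, then deny everything else.
    The rule syntax is hypothetical; map it onto your firewall/NAC policy."""
    peers = sorted({(f.dst, f.dport) for f in flows if f.src == d.hostname})
    rules = [f"allow {d.hostname} -> {dst}:{port}" for dst, port in peers]
    rules.append(f"deny {d.hostname} -> any")
    return rules


def plan(devices: List[Device], flows: List[Flow], now: datetime) -> List[Tuple[str, float, str]]:
    """Rank devices by risk and choose an action that respects clinical context."""
    actions = []
    for d in sorted(devices, key=risk_score, reverse=True):
        if d.patchable:
            when = "now" if in_maintenance_window(d, flows, now) else "wait for idle window"
            actions.append((d.hostname, risk_score(d), f"patch ({when})"))
        else:
            control = "compensating control: " + "; ".join(allowlist_rules(d, flows))
            actions.append((d.hostname, risk_score(d), control))
    return actions


# Constructed sample inventory and flows (fictional devices and traffic).
NOW = datetime(2022, 9, 1, 10, 0)
PUMP = Device("pump-icu-07", "infusion pump / ExampleVendor / IP-200", "embedded RTOS 3.1",
              "SN-0007", "00:11:22:33:44:07", "AP-ICU-North", True, False, 0.8, 0.6, 0.9)
IMAGING = Device("ct-console-02", "CT workstation / ExampleVendor / CT-9", "Windows 10 21H2",
                 "SN-0102", "00:11:22:33:44:02", "AP-Radiology", False, True, 0.7, 0.8, 0.6)
MONITOR = Device("mon-ward3-11", "patient monitor / ExampleVendor / PM-5", "embedded Linux 4.19",
                 "SN-0311", "00:11:22:33:44:11", "AP-Ward3", True, True, 0.5, 0.3, 0.8)
DEVICES = [PUMP, IMAGING, MONITOR]
FLOWS = [
    Flow(NOW - timedelta(minutes=5), "pump-icu-07", "pump-server.hosp.local", 443),
    Flow(NOW - timedelta(hours=2), "ct-console-02", "pacs.hosp.local", 104),
    Flow(NOW - timedelta(minutes=1), "mon-ward3-11", "central-station.hosp.local", 5000),
]

if __name__ == "__main__":
    for hostname, score, action in plan(DEVICES, FLOWS, NOW):
        print(f"{hostname:14} risk={score:5} {action}")
```

The unpatchable infusion pump ranks highest and gets a network rule set instead of a patch; the CT console is patchable and idle, so it can be patched now; the patient monitor is patchable but in active use, so the action is deferred until it has been quiet. In practice the exploitability and exposure inputs would come from your vulnerability and topology data, and the quiet period should be agreed with the clinical owners of each device type.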
To prevent the spread of threats within clinical networks, health systems need to constantly discover, assess, and manage the cybersecurity risks that connected medical, clinical, and other unmanaged XIoT devices introduce to the clinical network. Given the complexity of clinical settings, which contain an ever-expanding number of devices, protocols, and workflows involved in HDOs’ efforts to deliver real-time, high-value care, HDOs must remain vigilant when it comes to good cyber hygiene. Gaps must be continuously identified and closed if the health system is to maintain a security stance for their clinical settings in line with their tolerance for risk.
More and more smart connected health systems are building out or partnering with smaller care facilities to deliver specialized services, urgent care, and even primary care within patient neighborhoods. While these facilities are smaller, they face the same privacy and security requirements that are expected of their larger hospital counterparts. All types of health systems, from large HDOs to clinics, need to ensure the same rigor is applied throughout their distributed facilities and ecosystem to keep their operations and patient care running as they should. This includes being able to address the growing number of XIoT devices and sensors connected to a clinic’s digital infrastructure that enable it to interoperate within a larger healthcare system. All these connected devices and their relative risk must be understood and included in the risk management program to maintain acceptable risk levels.
The dynamic nature of healthcare means security is never done. In today’s hyperconnected environment, new devices are continuously being purchased and connected to the network. Knowing which devices pose the greatest risks helps the HDO introduce new security criteria into the procurement process. Additionally, new vulnerabilities continue to emerge and threat actors continuously evolve their methods of attack, so there is no such thing as “set and forget”. Health systems need to identify tools and services that can help automate and operationalize ongoing risk management activities.