-
Industrial
- Healthcare
-
Commercial
- Public Sector
- Threat Research
- Partners
-
Resources
Featured Content
- Company
Blog / 9 min read
Healthcare cybersecurity refers to the protection of sensitive patient data, internet of medical things (IoMT) devices and assets, building management systems (BMS), and other critical healthcare infrastructure from cyberattacks. This process involves an enterprise-wide commitment to cybersafety and the implementation of purpose-built solutions to help healthcare delivery organizations (HDOs) provide safe, uninterrupted care to patients. Today, however, effective healthcare cybersecurity is exceedingly challenging for many HDOs to attain — and a key reason why is the rise of connected care and, thus, the growing reliance on connected medical devices and other types of cyber-physical systems. While these types of healthcare technologies are undoubtedly enhancing care quality while providing myriad life-saving functions, their underlying connectivity makes them more susceptible to cyberattacks. And as such attacks continue to become increasingly sophisticated and widespread, it is now more important than ever that HDOs focus their efforts on building a stronger, more resilient healthcare cybersecurity strategy.
Healthcare cybersecurity has become increasingly important amid the rise of connected care, which is fueling the convergence of internet-connected information technology (IT) systems with previously “air gapped” clinical networks, systems, and devices. Due to this convergence, HDOs no longer have to contend solely with cyberattacks that target IT systems to steal sensitive patient data and often result in financial losses due to regulatory fines and reputational damage. Now, they also have to protect their organization from attacks on IoMT and other connected medical devices and critical cyber-physical systems, which can result in more severe consequences including disruption of patient care or even loss of life. With robust healthcare cybersecurity controls in place, HDOs can both maintain trust with their patients when it comes to keeping their data safe, and can ensure the continuity of care by protecting against and mitigating the impact of any disruptions.
Healthcare cybersecurity is also essential to remaining compliant with industry regulations and standards — such as the Health Insurance Portability and Accountability Act (HIPAA). HIPAA was designed to protect patient privacy, and ensure the security of their protected health information (PHI). One key provision of HIPAA is the Privacy Rule, which sets standards to address the use and disclosure of PHI for entities subject to the rule known as “covered entities”. The Privacy Rule contains standards for an individual’s rights to understand and control how their PHI is used. Without a strong cybersecurity strategy in place, organizations will struggle to comply with HIPAA regulations, ensure their patients' data is protected, and avoid any costly fines or penalties.
Another key standard, developed to protect medical device security, is Section 405(d) Task Group’s Health Industry Cybersecurity Practices (HICP). The goal of these best practices are to strengthen the healthcare & public health (HPH) sector's cybersecurity posture against cyber threats. The document outlines the top five threats to healthcare organizations and ten mitigating best practices used to fight against cybersecurity threats that can impact patient safety, and further emphasizes why healthcare cybersecurity is so important today. This standard not only provides best practices for securing PHI, but also for ensuring the safety and securing of medical devices and patients. The HICP is closely aligned with the NIST Cybersecurity Framework, and is meant to serve as a reference document for HDOs looking to kick-off or enhance their cybersecurity programs. By following these guidelines, organizations can bring their cybersecurity to the next level, and can help bridge the gap between HIPAA compliance and a cybersecurity framework.
For healthcare organizations, ransomware attacks have become a persistent and increasingly disruptive type of threat that, in recent years, has caused seemingly countless HDOs to lose access to critical patient data, or worse, be unable to deliver critical care services A major ransomware incident that is still spoken about today due to its significant global impact was the 2017 WannaCry attack. This ransomware attack infected an estimated 230,000 computers in 150 countries in just a few hours by exploiting a dangerous vulnerability in unpatched versions of the then-widely used Windows 7 operating system.. In the healthcare sector, the attack began affecting dozens of National Health Service (NHS) facilities, and eventually affected over 60 NHS hospital trusts. During the attack, the infected hospital trusts were locked out of their digital systems and medical devices, which resulted in a significant disruption for patients and healthcare staff. This included staff having to revert back to manual processes, a disruption to radiology services, canceled outpatient appointments, elective admissions, and day case procedure, and emergency ambulances having to be diverted to other hospitals. Overall, the extensiveness and impact of served as a wakeup call on the vulnerability of HDOs to cyber threats, and the importance of a strong healthcare cybersecurity solution & strategy.
Another notable ransomware attack occurred in 2020 against the University of Vermont Health Network (UVMHN). The UVMHM attack affected the healthcare system’s entire clinical network across its multiple hospitals and medical facilities. During the attack, hundreds of employees were unable to perform their job responsibilities, and many patients faced delayed test results, experienced appointment cancellations, and had to reschedule elective medical procedures. According to public reporting on the incident, the health network continued to experience setbacks and financial losses eight months after the initial attack — with incurred costs estimating over $63 million. UVMHN also incurred severe reputational damage, facing scrutiny for its lengthy recovery process, which resulted in delayed patient care. From this incident healthcare organizations learned the unique and lasting ramifications of ransomware attacks, and that no HDO is immune to cyber-related losses. That’s why it is crucial for organizations to implement protection against cyber incidents, adhere to industry regulations and standards, and follow best practices for implementing effective healthcare cybersecurity.
In response to the increasingly disruptive cyberattacks targeting the healthcare industry, the White House has published a National Cybersecurity Strategy. This strategy outlines how the Executive Branch plans to protect our nation’s increasingly interconnected critical infrastructure — and calls for improved sharing of information between the government and private sector regarding vulnerabilities, threats, and risks. By coordinating incident response plans across the federal government and enhancing regulations, the government intends to be better prepared for the protection of our critical infrastructure. The release of the National Cybersecurity Strategy is a step in the right direction for patient safety, and provides a plan to ensure better preventions against attacks like the ones discussed above. By aligning your organizations to White House’s strategy, and following the below best practices, HDOs can strengthen their cybersecurity posture and ensure cyber and operational resilience.
Everyday, new devices are connected to a HDOs network, many times without proper authorization. Although these devices are essential to patient care, they also introduce additional cyber risk. By identifying all assets in the network, organizations can gain a comprehensive understanding of their attack surface, and identify potential security risks. They also will be able to proactively monitor the network for any unexpected activity or unauthorized devices — allowing them to identify and eliminate potential threats. Healthcare device discovery is also essential to enabling organizations to identify and prioritize vulnerabilities, thereby allowing them to take proactive steps towards mitigation.
Once visibility has been achieved, the second best practice is to assess your clinical environment's security posture. By performing a comprehensive, enterprise-wide assessment, organizations can understand their current security status and determine potential loss or exposure from a cyberattack. During this step, it is important to involve security professionals, biomed, and clinical engineering staff to ensure that both traditional and connected care workflows are being accounted for, and that your healthcare is a priority for all teams across the organization.
Every HDO that is connected to the internet is vulnerable to breaches. And, unfortunately in the healthcare industry, there are many reasons why they are prone to attack. The first being that it is common for employees to share their passwords and login credentials with other employees. HDOs also tend to use outdated systems and hardware — both of which cause vulnerabilities within their network security. Without strong access controls in place, such as multi-factor authentication and role-based access, hackers can gain unfettered access to sensitive patient data and systems. Implementation of access control is one the most important best practices HDOs can execute to ensure only authorized personnel have access to sensitive data.
As we’ve discussed, there are so many different types of devices in an HDOs environment, and new devices are being added daily. Aside from the device discovery challenge, HDOs also struggle to keep these devices properly segmented. Once devices are located and detailed, it is important to define network policies and enforce controls to ensure devices are communicating correctly. By gaining accurate device details, HDOs can establish a baseline of allowed behavior and improve their security enforcement — ensuring you set the appropriate policies and enforcing controls without disrupting care.
No healthcare environment is immune to threats. That’s why it's so important to identify anomalies and respond to any suspicious medical device communications. A recommended best practice for accurate threat detection is gaining a precise understanding of manufacturer-intended device behaviors and their clinical workflows. Being able to pinpoint a device’s specific location and deliver its current status provides your security team with the context they need to detect threats and respond efficiently.
The IoMT devices HDOs rely on bring inherent risk due to software vulnerabilities. And, in healthcare settings, device details are often missing, and active device scans can’t be regularly performed as they have the potential to disrupt patient care and impact outcomes. That’s why HDOs require a solution that provides them with visibility into critical device details, to identify what your devices are and what they’re doing. This helps organizations understand their device risks, and how to prioritize remediation. By streamlining vulnerability and risk management, HDOs can understand the extensiveness of their exposure to a specific vulnerability and implement the appropriate remediation strategy.
With digital transformation and the rise of the extended internet of things (XIoT), threats to healthcare environments are continuously evolving. That’s why we recommended following this best practice to ensure that your connected devices are trusted and secure. By continuously improving your cyber and operational resilience, your organization can more effectively prepare, respond to, and recover from this dynamic threat landscape.
At Claroty, we understand that healthcare organizations need to be able to connect to their environments with confidence — and by following the above best practices, they can accelerate their real-time healthcare initiatives, and generate better business and patient outcomes. Establishing strong healthcare cybersecurity is no easy task, but the implementation of a purpose-built cyber-physical systems security solution and an enterprise-wide commitment to cyber safety can help.
