Over the past decade, healthcare clinical engineers and IT security personnel have focused on the security and privacy of patient data. The confidentiality, integrity, and availability of patient data is protected by HIPAA and enforced by the Department of Health and Human Services Office for Civil Rights. And yet ransomware continues to bypass security controls, negatively impacting not only the financial stability of healthcare organizations, but also cyber patient safety.
Cybersecurity in healthcare involves not only the sensitivity of patient information, but also the safety of patients. With the rise of the interconnected Internet of Medical Things (IoMT) and other healthcare cyber-physical systems (CPS), cybercriminals have been able to disrupt patient care by triggering device outages or malfunctions. This has led caregivers to take a more clinically focused view of cybersecurity, correlating it more closely with patient outcomes. Cybersecurity in healthcare is essential because any compromise of patient data or medical devices can result in serious harm to patients, including misdiagnosis, incorrect treatment, and even death.
Emergency physician, clinical informatics specialist, and researcher Dr. Christian Dameff stated, “We are at a point where bits and bytes are meeting flesh and blood.” In other words, the cyber-physical world of connected devices on a hospital network uniquely increases the risk to patients. The medical devices that patients' lives depend on cannot be properly managed or protected by traditional IT security tools, leaving them as easy network entry points unless purpose-built security controls are implemented.
A study from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) suggests a strong correlation between cybersecurity attacks, hospital strain, and ultimately, degraded functionality. CISA explains that the rise in patient bed count during the pandemic strained healthcare systems and reduced the operational effectiveness of hospitals. Ransomware and other attacks on the infrastructure supporting healthcare delivery organizations (HDOs) then added external stress during a time of crisis. Ransomware is one of the most common cyber attacks against hospitals. These attacks on hospital networks often resulted in inaccessible patient schedules and records, disrupted communication, and delays in processing and communicating test results. The downstream effects proved to be even more damaging, including canceled or delayed surgeries and cancer treatments and loss of communication between hospitals in the network. These consequences reinforce the impact a ransomware incident can have on medical device effectiveness and its detrimental effects on patient safety.
An additional proof point can be drawn from a recent Ponemon study on breach impacts. The study emphasizes the effects ransomware attacks can have on patient safety, data, and overall care availability: 71% of respondents reported longer patient stays, 70% reported delays in procedures, 65% reported increased patient diversions, 36% reported increased complications, and 22% reported increased mortality. The onset of the COVID-19 pandemic introduced a myriad of risk factors for HDOs, including remote work and the systems to support it, staffing challenges, and elevated patient care requirements. The demand for higher-quality patient care, regulatory directives, and the necessity to contain costs led HDOs to shift to the digitization and distribution of health information. This, coupled with the reliance of medical devices on network connectivity for operation and maintenance and the adoption of third-party products and services, has left HDOs woefully unprepared to deal with the associated risks.
Both the CISA and Ponemon studies emphasize that ransomware attacks on HDOs can be a life-or-death situation. Yet many healthcare organizations are not prepared to mitigate ransomware attacks and third-party risks, and they make potentially harmful mistakes along the way. As the pandemic exacerbated the existing strain on hospitals, it became more important than ever for organizations to address cyber patient safety and medical device effectiveness holistically, and to partner with a CPS security vendor who can help address their unique needs.
The high stakes of securing connected medical devices and other healthcare cyber-physical systems are well understood, but many organizations still make one of the following mistakes:
Attempting to use IT security tools to secure medical devices. IT security tools are not compatible with the protocols used by medical devices, and in most cases attempting to use them does more harm than good.
Managing medical device security separately from IT security. When cybersecurity silos form within a healthcare organization, it leads to situations in which isolated teams fail to defend against cyber threats in a coordinated manner. To present a unified front against threats to patient privacy and safety, healthcare organizations must adopt a converged approach to cybersecurity.
Not conducting risk assessments prior to engaging with third parties. By building the critical steps for identifying and mitigating third-party risk into vendor engagement, organizations can continuously monitor vendors and evaluate the threats targeting their medical device assets and the associated vulnerabilities.
Having an incomplete or inaccurate medical device inventory. Many HDOs are unaware of what medical equipment they own, cannot locate devices, and/or have no information about the vulnerabilities of these devices. A complete device inventory allows security teams to make informed decisions about how devices should be treated and where their biggest risks lie.
Addressing cyber patient safety and ensuring medical device effectiveness requires the right purpose-built tool to protect your unique healthcare environment from ransomware. With a CPS security partner like Claroty, HDOs can gain a comprehensive understanding of their network and avoid critical mistakes when securing medical devices. As ransomware attacks have evolved from impacting HDOs financially to putting patients' safety and privacy at risk, it is critical that organizations ensure medical devices are properly managed and protected. By teaming up with Claroty, hospitals can achieve better outcomes, improve device effectiveness, and safely deliver care to patients.