Hospitals associated with the Irish national health system. The State of Georgia hospital system. The University of Florida health system. Scripps Health system. Hoya Optical Labs. These are five examples of healthcare organizations negatively impacted by vicious cyber attacks in just the last month.
Such attacks follow a horrific 2020 for healthcare cybersecurity, as the medical professionals at the epicenter of saving lives throughout the COVID-19 pandemic were too often forced to work under the threat or confirmed occurrence of a cyber attack. IBM’s X-Force reported earlier this year that healthcare cybersecurity attacks doubled worldwide in 2020, with more than a quarter of them being tied to ransomware.
It’s fair to say that the coronavirus emboldened attackers – nation states and well-funded cyber gangs in particular – to increase their frequency of attacks targeting hospitals and healthcare systems. But we also cannot forget that this critical infrastructure sector was already a prime cyber crime target prior to the events of 2020.
That’s largely because hospitals and healthcare systems house some of the most valuable personally identifiable and confidential information of any type of organization in the world, and their infrastructure and defenses are often significantly less sophisticated than those of large enterprises and government agencies.
In other words, low risk, high reward.
Early Warning Signs Did Not Induce Enough Action
Recently, an influx of op-eds from politicians and security practitioners has urged both the private and public sectors to take the healthcare cybersecurity threat more seriously. The Healthcare and Public Health Sector Coordinating Council is actively lobbying President Biden to structure healthcare cybersecurity into the American Rescue Plan. And the Cybersecurity and Infrastructure Security Agency (CISA) has offered new guidance to help hospitals and healthcare systems reduce risk.
While this heightened conversation and direction is certainly a positive, it’s not as new as it might appear. For nearly the past decade, the cybersecurity industry has been waving red flags about healthcare’s inherent vulnerabilities – from insecure IT networks and legacy OT systems to the emergence of connected medical devices talking to each other and insider threats.
Unfortunately, such early warnings were too often perceived as FUD (fear, uncertainty, and doubt) pushed to sell products or services, and not as genuine attempts to help prepare an industry on the cusp of evolving into the epicenter of cybercrime. That’s not to suggest that hospitals and healthcare systems didn’t heed any of the warnings – the majority have certainly improved their security posture in recent years as much as budget and resources would allow.
However, the success attackers have had over the past two years reinforces that our hospitals and healthcare systems aren’t prepared enough to defend against “ruthless hackers who do not care.” The question now is where do the industry and society go next?
Removing Trust to Harden the Network
In the post-COVID environment, medical and IoT devices are arguably the biggest weak spot for the healthcare industry, as connected medical devices – an integral part of the Internet of Medical Things (IoMT) – are increasingly being used by hospitals.
According to Deloitte, approximately 68% of medical devices will be connected or able to connect to a health system network by 2025. While connected medical devices are critical to patient care, they are also the most vulnerable to cyber threats. For example, 96% of infusion pumps in healthcare facilities were affected by URGENT/11 or Ripple20 critical vulnerabilities over the past year. In addition, Cynerio research has found that more than 40% of CT machines are managed unsafely by technicians, potentially exposing credentials and classified patient data in cleartext.
While there is no one-size-fits-all solution to this healthcare cybersecurity challenge, implementing a Zero Trust architecture is proving to be one efficient way to reduce risk. The concept of Zero Trust is not new, but interest in it has recently exploded in conjunction with the diminishment of the office perimeter during the pandemic. Broken down into its simplest form, Zero Trust denies network access to anyone or anything that does not absolutely require it.
For example, blocking unauthorized connections between devices thwarts ransomware and malware’s ability to spread across a network. It prevents communications between malware and command and control. It also keeps bad actors from performing denial of service with vulnerable devices and from extracting data using malware.
With Zero Trust in place, unmanaged communications services are usually allowed only for essential communications. By ensuring every connection is authorized, verified, and authenticated and that communications are controlled on a case-by-case basis, Zero Trust security ensures tight controls on these unmanaged services.
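A small sketch of the default-deny idea described above, as an added example that is not from the original article: every connection is checked against an explicit allowlist keyed on device class, and anything unlisted is refused. The device classes, addresses, ports and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed hospital address space

# Constructed inventory: IP -> device class (sample values only).
INVENTORY = {
    "10.20.1.11": "infusion_pump",
    "10.20.1.12": "infusion_pump",
    "10.20.5.2": "pump_server",
    "10.30.1.7": "ct_scanner",
    "10.30.9.4": "pacs_archive",
}

# Allowlist of (source class, destination class, protocol, port).
# Anything not listed here is denied: that is the Zero Trust default.
ALLOWED = {
    ("infusion_pump", "pump_server", "tcp", 443),
    ("ct_scanner", "pacs_archive", "tcp", 104),  # DICOM
}

def evaluate(flow):
    """Return (verdict, reason) for one flow dict with src, dst, proto, port."""
    src_cls = INVENTORY.get(flow["src"])
    dst_cls = INVENTORY.get(flow["dst"])
    if src_cls is None:
        return "deny", "unknown source device"
    if (src_cls, dst_cls, flow["proto"], flow["port"]) in ALLOWED:
        return "allow", "matches allowlist"
    if ipaddress.ip_address(flow["dst"]) not in INTERNAL:
        return "deny", "unapproved external egress"
    return "deny", "unapproved device-to-device connection"

# Constructed flow records covering the cases the article lists.
FLOWS = [
    {"src": "10.20.1.11", "dst": "10.20.5.2", "proto": "tcp", "port": 443},
    {"src": "10.20.1.11", "dst": "10.20.1.12", "proto": "tcp", "port": 445},
    {"src": "10.30.1.7", "dst": "10.30.9.4", "proto": "tcp", "port": 104},
    {"src": "10.30.1.7", "dst": "203.0.113.50", "proto": "tcp", "port": 443},
    {"src": "10.99.0.8", "dst": "10.20.5.2", "proto": "tcp", "port": 443},
]

def audit(flows):
    """Evaluate every flow and return the list of (verdict, reason) pairs."""
    return [evaluate(f) for f in flows]

if __name__ == "__main__":
    for f, (verdict, reason) in zip(FLOWS, audit(FLOWS)):
        print(f"{f['src']} -> {f['dst']}:{f['port']} {verdict} ({reason})")
```

The pump-to-pump and outbound flows are refused even though the source devices are known and legitimate, which is what limits lateral spread and command-and-control traffic from a compromised device.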
Moving Forward with Zero Trust in Healthcare Security
Between 2019 and 2020, healthcare breaches in the U.S. increased by 55%. Over 67% of those breaches were caused by hacking and IT incidents, with about 24 million patient records being exposed to unauthorized parties because of cyberattacks.
Even if every hospital and healthcare system were to adopt Zero Trust, vulnerabilities would remain for cyber criminals to exploit, and new ones would undoubtedly be found. But the goal of Zero Trust isn’t to eliminate risk completely: that’s a fool’s errand. It can, however, realistically reduce risk to levels that are far more manageable by IT staff and security partners.
The time for talking about change is over, and the time for real action is now. We’ve seen what adversaries can and will do. They weren’t deterred by a once-in-a-century pandemic; rather, they are emboldened to exploit it.
That’s why hospitals and healthcare systems must work to reduce the malware, ransomware, and other threats as much and as fast as they can. Adopting Zero Trust is a necessary and reasonable start to addressing this task.
About the Author
Leon Lerman is the co-founder and CEO of Cynerio, Inc., a full-suite Healthcare IoT platform that enables healthcare providers to secure patient data and connected devices against cyber threats. He has over 15 years of experience in innovative technology development, served in Israel’s elite Unit 8200 cyber technology division, has served as a trusted security advisor to Fortune 500 companies, and has earned international recognition for excellence in the cybersecurity industry.