Unfortunately, today we live in an era of escalating cyber threats from bad actors and nefarious nation states intent on the disruption of our business and personal lives. Regrettably, this also includes life-sustaining healthcare technologies. If this weren't enough, the healthcare industry is also in the process of transforming to a near complete reliance upon information technology and Internet of Medical Things (IoMT) technologies. In fact Healthcare IoT (HIoT) devices are growing at 20% per annum according to some sources which means the problem is getting bigger and bigger each and every day! This includes a proliferation of medical devices, pharmacy and surgical robots, AI-augmented labs and diagnostic systems, and networked connected hospital building management systems like elevators and HVAC systems, without which the modern day hospital cannot function for long. This provides hackers with a very large attack surface upon which to exploit a weakness or vulnerability and establish a beachhead for more nefarious purposes - perhaps the theft of medical records and personal identities, or to ransom hospital data or patients.
Effective cybersecurity has always been about the combination of people, process and technology and that still holds true today. However the perpetrators of cyber-crime are hell-bent on exploiting every weakness regardless of the patient safety issues of their actions. As cyber defenders we need to employ the best processes, skilled security resources, and most effective technologies in the defense of our diagnostic and clinical systems. It also means that old out-of-date and end-of-life systems should be replaced, while all other systems are updated regularly with security patches, especially if your hospital still runs some version of Windows. The costs of upgrading may appear to be prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life threatening - for the business and its patients!
56% of Health Providers Still Rely on Legacy Windows 7 Systems
As a first step hospital CEOs and their boards need to gain an accurate understanding of their risks and that means a full inventory of all of their IT, HIoT and data assets - something most smaller hospitals have little to no idea about. Remediation of identified security risks then needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. That will require discipline, established and documented processes, and quality resources whether people or tools, or a combination thereof. Above all it requires effective cybersecurity governance sponsored at the highest levels of the board and reinforced all the way throughout the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.
Fortunately however, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. This allows them to offer more profitable and cost-efficient services to patients via among other services, secure online portals, telehealth and telemedicine, just proving that security does not need to be advanced rocket science, just the combination of good people, process and technology to add value to a business.
To learn how Cylera can help automate the inventory and risk analysis of your HIoT devices, please contact us for a no-obligation introductory call. We are happy to share with you what we have developed regardless of whether you are in a position to buy anything. Knowledge is power and the better informed you are, the better able you are to protect your patients from previously unknown risks.