It seems that every year the negative impact of a cyber attack reaches dizzying new levels: overlapping regulatory fines, restitution and identity and credit monitoring for affected individuals, punitive damages, and of course the incident handling and clean-up costs of fixing what should have been fixed in the first place, had the organization understood the risks rather than chosen to ignore them.
But it is not as simple as writing off some vast sum of operating profit and explaining that loss to shareholders or governing boards. Longer-term damage to reputation can take years to recover from, if it is recovered at all. I know of many firms and individuals that will never do business again with an entity that lost their data and caused them so much pain. Do executives and their governing boards even consider the long-term cost of the loss of their reputation?
And what happens when someone dies as a result of a cyber attack, as happened recently at University Hospital Düsseldorf, where prosecutors opened a homicide case against the Russian perpetrators of a ransomware scheme? What will be the long-term impact on the university hospital's funding, on its patient numbers and on its standing in the academic and local communities, and how many medical students, doctors and other medical professionals will want to study or work there?
Medical malpractice suits already run to tens of millions of dollars in the US. What will the financial and reputational costs be to a healthcare provider when patients die on the operating table, or while connected to a medical device that has been hacked by cyber criminals, whether they were seeking extortion payments or simply trying to expand their foothold on the healthcare network and broke a critical life-sustaining device along the way?
At this point many executives would accuse me of raising fear, uncertainty and doubt, or FUD as it is also known. But am I? Doesn't the German woman who died in Düsseldorf when hospital IT systems were attacked with ransomware make this very real? I would wager that the recent German case is not alone and that many other deaths caused by hackers or weak cybersecurity have simply been reported in a different way, covering up failures in IT and IoT equipment so as to absolve manufacturers and providers from potential legal liability from families and regulators.
Ethical hackers like Barnaby Jack were demonstrating how easy it is to hack a medical device nearly a decade ago. Ever since, security conferences have featured numerous hackathons of medical equipment and on-stage demonstrations of how to hack an infusion pump, an X-ray machine or another piece of medical equipment.
Researchers at Ben-Gurion University of the Negev demonstrated last year how easy it was to intercept medical PACS images in transit and alter them to add or remove tumors, fooling the majority of radiologists and AI diagnostic software alike. And at Cylera last year, we discovered an attack vector that can change the content of a medical DICOM image file to include malware that can be used to infiltrate the healthcare network, simply by sharing or viewing a PACS image, something that happens thousands of times a day in every hospital.
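The post does not spell out the mechanism, but the property of the DICOM Part 10 file format that makes an image-plus-malware polyglot possible is public and stable: DICOM PS3.10 reserves a 128-byte preamble before the "DICM" magic and places no constraints on its contents, so the first bytes of a valid DICOM file can simultaneously be the header of a Windows PE or other executable. The following check is an added example written for this page, not Cylera's code or product; it parses the preamble of in-memory, constructed sample files (no real patient data) and flags executable magic numbers, confirming a PE claim by following the `e_lfanew` pointer at offset 0x3C to the `PE\0\0` signature. It also reports non-zero preambles that are not known executables (the standard permits, for example, a TIFF header there) at a lower severity for manual review.

```python
"""Inspect the 128-byte preamble of DICOM Part 10 files for executable headers.

Added example for this article; the sample files below are constructed in
memory and contain no clinical data.
"""
import struct

PREAMBLE_LEN = 128
DICM_MAGIC = b"DICM"
PE_SIGNATURE = b"PE\x00\x00"

# Magic numbers that have no legitimate reason to sit at offset 0 of a study.
EXEC_MAGICS = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xfe\xed\xfa\xce": "Mach-O (32-bit)",
    b"\xfe\xed\xfa\xcf": "Mach-O (64-bit)",
    b"\xcf\xfa\xed\xfe": "Mach-O (64-bit, little-endian)",
    b"#!": "script with shebang",
}


def is_dicom_part10(data: bytes) -> bool:
    """True if the file has a 128-byte preamble followed by the DICM magic."""
    return len(data) >= PREAMBLE_LEN + 4 and data[PREAMBLE_LEN:PREAMBLE_LEN + 4] == DICM_MAGIC


def pe_header_confirmed(data: bytes) -> bool:
    """For an 'MZ' preamble, follow e_lfanew (offset 0x3C) to the PE signature.

    In a polyglot the PE header usually lives past the preamble, inside the
    DICOM data set, so the whole file (not just the preamble) is examined.
    """
    if data[:2] != b"MZ" or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def classify_preamble(data: bytes) -> dict:
    """Return a verdict for one file: severity 'none', 'medium' or 'high'."""
    if not is_dicom_part10(data):
        return {"dicom": False, "severity": "none", "reason": "not a DICOM Part 10 file",
                "pe_header_confirmed": False}
    preamble = data[:PREAMBLE_LEN]
    for magic, name in EXEC_MAGICS.items():
        if preamble.startswith(magic):
            return {"dicom": True, "severity": "high",
                    "reason": f"preamble starts with {name} magic",
                    "pe_header_confirmed": pe_header_confirmed(data)}
    if preamble == b"\x00" * PREAMBLE_LEN:
        return {"dicom": True, "severity": "none", "reason": "all-zero preamble",
                "pe_header_confirmed": False}
    # Non-zero but no known executable magic: the standard allows this (e.g. a
    # TIFF header), so flag it for review rather than block it outright.
    return {"dicom": True, "severity": "medium",
            "reason": "non-zero preamble without known executable magic",
            "pe_header_confirmed": False}


# --- constructed samples -----------------------------------------------------
# Minimal File Meta element (0002,0010) Transfer Syntax UID, explicit VR LE.
META = b"\x02\x00\x10\x00UI\x14\x00" + b"1.2.840.10008.1.2.1\x00"


def build_sample(preamble: bytes, body: bytes) -> bytes:
    """Assemble preamble + 'DICM' + body into a Part 10 byte string."""
    if len(preamble) != PREAMBLE_LEN:
        raise ValueError("preamble must be exactly 128 bytes")
    return preamble + DICM_MAGIC + body


BENIGN = build_sample(b"\x00" * PREAMBLE_LEN, META)

# Hypothetical TIFF-style preamble: permitted by the standard, worth a look.
TIFF_DUAL = build_sample(b"II*\x00" + b"\x00" * (PREAMBLE_LEN - 4), META)

# Hypothetical PE/DICOM polyglot: 'MZ' at offset 0, e_lfanew -> 0x100 where a
# 'PE\0\0' signature has been tucked into the DICOM payload.
_pe_off = 0x100
_mal_pre = bytearray(PREAMBLE_LEN)
_mal_pre[0:2] = b"MZ"
_mal_pre[0x3C:0x40] = struct.pack("<I", _pe_off)
_pad = b"\x00" * (_pe_off - (PREAMBLE_LEN + 4) - len(META))
POLYGLOT = build_sample(bytes(_mal_pre), META + _pad + PE_SIGNATURE + b"\x00" * 16)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("tiff-dual", TIFF_DUAL), ("polyglot", POLYGLOT)):
        print(name, classify_preamble(blob))
```

In a real deployment this check would run at the PACS gateway or on the file share that viewers read from, before an image is opened on a workstation; a "high" verdict should quarantine the study and raise an alert rather than silently delete it, since the embedded DICOM data may still be the only copy of a clinical image.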
This is not science fiction or FUD. This research is in the public domain and working exploits most definitely exist in the wild. A hospital, or an entire health system the size of UHS, could be attacked tomorrow and rendered unable to treat patients by a cyber attack against vulnerable IT or IoT assets.
Healthcare providers the world over need to gain a better understanding of what assets are connecting to their networks and what risk each of those assets represents, not only to any patient who may be attached to the device or being treated by such a system, but also to the broader healthcare network. Any endpoint asset can serve as an infiltration vector and a foothold for expanding the attack. You don't need a wooden Trojan horse to get inside the perimeter of a hospital network, just access to one insecure endpoint device. Identifying and risk-assessing all of your assets is absolutely critical today. A risk analysis is, after all, a requirement of the HIPAA Security Rule, and HHS guidance points to NIST SP 800-30 as the method for carrying one out.
But a risk analysis alone is not enough to protect patients; providers also need to ensure that they have put adequate protections and compensating security controls in place. This is where many healthcare delivery organizations (HDOs) come unstuck: they simply don't have the staff cycles to evaluate the risks, let alone remediate potentially life-threatening problems, even though they may already have some of the tools in place to segment high-risk devices from the rest of the network.
The Cylera MedCommand platform automates this entire security risk management workflow: identifying HIoT devices and adding them to an asset management system, feeding their risks to GRC and risk management tools, identifying IOCs and raising alerts through an existing SIEM or MDR, and talking directly to an existing NAC to automatically isolate and quarantine compromised endpoints before patients are put at risk. Learn more or request a demo to understand how Cylera has used artificial intelligence and machine learning to simplify and automate what would otherwise be a highly labor-intensive and cumbersome task.