Guarding healthcare’s digital frontiers: Predicting 2024’s cyber challenges
CISOs and security experts face new challenges as they seek to prepare for advanced threats to gain access to protected health information.
As 2023 comes to a close, it’s important to look back on what took place and the trends that are emerging to anticipate what the New Year will hold.
When it comes to healthcare cybersecurity, providers continued to be a prime target of malicious actors in 2023, with major breaches affecting HCA Healthcare, New England Life Care, Managed Care of North America, Rite Aid Corp. and others making headlines this past year.
To better prepare for the year ahead, healthcare providers will find themselves again in the crosshairs of bad actors. Because of this, it’s critical for security and IT pros to learn from these past experiences to better position their organizations to face the ever-evolving threat landscape.
And while it will continue to prove to be an uphill battle, healthcare security and IT pros, along with legislators and cybersecurity vendor partners, will make great strides in the coming year. Here are my five healthcare cybersecurity predictions for what we can anticipate in 2024.
The tactics of malicious actors will grow more sophisticated, and cyberattacks will come at higher frequency, further complicating the threat landscape for healthcare providers.
Ransomware attacks have not entirely shifted from a “spray-and-pray” approach via phishing, but continue to incorporate targeted footholds and more complex attacks into environments. While Ransomware as a Service (RaaS) and “simpler” ransomware attacks will continue to target the industry, we will see more complex ransomware and other cyberattacks that particularly target the largest healthcare providers.
Generative AI is also top-of-mind for security and IT pros at healthcare delivery organizations, and several organizations are setting up committees to review AI capabilities – for offensive and defensive, and clinical care purposes. As the healthcare industry incorporates and innovates solution stacks with Generative AI, so will its adversaries. Whatever is available to security and IT pros is also available to malicious actors. Take ransomware as a prime example of what can happen when a security capability – in this case, encryption – is flipped on its head and weaponized. The very technology intended to keep the bad guys out is being leveraged to instead block the good guys from accessing their files. AI will help to advance patient care, but we will also start seeing the technology being leveraged increasingly to drive more frequent, sophisticated attacks. It will be crucial for security and AI pros to expedite their own use of the technology, its governance and security to better protect their organizations to meet this evolving threat.
An increased focus on medical device security will continue to proliferate into regulations globally.
We have seen the Food and Drug Administration (FDA) make these mandates – such as the most recent refuse-to-accept (RTA) policy – as well as the UK National Health Service (NHS) with its Data Security and Protection Toolkit (DSPT) legislation, and other countries across Europe will develop similar guidelines. We’ll also see a renewed focus on software bill of materials (SBOMs) to provide clear understanding of the software components used to build various assets. We will continue to see additional developments and specificity on medical device security as more cybersecurity and critical infrastructure-centric regulations are developed.
While work remains to be done and the execution to be both seen and tweaked, these regulations are a great step forward to mandate that cybersecurity be baked into products and that organizations have regular assessments of the cybersecurity posture of devices. And while there are growing pains as with any new regulations, these are necessary pains. After all, a plan is only as effective as its execution. In this case, a critical plan driving the industry forward.
Healthcare providers will continue to modernize their security strategies, prioritizing segmentation and defense-in-depth in 2024.
Segmentation will remain one of the primary methods for increasing healthcare cybersecurity. As such, security and IT pros at healthcare organizations will look to modernize their strategy to begin segmenting their networks in 2024, if they have not done so already. It is a massive and difficult project that can span many years. However, it is the project that will accomplish the greatest amount of risk reduction in a healthcare environment and be a pillar in a proactive risk reduction strategy.
What’s key for these projects is the proper planning and understanding that a segmentation project can be akin to a journey with multiple phases – discovery and inventory, behavioral and communication mapping, policy creation, prioritization, test and pilot, implementation and automation. One growing trend is a risk-based prioritization approach that, instead of a traditional method of segment lists created by manufacturer or type, healthcare organizations can achieve a much faster ROI by identifying and prioritizing the segmentation of critical vulnerable devices first – particularly patient facing devices – to achieve maximum risk reduction upfront.
Additionally, defense-in-depth capabilities will start to emerge for newer medical devices. These will include more clearly outlined security documentation and behaviors, embedded security capabilities, support for security software and solutions, and retiring of legacy systems in favor of newer, more secure devices. As a result, segmentation will start to be augmented by other security capabilities now being supported on newer medical devices, such as more frequent software patching and updates.
Medical device manufacturers will develop additional security partnerships and offerings.
How effective vendors’ efforts will be is still unknown at this time, but whether through professional services, technical capabilities or new devices, we’re seeing medical device manufacturers start focusing on cybersecurity initiatives for their new medical devices. In the year ahead, medical device management service providers will place additional focus on providing remediation services for medical device security advisories. Healthcare organizations will also leverage MSSPs and partner or vendor services more to help scale their internal operations. Using this approach can help with offloading tasks, more rapid risk reduction, as well as sharing of information and best practices for maximum effectiveness.
The cybersecurity skills shortage gap will widen.
Artificial intelligence is being increasingly incorporated into technology stacks, particularly as cybersecurity vendors look to harness its innovative power. It will help streamline tasks, but organizations – particularly smaller healthcare organizations with fewer resources – will still suffer greatly from shortage of cybersecurity skills and experience – not only in specific technical domains, but also in the ability to implement and systematically mature a healthcare cybersecurity program. To fill these gaps, it’s critical that delivery organizations look to external partners for help in supporting their security programs. A foundational recommendation here is to leverage security frameworks to help build a systematic approach to improving their security posture with prioritized security efforts. A key here is to anchor the program in a framework-based approach, such as the NIST Cyber Security Framework, with regular reviews and gap analysis to form a guide on priorities and efforts for the year ahead.
Mohammad Waqas is CTO of healthcare for Armis.