The digital frontline: Battling cyber threats aimed at care facilities
How vulnerable healthcare systems are facing the onslaught and can use advanced computing technologies to improve their defenses.
Healthcare today is heavily reliant upon technologies to diagnose, monitor, manage and treat patients. IT systems manage extensive and ever-growing digital patient records on all of us.
But these systems need to be highly interoperable and connect with a whole host of other IT and IoT systems for collaboration between different primary, secondary and tertiary care providers, public and population health agencies, pharmacies and health insurers. Additionally, they need to connect to patients via provider web portals and mHealth applications where it’s possible to book appointments, review lab results and other tests, or check on vaccination records.
Doctors and nurses still play a part in this technology wonderland, but they are now reliant upon – and, in many ways, subservient to – the processes and workflows dictated by medical applications, systems and devices.
The near ubiquitous use of machine learning and other forms of artificial intelligence across healthcare for clinical decision support to radiological imaging has transformed diagnosis and treatments, while further application of AI for precision medicine appears ready to massively increase intervention effectiveness and patient outcomes.
But without working technology, modern healthcare becomes a flashlight without a battery in a dark room. It’s no wonder, then, that growing concerns about healthcare cybersecurity have reached fever pitch among government leaders, patients and those who treat them.
Healthcare has been experiencing cyberattacks for quite some time. The industry is being targeted by cybercriminals seeking to monetize stolen personal health information (PHI) and personally identifiable information (PII) held in patient records. It is also being targeted for the theft of intellectual property, cutting edge clinical research and drug trial data.
This cyber-espionage is being conducted by pariah state-operatives and by common criminals alike, intent on using or selling this data for the competitive advancement of state-owned medical enterprises. Finally, there are attacks by cyber-extortionists intent on holding this critical industry and the wellbeing of many of its patients to ransom.
An expanding threat surface of more and more technologies makes healthcare an easy target. Because of our dependence upon it and the near vertical demand for urgent health services, it makes the industry an especially lucrative target for extortion via a ransomware attack, or as an act of cyber warfare, as Ukraine has discovered since 2015.
The fact is that whether an attacker is a lone individual, part of an organized crime syndicate or a member of a nation state’s intelligence or military apparatus, cybercrime goes largely unpunished, enabling those who participate in cyber-theft, cyber-espionage, or cyber-extortion to operate with near impunity.
Very few cybercriminals to date have been prosecuted, renditioned to face trial in the west or authorized for extrajudicial justice. As a result, more young and skilled individuals are choosing to make a career out of it, especially where poverty and few other prospects present themselves.
The cost of loss
Cybercrime is on track to cost the world more than $8 trillion USD by the end of 2023. If that loss was measured in relation to a country’s revenue, cybercrime would be the world’s third largest economy after the U.S. and China. By 2025, cybercrime is estimated to reach a staggering $10.5 trillion USD annually.
Each day, from two to three healthcare providers are successfully attacked by ransomware, according to Cylera Labs. And in 2022 alone, more than 51 million Americans had their health data breached. Healthcare organizations worldwide averaged 1,463 cyberattacks per week in 2022, up 74 percent, compared with 2021. The average cost of each breach is more than $10 million, making healthcare the largest and fastest-growing industry to experience multi-million dollar cybercrime losses.
Midsize hospitals lose an average of $45,700 per hour during attacks and suffer lengthy shutdowns, on average 10 hours or more, leaving these providers unable to serve patients. A multi-week outage following a ransomware attack at Scripps Health in San Diego recently cost the provider $113 million in lost revenue and immediate incident handling charges, and that’s before fines, punitive damages and class action lawsuits by patients are accrued.
In light of this, security is now paramount for all healthcare providers, not just to prevent breaches of highly regulated protected health data but more importantly to ensure resiliency and the availability of health services when patients and communities need them.
When hospitals are unavailable, as was the case with much of the Irish HSE during the Wizard Spider attack, and a third of NHS Trusts when hit with WannaCry, patient safety is severely impacted, leading to an increase in patient morbidity and mortality. This is reflected in the recent Ponemon Institute's 2022 study, which indicated that more than half of the 517 healthcare practitioners polled saw their institutions endure greater death rates as a result of cyberattacks.
The need for healthcare security
The 1996 HIPAA rules require covered entities (CEs) to protect the confidentiality, integrity and availability of personal health information. Together, these three dimensions are referred to as the Security Triad – a supposed equilateral triangle where optimal security lies somewhere in the middle.
However, healthcare and other regulation has been almost myopically focused on the protection of confidentiality and privacy during the past two decades, meaning that cybersecurity protections for data integrity and systems availability have largely been ignored by regulation, and by security and compliance teams.
This is one of the reasons why so many healthcare providers are being hit with ransomware attacks every week. The industry has few protections against availability attacks and has not been made resilient. It lacks highly available infrastructure and tools, as well as security teams appropriately staffed, trained and drilled to respond to cyberattacks or other incidents when they inevitably occur.
Furthermore, out-of-date or end-of-life healthcare IT (HIT) systems inundate hospital data centers, while a growing morass of IoT connected medical devices fill care facilities, seemingly to automate diagnostic, treatment and patient monitoring functions while helping to drive improvements in patient outcomes. The difference is that while servers and workstations are managed by hospital IT staff and configured with antivirus, host firewalls and other security tools, healthcare IoT (HIoT) devices cannot support security supplicants and are rarely, if ever, patched against known security vulnerabilities.
Insecure legacy HIT and HIoT represent an easy target for cybercriminals and are often the first systems to be compromised. While hospitals may have a good picture of IT systems that need to be replaced when budgets permit, few have an accurate understanding of what connects to healthcare networks or just how many medical and other IoT devices are owned or leased by clinical engineering, facilities and other groups. This makes risk analysis almost impossible, despite a HIPAA requirement to risk assess any system or device that generates, transmits or stores PHI.
One in five UK NHS hospitals admitted to manually tracking each medical device added to their networks, and nearly one in six hospital networks are not checked for cybersecurity concerns at all. The linked article notes that, “NHS trusts are responsible for their own cybersecurity and must maintain a register of medical devices connected to their network, including information on their data security assurance process," said a spokesman for NHS England. “The NHS will continue to review the requirements for cybersecurity relating to connected medical devices and take action to make improvements where appropriate.”
Medical devices and other healthcare IoT connected endpoints represent the open back door to hospital cybersecurity, privacy and compliance. Most were never designed to be secure, few manufacturers test and publish vulnerabilities, and even fewer make security patches available even when critical vulnerabilities are discovered.
That is about to change for new medical devices approved after Oct. 1, 2023, but with literally millions of legacy devices in use each day, and with an expected life expectancy of as long as 20 years, the security of HIoT is going to be a major concern for decades to come.
While compensating security controls such as network segmentation or micro-segmentation can be used to lock down or “enclave” at-risk devices, thus permitting their safe continued use on patients, the problem for security teams is building an accurate profile for needed traffic in and out of any segment or enclave. This is where next generation AI based tools come into play using ML DataType Analysis to generate a profile for each and every device attached to medical networks. After a profile is created, AI can be used again to build a Digital Twin of each device where thorough security testing can be conducted to understand risks, to meet HIPAA risk analysis compliance requirements and to prioritize risk remediation when patches can be obtained.
After a hi-fidelity device profile has been generated, tools can be used to seamlessly orchestrate segmentation via network access controls (NAC) already owned and licensed by most providers.
Combined, these AI based IoT security and management tools can be used to identify, assess, and easily remediate risks, thus eliminating a major headache for hospitals and other providers.
Richard Staynings is chief security strategist for @Cylera and adjunct professor of cybersecurity and health informatics at the University of Denver.