- March 23, 2020
- Posted by: Rudy Silva
- Category: Blog
Innovation in medical technology has helped solve critical pain points, such as automation of processes and procedures with precision, improving patient recovery rates, and elevating the overall living standards of billions of people. A good example is the increased ease of access to medical history and the deployment of Artificial Intelligence (A.I.) tools to help healthcare professionals deliver more accurate diagnoses. However, the growing implementation of technology solutions that collect, process, and store Personally Identifiable Information (PII) and healthcare data such as Personal Health Information (PHI) has left healthcare institutions at the mercy of security breaches.
Recent technological innovations in the healthcare industry have been incredibly beneficial to humanity. However, their negligent use broadens the attack surface of information systems, thus jeopardizing the cybersecurity posture of any organization.
The Widening Cybersecurity Threat Landscape in Healthcare
A healthcare device manufacturer is responsible for developing devices that are compatible with cybersecurity controls and countermeasures. It is critical for these devices to support both passive and active security monitoring, so that malicious activities are detected and suspicious elements are isolated for further analysis. The following statistics highlight cybersecurity challenges faced by the healthcare industry:
- High Attack Risks: the healthcare industry experiences the highest cyberattack volatility (ransomware attacks) of any industry.
- High Average Costs: the average cost of recovering from a cyberattack in the healthcare industry is a whopping $3.62 million. Additionally, medical diagnostic devices are large capital purchases, and they are comprised of multiple interconnected systems used to capture and store patient data. Therefore, whenever these capital-intensive healthcare devices become compromised, achieving a recoverable state becomes inherently expensive.
- Huge Numbers Affected: over the past two years, nearly 89% of healthcare institutions have experienced loss or pilferage of patient data, thus affecting the majority of the U.S. population.
Top Three Cybersecurity Threats Facing The Health Care Industry in 2020
Ransomware
Ransomware can be defined as malicious software that denies users access to their data unless they pay the ransom. Payment is often demanded in cryptocurrency and is untraceable. There are also no guarantees that the victims will get access to the data even after paying the ransom. Ransomware-related cybercrime rose by 350% in the year 2018 alone. Reports suggest that ransomware attacks will cost enterprises nearly $6 trillion annually by 2021.
Legacy Devices and Operating Systems
When it comes to the vulnerabilities present in legacy devices and operating systems, the WannaCry ransomware attack is the most relevant example. In 2017, medical devices were compromised for the first time in many U.S. and U.K. hospitals, where hackers exploited vulnerabilities in unpatched or legacy Microsoft Windows operating systems. The attack left many crucial and expensive medical devices (such as MRI scanners) useless, because they had to be unplugged from the main network: these systems could not be quickly patched, updated, and tested.
Varied Or No Medical Diagnostics Device Security Standards
The privacy and security responsibility of medical diagnostic device manufacturers cannot be ignored, because users can no longer rely on firmware patches to achieve secure functionality. In the absence of specific cybersecurity regulations directed at the manufacturers of medical devices, the healthcare industry will continue to experience vulnerabilities that can only be resolved via secure manufacturing protocols. As more sophisticated cyberattacks continue to target the hardware component of medical devices, the healthcare industry will require all hands on deck to close the security gap, especially from medical device manufacturers. Failure to implement cybersecurity regulations on medical device manufacturers will most likely increase the likelihood of looming threats similar to the WannaCry attack in 2017.
Top Three Ways Healthcare Organizations Can Ensure Information Security
- Upgrading Baseline Security Measures & Systems: 94% of the healthcare industry is using advanced IoT/IoMT technology. However, many of the underlying systems are still running on outdated or unpatched operating and communication systems. Organizations must install and update antivirus software, firewalls, IDS, and IPS for every medical device connected to the internet.
- Investing In Employee Awareness, Training, and Education: a security or data breach is often a result of an employee clicking a malicious URL or downloading a malicious attachment, knowingly or unknowingly. Training plays a significant role in detecting and preventing phishing attempts and attacks.
- Due Care and Due Diligence: employee negligence accounts for nearly 81% of healthcare-related cybersecurity incidents. Building a robust cybersecurity culture, being aware of and responsible for your actions, and being more vigilant should be at the top of the checklist for enhancing cybersecurity.
A Robust Cybersecurity Awareness Training Program Is Key
Humans are the weakest link in the security chain when trying to protect an organization from cyber-attacks. Employees may intentionally or accidentally expose valuable information assets and pave the way for a data breach. At the same time, they could be the most reliable defense against many cyber threats if they understand how to identify and respond to a cyber attack. Thus, a robust cybersecurity awareness training program is key, especially in the healthcare sector. The following are effective cybersecurity awareness training best practices recommended and offered at GoldSky:
- Healthcare organizations must endeavor to maintain continuous cybersecurity awareness and training programs around the secure handling of software, hardware, and firmware that power medical devices. This singular and consistent best practice ensures that both users and said devices are equipped with the capacity required to withstand cyber attacks.
- Ensure that all organizations implement secure password management best practices and fully understand how to identify and respond to phishing emails, which is going to be critical in the battle against the rise of ransomware attacks within the healthcare industry.
- Training and educating employees on medical device cybersecurity incident preparedness and response plans is the board’s responsibility, to make sure that employees are aware of critical procedures to help safeguard sensitive and valuable information assets.
- Integrate an annual or bi-annual cybersecurity risk assessment into your healthcare company’s policy to prepare against cybersecurity threats to medical devices and related data.
The number of security breaches and ransomware attacks is increasing, and cybersecurity threats to the healthcare industry are assuming dangerous proportions. The vulnerabilities of healthcare devices and information systems make the industry an easy target for cybercriminals. The industry must recognize these challenges and meet them head-on by educating manufacturers, healthcare providers, and end-users about said security challenges.
Most importantly, the regulation of medical devices in the United States must assume a proactive posture, such that the FDA introduces a customized regulation targeting the secure handling of medical diagnostic devices and Electronic Health Records (EHR). FDA medical diagnostic device regulations would provide a comprehensive framework that organizations can leverage and that reinforces HIPAA and other privacy laws in the industry.