Cybersecurity presents a serious challenge to health systems. Guarding against attacks and reducing risk requires comprehensive strategy from the top down.
By Scott Trevino
Cybersecurity is one of the most prevalent challenges in healthcare. The U.S. Department of Health and Human Services warns that industry cyberattacks are growing in both “numbers and severity.” In response to this intensifying threat, health systems need to establish a comprehensive medical device cybersecurity program to avoid being vulnerable to cyberattacks and malicious intrusions which could have life-threatening consequences.
This summer, one cyberattack disrupted hospitals in several states, forcing some hospitals to shut down emergency rooms, postpone elective surgeries and other services, and resort to paper records. Health systems increasingly rely on digital technology and networks to provide patient care, and while this has transformed care delivery, it has also introduced a multitude of new cybersecurity risks.
The financial impact of cyberattacks, which costs health systems an average of more than $10 million—combined with operational disruption to vital medical equipment and patient care—put healthcare facilities’ reputation, and most importantly, patient safety and outcomes at risk. The U.S. government says increasing cyberattacks on hospitals are “creating fear and confusion while eroding the public’s trust and faith in our hospital systems throughout the U.S., potentially leading to public health challenges.”
The proliferation of cyberattacks has driven health systems to spend more on cybersecurity initiatives, with sustained double-digit annual growth projected through the end of the decade. Yet increased spending alone does not guarantee the success of a cybersecurity program. Without the right processes in place to coordinate between people and technology, major gaps can remain in a healthcare organization’s cybersecurity strategy.
In September, the U.S. Treasury Department said a cybercrime gang that had targeted hospitals “publicly gloated” how easy it was to target the medical facilities and how quickly it received ransom money.
Health systems can start on the path to cybersecurity by strengthening their processes for managing medical devices, breaking down organizational silos, and standardizing how their organization evaluates and addresses risk.
First, a health system needs to establish an accurate inventory. Inventory accuracy builds the foundations of a reliable cybersecurity program, but it is often a major stumbling block for many health systems. Without a rigorous assessment of current clinical assets, it can be difficult to know where to begin improving medical device cybersecurity.
Cybersecurity requires visibility and reliable data. Developing a strong understanding of what resources and assets a health system has, where they are located, and how they are used in a clinical environment is crucial for executing a medical device cybersecurity strategy. While this may sound intuitive, it is often difficult for health systems because they don’t have clear processes and systems in place.
There are many cybersecurity vulnerabilities across these dispersed inventories. A 2022 report indicated that 53% of healthcare IoT devices, including medical equipment, have known critical vulnerabilities. When numerous vulnerabilities are not carefully and accurately identified and matched to the relevant devices, the ability to generate actionable intelligence suffers.
Empower Associates to Support Security
Health systems should empower their associates to support the organization’s cyber defenses. Cybercriminals frequently take advantage of healthcare personnel to gain access to health systems through ransomware attacks.
Thirty-eight percent of attacks on healthcare organizations are ransomware. Bad actors use carefully disguised emails, links, and websites to steal sensitive information and credentials that cannot be retrieved once divulged. Precautions are the greatest defense for anyone wishing to avoid leakage of vital details.
Health systems can provide extra resources and training to their members to make them more aware. Training must include common tactics used by hackers including almost identical email addresses, dubious URLs, suspicious formatting, and urgent text messages. IT teams should actively engage with other members of the organization, informing them of the latest tactics cybercriminals are using.
Connecting with an external third-party organization that is well-versed in cybersecurity, particularly for medical device cybersecurity instruction for clinical engineering teams, will help a health system to stay on top of evolving threats.
Break Down Silos Between Healthcare Technology and IT Teams
Health systems must leverage all human resources to close the loop on cybersecurity initiatives.
Organizational silos can create gaps in cybersecurity coverage. A lack of coordination between IT teams and clinical engineering teams can be detrimental to a health system’s cybersecurity program.
Traditionally the management of medical device cybersecurity has not been a primary concern of a clinical engineering program in a healthcare organization. Clinical engineering teams are usually most focused on scheduled and preventive maintenance and repairs, and often lack IT and cybersecurity skills training. IT teams often don’t have the medical device knowledge or experience and expertise to work on medical equipment. These teams should work collaboratively, leveraging their complementary skills, allowing healthcare organizations to more effectively protect against cyberattacks while contributing to their primary mission: safe and reliable patient care.
To make matters more complicated, original equipment manufacturers (OEM) have disparate methods of sharing the availability of a validated or approved mitigation for medical devices impacted by a vulnerability, and there are no industry-wide standards or regulations for releasing validated patches in a reasonable time. This creates a unique challenge for healthcare organizations to track the timely availability of a patch or other mitigations.
Health systems can minimize these types of inefficiencies and inaccuracies by adopting tools and processes that make vital information more accessible to both IT and clinical engineering teams. Passive monitoring and identification tools can promptly detect vulnerabilities in network-connected medical devices. Up-to-date automated discovery in real-time combined with device profiling enables health systems to confidently identify authorized assets within their fleet.
Standardize Risk Assessment
Understanding how medical devices function clinically is just as important for assessing cybersecurity risk as identifying and monitoring vulnerabilities. Clinical engineering and cybersecurity teams should work together to perform risk assessments, once again bridging the gap between the two teams, to provide the most accurate assessment of the risks in a health system’s inventory.
Tracking key characteristics of medical devices can help establish a common understanding of risk and how to prioritize it:
- Network connectivity: Can a device connect to the facility’s networks, and is it currently connected?
- PHI storage: Can a device electronically store identifying patient data, and does it currently do so?
- FDA alerts and manufacturer recalls: As medical device technology rapidly evolves, new concerns and challenges are bound to emerge.
- Role in clinical care: It’s important to understand how a device is used and the immediate safety risk to patients if it were to fail.
- Mission criticality: What is the potential risk of a device failure to organizational operations?
Once a health system understands the characteristics of risk, it will be able to prioritize cybersecurity projects with a standardized method. A standardized method allows the health system to clearly prioritize projects based on its own unique needs and take prompt action.
Empower Continuous Improvement
Establishing a governance council can foster communication and accountability between all stakeholders involved in remediating known vulnerabilities and reducing overall risk. This council can include IT, clinical engineering, operations, facilities, and C-suite executives.
The governance council, working in tandem with clinical engineering and IT teams, should be plugged into all medical device technology integrations and related work processes. This will help the health system monitor, detect, and respond to cybersecurity threats more quickly.
Improved readiness is not just about shortening the response time when a breach occurs. It’s also about increasing the ability to prevent attackers from gaining access in the first place.
Cybersecurity is one of the most pressing threats to health care, and the urgency will only increase going forward. Health systems understandably want to rise to the challenge quickly to protect their patients and the infrastructure that makes high-quality care possible. However, a thorough approach is needed to build sustainable security practices. That approach requires comprehensive data, collaboration, and established processes.
Scott Trevino is senior vice president of cybersecurity at TRIMEDX. Questions and comments can be directed to [email protected].