By Rob Suárez

COVID-19 has brought unprecedented challenges to those working on the front lines of healthcare, helping patients under extreme pressure, in nontraditional settings and with limited resources. In the midst of so much change, the industry has seen a number of technology shifts that could be here to stay, including virtual medical appointments and using connected medical devices to monitor patients recuperating at home. For healthcare cybersecurity leaders, this presents both a challenge and an opportunity to accelerate security initiatives.

What Healthcare Cybersecurity Has Learned from COVID-19

Early in the fight against COVID-19, there were rumors about some of the most notorious cybercriminals pledging not to attack health care delivery organizations during the pandemic[1]. Yet, the industry quickly began to see an unprecedented rise in cyberattacks. In fact, Google reports blocking 18 million malware and phishing emails related to COVID-19 each day[2].

Additionally, the United States Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre[3], the International Criminal Police Organization (INTERPOL)[4], the European Union Agency for Law Enforcement Cooperation[5], and the FB [6] all issued warnings about cybercriminals targeting hospitals, critical healthcare institutions, and even research organizations trying to find a cure. It soon became clear that cybercriminals would indeed continue to prey on the health care industry, even in its most vulnerable state.

Despite the gravity of the pandemic, our adversaries continue their quest. They see an opportunity, and they’re willing to work around the clock to exploit it. Further, it is unlikely that flattening the curve, finding a cure, or releasing a vaccine will dampen their efforts or quell their intensity. Long after schools and restaurants reopen, our cyber adversaries will continue their pursuit. 

Even as healthcare professionals put their own lives at risk to save patients, cybercriminals are diligently honing their craft. They are exploiting the need for faster, less stringent security vetting processes and conducting their own version of A/B testing to determine which phishing and smishing campaigns are most effective in the current environment. Whether you represent a health care delivery organization or a medical device manufacturer, you can be sure cybercriminals are learning from this, and we must do the same to emerge from this pandemic stronger and better equipped to fight cyberattacks.  

Three Trends for Cybersecurity’s New Normal

As we look toward building a post-COVID-19 “new normal,” many healthcare delivery organizations will need to reevaluate the “real-time” security decisions made due to sheer necessity during the crisis or because of time and resource limitations. With an eye toward increasing medical device security and resilience, here are three positive and lasting trends we can expect to see more broadly adopted in our post-pandemic reality:

1.The focus will shift to zero-trust principles.

For years, the focus in cybersecurity has been on securing the networks on which devices operate. Yet, with COVID-19, the boundaries for practicing healthcare have changed, and that means the defense perimeter has changed, as well. Further, it is unlikely that we will ever completely go back to the idea that an organization’s security perimeter can be defined by the walls of a physical building. 

Instead, the security perimeter has now expanded, and in healthcare this includes all the locations where healthcare employees work and where patient devices are used. Zero-trust principles—like assuming nothing and verifying everything—offer a more secure approach. This means trusting no one by default and operating as though the network has already been compromised. 

Since telehealth services take place outside of the physical perimeter of the hospital network and with no end in sight, providing secure access while minimizing risk will remain an ongoing effort. Adjusting to this new reality will require us to go beyond strong passwords and virtual private networks to authenticate and authorize users with additional data points, such as location, user behaviors, and device health attestation. Just as the healthcare industry needs to scale beyond the hospital to manage the growth and demand for healthcare services, securing medical devices in this new, evolving environment necessitates the widespread adoption of zero-trust principles.

2. Biomed and hospital IT professionals will expect a more transparent, simplified security experience.

When it comes to medical device technologies, the security experience needs to be simple and transparent to users. This includes clear communication around routine maintenance, like applying security updates and patches. In recent years, a number of organizations, from the U.S. FDA to the Healthcare and Public Health Sector Coordinating Councils, have issued guidance documents concerning the need for clearly defined, pre-market and post-market cybersecurity considerations related to medical devices. Earlier this year, the International Medical Device Regulators Forum also finalized a set of Principles and Practices for Medical Device Cybersecurity[7].

This guidance encourages stakeholders around the world—including medical device manufacturers and healthcare delivery organizations—to harmonize their approach to cybersecurity across the entire life cycle of a medical device, including planning for and communicating device end-of-life and end-of-support. This clarity is imperative to maintaining device security and also accelerates the clinical value of medical devices by reducing unnecessary disruptions in patient care. More than ever, healthcare delivery organizations must be able to rapidly deploy and continuously operate new technologies. Looking ahead, users will expect even greater transparency from all medical device manufacturers.

3. Collaboration around threat intelligence will become a higher priority. 

The need to keep up with real-time threat intelligence is time-consuming and constant. Particularly for hospitals caring for patients on the front lines of the pandemic, the ability to sift through the latest threats and quickly absorb accurate, reliable threat intel is essential. One way to accelerate knowledge sharing is to participate with Information Sharing and Analysis Organizations, like the Health Information Sharing and Analysis Center. 

These organizations not only provide timely intel about emerging security issues, vulnerabilities, and exploits, they also provide cyber-resilience tools and comprehensive training resources. As we prepare for the new normal ahead of us, accelerating how we share credible threat intelligence and tactical information across the industry will help us put critical mitigations in place, as needed, and adopt emerging best practices more quickly. 

Collectively, we are responsible for protecting the infrastructure of healthcare around the world. As we look toward creating a new normal in response to COVID-19, we cannot ignore the opportunity to prioritize medical device cybersecurity. Our goal is to foster resilience and respond effectively and rapidly to cyber adversaries. 

Incorporating zero-trust principles, simplifying the security experience, and increasing our commitment to sharing threat intelligence will help the industry to rebound from the recent increase in cybersecurity attacks and further improve medical device security.  

Rob Suárez, HCISPP, is vice president and chief information security officer for BD (Becton, Dickinson and Company). Questions and comments can be directed to 24×7 Magazine chief editor Keri Forsythe-Stephens at [email protected].

Resources:

  1. Winder D. Hackers Promise ‘No More Healthcare Cyber Attacks’ During COVID-19 Crisis. Forbes https://www.forbes.com/sites/daveywinder/2020/03/19/coronavirus-pandemic-self-preservation-not-altruism-behind-no-more-healthcare-cyber-attacks-during-covid-19-crisis-promise. Published March 19, 2020. Accessed April 30, 2020.
  2. Kumaran, N, Lugani S. Protecting businesses against cyber threats during COVID-19 and beyond. https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond. Published April 16, 2020. Accessed May 1, 2020.
  3. Cybersecurity & Infrastructure Security Agency. COVID-19 Exploited by Malicious Cyber Actors. https://www.us-cert.gov/ncas/alerts/aa20-099a. Published April 8, 2020. Accessed April 30, 2020.
  4. INTERPOL. Cybercriminals targeting critical healthcare institutions with ransomware. https://www.interpol.int/en/News-and-Events/News/2020/Cybercriminals-targeting-critical-healthcare-institutions-with-ransomware. Published April 4, 2020. Accessed April 30, 2020.
  5. EUROPOL. COVID-19: RANSOMWARE. https://www.europol.europa.eu/covid-19/covid-19-ransomware. Accessed May 1, 2020.
  6. Winder D. FBI Says Foreign States Hacked Into U.S. COVID-19 Research Centers: Report. Forbes.  https://www.forbes.com/sites/daveywinder/2020/04/17/fbi-says-foreign-states-hacked-into-us-covid-19-research-centers-report/#3aeb15803c29. Published April 17, 2020. Accessed April 30, 2020.
  7. International Medical Device Regulators Forum. Principles and Practices for Medical Device Cybersecurity. http://www.imdrf.org/docs/imdrf/final/technical/imdrf-tech-200318-pp-mdc-n60.pdf. Published March 18, 2020. Accessed May 7, 2020.