Mitigating health care’s cybersecurity risks in the era of hyperconnectivity

EHR implementations and numerous other interoperability initiatives have dominated health care industry technology agendas for nearly two decades. Although the resulting “connected landscape” has driven a treasure trove of operational efficiencies and patient care improvements, it also serves as host to the most lucrative attack surface across industry.

Put bluntly, for an increasingly sophisticated, global community of cybercriminals, health care pays - both figuratively and literally.

The cyberattack by the WannaCry ransomware cryptoworm in 2017 demonstrated this point. Clinical networking vulnerabilities and the consequences of a successful breach were exposed in dramatic fashion. Whether history will record WannaCry as the industry’s wake-up call already seems irrelevant, as health care networks continue to be compromised in an increasing number of ways and at an unprecedented pace. 

Cyberattacks against health care organizations jumped 60% in 2019, while crippling Trojan ransomware programs like Emotet and TrickBot climbed by 82% between the second and third quarters, according a 2019 Cybercrime Tactics and Techniques report by Malwarebytes, an anti-malware provider. Whether the subject of an external attack or caused by internal human error, the problem is that most health care delivery organizations don’t have the technology or expertise to detect and react to either in a reasonable timeframe.

In fact, the 2019 Cost of Data Breach Study conducted by the Ponemon Institute confirmed that the average time for a health care organization to identify a breach is 236 days - almost two months longer than the average across other industries - and then an additional 93 days to contain it. Even more alarming, the average total cost of a data breach in the health care industry is $6.45 million. The total damage - whether to patients, devices, care delivery systems or record keeping infrastructure - is hard to imagine. And keep in mind, these are self-
reported numbers. 

Cybersecurity is now top of mind with health care leadership. The lack of clinical network cybersecurity, however, wasn’t an oversight - the tools required to solve the problem didn’t exist. Not surprisingly, risk capital poured into the problem space, a solution market was born, and health care’s established early adopters are already driving new best practices in partnership with their selected vendors. Although the solution market is relatively immature, it has made dramatic strides in short order. And, since there’s no such thing as “plug and play” cybersecurity, the market’s leaders are quickly differentiating, both in terms of innate capabilities and the ability to bring them to life in successful implementations.  

Examining the problem

Sometimes referred to as “bringing down silos,” the interoperability trends of the past several years are essentially a push for new front-, middle- and back-office connections. Specific to cybersecurity, the adoption of “smart devices,” also known as the Internet of Things (IoT), has exploded. It seems that every device in use anymore, whether to facilitate patient care directly (e.g. patient monitors, infusion pumps, radiology, etc.) or to improve the way systems are managed - from cameras to elevators to HVAC - are “talking” to one another. As expected, the data being generated are proving to be immensely valuable and strategic, as the resulting operational efficiencies include improved clinical workflow coordination, faster revenue cycles, smarter major system management and better patient care. 

Of course, the downside with every added “endpoint” is increased risk caused by poorly managed devices, many of which can cause financial harm, not to mention system-wide care delivery issues and patient safety nightmares. And while debates continue over the severity of direct patient risks, those arguments are losing traction because the disruption caused by a successful breach can impact patient care many other ways.

Although the very idea of a hack to a connected medical device is horrifying, a successful compromise of an HVAC system or an elevator complex can also have a shutdown effect. While all connected assets are not created equal, it is important that health care leaders understand how they’re all part of a larger, interdependent system. 

Unfortunately, the reality is many health care systems have little visibility into which medical (and general IoT) devices are connecting to their networks, where these devices are located, how they’re connected, who’s using them, how they’re being used and their respective security posture. This makes it nearly impossible for even the most tech-savvy organizations to create an effective security strategy because you can’t manage what you can’t see.  

The solution is visibility

For these reasons, connected asset visibility must be comprehensive and include highly granular device-profiling detail. This is definitely a case where the more data, the better, and enriched, contextualized data are best. So, it’s not just about discovering what’s connected inside your network. Instead, what’s required are detailed device-specific profiles, including an understanding of the device’s needs and workflow, knowledge of how the device interoperates, how it is being used and its security posture.  

Due to the proprietary nature of both clinical and medical devices and the unique, often undocumented communication protocols that they use, visibility remains a major challenge. And given how these assets are maintained, updated, patched, etc., a continuous view into their status is essential, whether for good, safe operations or security purposes.

When that kind of continuous, real-time visibility is available, most things are possible. For example, instead of health care technology management workers scrambling to determine if a newly published threat is relevant, any/all existing and newly published threats can be instantly correlated. Armed with knowledge, anomalous behaviors at the network level can also be detected and safely terminated. The list goes on. The operational benefits can actually change the organizational profile of those enlisted to execute the improvements. 

In short, you must establish an accurate baseline and build security programs from the ground up. You must know your endpoints at the individual level and build from there. In doing so, you can not only create and enforce appropriate security policies, but also overhaul preventative maintenance programs and rationalize replenishment programs. 
The hyperconnected future
Telehealth and the bring-your-own-device trend are driving an even more connected landscape. And because COVID-19 will result in permanent changes that continue to drive both, management and security challenges will clearly increase. Looking ahead, it’s not difficult to envision a future where a majority of care is delivered through mobile, remote-capable monitoring solutions, so leaders must take notice. 

Recognizing that budgets and cybersecurity experiences vary, a logical first preparatory step is to take inventory of the devices used by clinicians to conduct remote consultations, followed by an inventory of mobile devices used to remotely monitor the conditions of patients. Are they hospital-issued devices or personal? What type of information are they transmitting and what, if any, security policies exist? What is the difference between device counts under mobile device management pre-COVID-19 versus the number of devices in use post-COVID-19? 
The good news is that the market’s leading solution providers are genuinely on top of the problem space. The bad news is that separating the marketing hype from reality can be difficult.

Choosing vendors that are focused on the acute care subvertical makes sense, since cross-industry solutions rarely work in health care. If the right vendor is selected, financial offices can justify their investments against a business case that is based on operational improvements that can be monetized - and ultimately benefit patients.