Cybersecurity poised to take center stage at HIMSS21

The increased volume of ransomware, data breaches and other attacks that started during the COVID-19 pandemic continues to threaten patient, data and medical device safety.

While all eyes have been on COVID-19 for the past 18 months, opportunistic and morally bankrupt cybercriminals exploited the once-in-a-century pandemic to accelerate attacks on the healthcare sector at a time when the industry needed to prioritize health and safety over digital security.

As the coronavirus slowly begins to recede from its highest peaks, many of today’s healthcare security leaders are finally able to renew their focus on strengthening their cybersecurity posture. Cyber defense will be front and center at the 2021 HIMSS Global Health Conference, and not a moment too soon, as the increased volume of ransomware, data breaches and other attacks that started during the pandemic continues to threaten patient, data and medical device safety.

A Growing Onslaught of Cyber Attacks in Healthcare

In the early months of the pandemic, cyberattacks accounted for 79% of reported healthcare data breaches. They continued to escalate from there, with a reported 45% spike in attacks on healthcare systems in November and December 2020 alone, compared to a 22% increase in other sectors.

A significant number of these attacks were ransomware, which shuts down mission-critical operations or systems until an organization either pays the ransom, obtains a decryption key, or initiates a backup system. It is estimated that ransomware attacks on healthcare organizations each lasted an average of 287 days and cost an average of $8.1 million, according to Emsisoft.

The cybersecurity problem is not limited to the United States. Central Europe, East Asia and Latin America also experienced triple-digit increases in healthcare attacks, as cybercriminals sought to steal valuable commercial and patient information, disrupt operations and take digital hostages for financial gain.

Attacks on healthcare networks, systems and devices show no signs of slowing down. Although the industry houses some of the most sensitive personally identifiable and confidential information in existence, its defenses are often less ‘in-depth’ and multi-layered than those of large enterprises or government entities, even as personal health data is more than three times more valuable on the black market than other kinds of personal information. Since hackers tend to look for targets they can attack with the least amount of effort, healthcare is often in their crosshairs, and the wide variety of medical and IoT devices with outdated operating systems and other vulnerabilities often makes them the weakest link in those environments.

In fact, last year’s HIMSS cybersecurity survey revealed that healthcare providers' cybersecurity budgets are only 6% or less of the total IT spend. This is especially concerning post-pandemic, as providers and patients have become more reliant on digital, patient-centric solutions – like telehealth, remote patient monitoring and wearables. The rapid push to make these technologies interoperable with healthcare organizations’ existing information systems has opened the door to new channels of data vulnerabilities and altered the size and shape of their computing edge.

Data aggregated from Cynerio deployments at hospitals reveals how vulnerable connected IoT and medical devices are to ransomware and other attacks. In environments where Cynerio is first deployed, our analytics found that over 70% of IoMT (Internet of Medical Things) devices have at least one critical vulnerability, and over three-quarters of these risky devices would have a critical impact on patient safety if an attacker were to take advantage. In addition, nearly half of IoMT devices handling or transmitting personal health data are also found to have critical risks that could enable data breaches.

Ultimately, the explosion of connected and vulnerable devices in medical environments means that there are many more potential entry points in healthcare systems for ransomware and other threats. Many of these devices are connected to live patients whose safety could be adversely affected if devices don’t function as designed. While the pandemic necessitated a rapid shift to virtual visits to maintain optimal patient outcomes, securing the emerging IoT technology and digital transformation underpinning those visits will be crucial to protecting those outcomes from attackers seeking to jeopardize them in the future.

Strengthening Cyber Safety Reinforces Patient Safety

Given all the challenges healthcare providers are facing – including IoMT and cloud security, data protection, and how to manage device vulnerabilities and respond if attacks occur – it seems fitting that HIMSS is bringing cybersecurity to the forefront. How to best secure hospitals is a multi-faceted conversation that will lead in many different directions. However, a few key themes are emerging as healthcare industry professionals seek to secure the digital tools and devices that mushroomed in the wake of the pandemic:

  • There is no patient safety without cyber safety - The average hospital room has more than 15 connected devices in it, and if an attack prevents them from functioning properly, a patient’s life could be on the line. Connected devices have done wonders for streamlining care and improving health, and to keep them functioning and available when we most need them, security tools designed with those connected devices in mind must be implemented.
  • More devices than ever contain confidential data - Valuable personal healthcare data goes for a premium on the black market, and letting it slip out in a breach results in hospitals getting fined, audited and taking a reputational hit. Every healthcare entity covered by HIPAA needs to disclose data breaches publicly within sixty days of their discovery, making further attention from auditors and regulators inevitable. Proactively avoiding breaches allows hospitals to focus on providing better patient care.
  • Zero Trust architecture will increasingly be leveraged to control risk - With remote work causing the digital perimeter to dissipate, businesses increasingly turned to Zero Trust to better control risk by assuming that every user or device on a network could potentially be malicious. Although 72% of organizations across every sector plan to deploy the Zero Trust approach by the end of this year, it has yet to be widely embraced within healthcare. Part of this is due to healthcare’s “first, do no harm” approach to patient care, which makes the industry averse to security frameworks that might disrupt device functionality. However, we expect Zero Trust to get more popular in the sector as security solutions improve their policy validation capabilities before deployment.

This year at HIMSS, we look forward to productive discussions on how the industry can better work together to ensure a critical balance between security and safety, while not disrupting the medical process and negatively impacting patient care. These conversations will be critical as we seek to better equip hospitals and health systems with the tools, insight, and control they need to stay secure.

Leon Lerman is the co-founder and CEO of Cynerio, Inc., a full-suite Healthcare IoT platform that enables healthcare providers to secure patient data and connected devices against cyber threats. He has over 15 years of experience in innovative cyber security development, served in Israel's elite Unit 8200 cyber technology division, has served as a trusted security advisor to Fortune 500 companies, and has earned international recognition for excellence in the cybersecurity industry.