Healthcare continues to face dramatic challenges as we head into 2023. The long-predicted staffing shortages – which have been accelerated due to the burnout created by COVID-19 – are having an impact across healthcare service delivery all over the world. On top of that, cyber attacks continue to be on the rise – even though, a little bit ironically, technology is often, rather generically, hailed as the solution to healthcare’s problems (including staffing).
In this blog we will identify 5 key trends that we see emerging as a result of the discussions that we at Armis have with our customers and partners in understanding their challenges and plans.
Remote patient care or monitoring (RPM), utilizing smart devices, isn’t exactly new. Mercy Virtual was launched in 2015, was described in a 2016 CNN article as the “$54 million hospital without any beds” and in 2019 disclosed that for nearly 4,200 patients in their vEngagement program they had a 50% reduction in emergency department visits and hospitalizations!
With the cost of readmissions, just to Medicare, estimated at $26 Billion, one would guess that everyone joined in years ago… but that would be the wrong guess: reimbursement restrictions meant that organizations couldn’t bill for remote patient services and so couldn’t fund programs.
As with many things in healthcare, COVID-19 changed the reimbursement rules, with the Centers for Medicare and Medicaid Services (CMS) releasing an interim final rule (IFC) that effectively enabled telehealth reimbursement and RPM.
Overnight, virtual visits and telehealth skyrocketed, as did the number of remote patient monitoring companies. Beckers Hospital Review published a list of the top 50 RPM providers in July 2022 and in October 2021 Best Buy acquired RPM provider Current Health, stating “The future of consumer technology is directly connected to the future of healthcare”. RPM utilizes connected devices in the patient’s home – often a tablet or phone connected to a pulse oximeter, scales and a blood pressure cuff.
Remote care has shown indicators of its value, contributing to keeping people out of the hospital, easing some of the burden on care teams, and delivering positive results for patients. More patients will be enrolled, more devices will be deployed, and the vulnerability footprint within HDOs will continue to grow. Which leads to…
Recent research carried out by Ponemon identified 12% of attacks were rooted in IoT devices. In a recent CHIME focus group that Armis held, the highest perceived cybersecurity risks in healthcare were overwhelmingly what you might call your traditional IT devices. The Windows desktops and laptops that store Personal Health Information (PHI).
Given these devices have the most “mature” security solutions, it raises an alarm that the emerging attack surfaces are not getting the focus that they should. Healthcare is a carefully orchestrated system of increasingly connected services – of which clinician access to patient information is only one aspect.
IoT, OT and IoMT devices all play critical parts in care delivery. Building management systems control HVAC, elevators and refrigeration systems that could halt the ability to deliver patient care if disrupted. IoT devices control parking barriers, building access and security systems. And there’s a rapidly increasing array of IoMT clinical devices including nebulizers, pumps, ingestible devices, medication dispensers, etc., any of which once again, could dramatically impact patient care.
Attackers are well aware of these vulnerable areas, Gartner has predicted that by 2025 cyber attackers will have weaponized operational technology (OT) and will kill or harm humans by 2025. In an environment where people are already incredibly vulnerable, will “protection” attacks be next? Which leads us to:
As the technologies surrounding IoT, OT, IoMT and IT have evolved, the responsibility for the systems has stayed in its traditional lanes. OT systems, with their dark prediction from Gartner, remain the responsibility of facilities management. Medical devices fall into the biomedical engineering department which may report into the CMO.
Although these devices are often using a shared service provided by the IT team, when it comes to looking at the patching and security of the devices, that often falls to the individual teams, with IT having very limited visibility into devices that cannot have their security agents installed.
Furthermore, the priority of adding a patch to a sensitive MRI machine, or manually updating the firmware via a USB stick to 10,000 (sometimes hidden) infusion pumps, or updating the pneumatic tube system, is pretty low, on top of it being a logistical nightmare. Availability and uptime takes precedence, leaving these known attack vectors exploitable.
Healthcare needs to align all digital systems under a single point of responsibility. CMIO, CNIO, and CHIOs need to have understanding of the scope of the threats (not necessarily the threats themselves) and that a single infusion pump can ultimately undermine the security of the entire hospital. I believe this needs to be led by the CIO.
Committing the resources to drive this oversight, training and security though is challenging, which leads to:
As I mentioned in the opening, technology is often hailed as the solution to some of the major challenges faced by healthcare. Technology will solve the rising cost of care by utilizing big data to drive Value Based Care, increase earlier diagnosis and quality of treatments, identify risk factors for diseases and improve patient safety through improved predictions of outcomes – to name but a few. Remote patient monitoring has proven to decrease readmission rates, and is only scraping the surface in terms of the types of conditions to which this is being applied today.
What I rarely see though is exactly how this is going to be funded and staffed. Healthcare is being dramatically impacted by staffing shortages, but not just on the clinical side: also on the IT side. Many healthcare organizations have struggled to attract the best and brightest IT talent, particularly ones located close to large employers in technology and finance. Unfortunately, the “work from anywhere” post pandemic world we are in has reportedly only exacerbated the problem.
High tech organizations with lots of funding are now able to attract candidates located anywhere – and deliver higher salaries. Attracting, training and retaining talent is difficult. Experience is highly valuable – and a requirement when understanding the complicated world of healthcare information security and vulnerability management.
As more and more information moves to the cloud, it becomes less of a risk for healthcare organizations to place more services with cloud providers and utilize managed services to deal with the provisioning, management, monitoring and securing of those services. They provide consistency, accountability and predictability, which can free the valuable resources to work on some of the innovations we mentioned above, not keeping the lights on and having sleepless nights about being the sole barrier to highly organized, potentially nation state funded cyber criminals. Which leads us to:
Aligning with the theme of a single point of digital security responsibility, is a single security strategy. Knowing where to start is a challenge though. Healthcare has no shortage of security and privacy compliance requirements, yet according to the FBI it is still the industry experiencing by far the most ransomware attacks. With more standards being announced in the U.S. this makes for an overwhelming environment.
The principles of Zero Trust, when applied holistically to an environment, create the framework, concepts and architecture to address data, identity, workload, network and device security. At its simplest, it provides a model that can be shared with the organization to gain buy-in and awareness to a consolidated asset security strategy.
Items like medical devices and building management systems need to be aligned and incorporated into a single security strategy to reduce the risk of one rogue device resulting in the disruption of care across a whole organization. It’s not without its challenges and complications, but for CISOs trying to bring every asset under a single policy that will ultimately meet all of the rules and regulations for healthcare organizations globally, it’s a solid starting point.
A constant theme through these predictions is the growth of devices that are outside the capacity of many of the existing healthcare cybersecurity tools. Many organizations are challenged with how to deal with these devices that go unnoticed by traditional security tools. Even Zero Trust initiatives fail, if they don’t know the device is there. Armis customers regularly discover 40% or more additional devices on their networks than they thought they had. Without complete visibility into the entire attack surface, there is no way to secure it.
Armis was recently named as the clear leader in the Quadrant SPARK Matrix: Medical Device Security Solutions, Q4 2022 Download your copy here.
You can also see how Mater Misericordiae University Hospital is benefitting from Armis today:
Finally, to learn more about the threats from connected devices in healthcare, read our multi-part blog starting with Chapter 1.
Sign up to receive the latest news
Listen to Armis Executives share their predictions for 2023 and beyond.