Feb 28, 2023

Chapter 10 – Which role can you play in strengthening cybersecurity in healthcare?

By

James Millington

Senior Director, Product Marketing
Ch 10 - Which role can you play in strengthening cybersecurity in healthcare?

From hospital staff and third-party partners to board members, all stakeholders play a role in keeping healthcare cyber threats at bay. Hospital cybersecurity is everyone’s responsibility. 

This final chapter of our Internet of Medical Things (IoMT) Security playbook breaks down how different hospital stakeholders can work together to improve cybersecurity in healthcare.

Cyber threats to healthcare require increased accountability

A takeaway from this IoMT security series is the concern with the expanding attack surface and the growing number of cyberattacks disrupting hospitals’ operations and patient care. From building systems to infusion pumps, smart devices in healthcare are ubiquitous, with hospitals expected to deploy 7.4 million connected IoMT devices globally by 2026, according to Juniper Research
The expanding cyberattack surface goes beyond connected medical devices themselves, as Armis forecasts that, by 2025, the number of unmanaged assets will surpass 50 billion devices.

Chart indicates that 95% of assets are unmanaged. Chart also shows that, by 2025, there will be over 50 billion connected devices, according to Armis research and various market analysts

With the growing attack surface and threat landscape, putting in place stronger controls has become critical. Here are four trends that also reinforce the call for increased healthcare industry cybersecurity:

1. Cybersecurity as a liability for leadership teams

Cyber liability refers to the potential financial losses, legal liabilities, and reputational damage that organizations may face as a result of a cybersecurity breach or failure to adequately protect sensitive information. Cyber incidents in healthcare facilities can impact the delivery of care — for example, hacked medical smart devices can malfunction while touching patients or ransomware attacks can force hospitals to halt emergency services.

Such is the concern that Gartner predicts that, by 2024, three out of four CEOs will become personally liable for cyber-physical security incidents. Gartner also anticipates that, by 2026, at least half of executives at the C-level roles will have performance expectations regarding cybersecurity risk management as part of their employment agreements. These predictions indicate a growing understanding of cybersecurity as a business risk rather than merely an IT issue. 

2. Healthcare cybersecurity regulations 

The rise in connected healthcare devices and cyberattacks has added pressure on regulators and manufacturers to establish more rigorous cybersecurity standards for medical devices. The Protecting and Transforming Cyber Health Care (PATCH) Act, for example, has measures to enhance medical device security standards. One of the provisions is the requirement to disclose a software bill of materials (SBOM) for new devices, which will help to support the identification of vulnerabilities and management of risks and compliance.

Another recent legislation is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires organizations to report breaches and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). As covered in Chapter 4, medical device ransomware detection and prevention is a focus of concern for hospitals.

Healthcare organizations are subject to a number of regulations that aim to protect electronic health records, including the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Data Security and Protection Toolkit (DSPT) in the United Kingdom. Compliance with regulations requires hospitals to boost their investments in cybersecurity.

3. Calls for more investments in medical cybersecurity

In the HIMSS Healthcare Cybersecurity Survey, 59% of the respondents indicated a yearly increase in budget allocation towards cybersecurity in healthcare. Higher investments are a response to the growing attack surface and the need to comply with regulations to improve patient data security. In fact, three out of four IT healthcare professionals in the Armis Censuswide survey confirm that cyberattacks have had a strong influence on decision-making at their health organization. 

4. Growing importance of cyber healthcare training and awareness

As the SANS Security Awareness Report points out, lack of time is a top challenge in managing awareness programs, but not implementing those measures can increase your cyber risk. After all, data breaches are largely driven by human factors, with 82% of incidents involving human error (for example, using a weak password or falling for a phishing email), per Verizon’s report.

SANS Security Awareness Report shows the top challenges in managing awareness programs.
Source: SANS Security Awareness Report

In order to address human behavior in cybersecurity strategies, hospitals should conduct regular training sessions for employees on IT best practices, including how to identify and avoid phishing emails, create complex passwords, and report medical cybersecurity incidents. 

Stay ahead of the latest hospital security trends. Explore our top 5 healthcare cybersecurity predictions for 2023.

What your teams can do to prevent healthcare cyberattacks 

Building and fostering cybersecurity in healthcare requires alignment between cross-functional teams with different priorities. Typically, while IT focuses on security, biomedical professionals prioritize patient safety. Lack of communication and collaboration between departments can lead to blind spots and exposure to the threat landscape.

Here’s how hospital stakeholders can work together to prevent cyberattacks in the healthcare industry:

Healthcare leaders

Leaders play a key role in creating a sense of urgency and getting stakeholder support for initiatives that can help keep hospitals out of the headlines about security breaches in healthcare.

To address the growing challenges of healthcare cybersecurity, the role of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) should grow. In other words, these leaders should take responsibility for the security strategy across all assets, beyond IT. Since everything is connected now, from MRI machines to the HVAC systems, a traditional siloed approach poses too many gaps. That’s why hospitals need to unite the security and risk for connected devices in healthcare under a single responsible leader — an approach that breaks down silos between IT security and biomedical teams. 

IT security teams

​​IT security teams are responsible for identifying, monitoring, and creating policies to secure all types of smart healthcare devices, including OT, IoT, and IoMT devices. IT might feel overwhelmed with too many vulnerability alerts, so it’s crucial to take a risk-based approach and prioritize remediation for issues that might have a clinical impact. 

Healthcare technology management

Cybersecurity is a growing concern for teams responsible for tracking connected medical devices and overseeing the medical equipment lifecycle. Healthcare technology management needs to take the evolving threat landscape into account when leading clinical device planning and then build stronger partnerships with IT security teams. 

For example, biomed teams should proactively engage healthcare cybersecurity professionals when procuring new devices. Let’s say you are going to purchase new CT scanners and you have to choose between two assets that are on par from a clinical point of view. You can bring cybersecurity in to influence the decision and select the equipment with increased cyber controls. 

Operations

Operation teams typically focus on the potential impact that a failure of power, water, and HVAC systems might have on clinical operations. With the IT/OT convergence, these disruptions could be triggered by cybersecurity breaches. No wonder healthcare IT professionals surveyed by Armis Censuswide consider building management systems such as HVAC riskier devices than image machines and check-in kiosks.

These concerns reinforce the importance of operation teams working more closely with IT departments to ensure business continuity. To learn more about the challenges of securing operational technology, check out our IT/OT Cybersecurity Playbook.

General staff 

While cybersecurity is often seen as the responsibility of IT professionals and security personnel, every employee in a hospital has a role to play in keeping patient data safe. Whether it’s a nurse accessing a patient’s medical records on a computer or a front desk staff member handling billing information, every interaction with technology presents an opportunity for a cybercriminal to strike. All hospital staff should be aware of cyber risks and follow the best practices in healthcare cybersecurity, including the use of strong, unique passwords and multifactor authentication.

Third-party partners 

A report by the U.S. Department of Health and Human Services indicates that 94% of healthcare delivery organizations (HDOs) give third parties access to their systems. These partners can be valuable assets to HDOs, providing expertise and resources that may not be available in-house. But vendors can also cause a security incident, for example, due to a misconfiguration or failure to follow security protocols. 

In addition, third-party partners might have weaker security measures in place than the healthcare companies they are working for, making them an easier target for cybercriminals. Attackers target vendors as a way to gain access to HDOs’ systems and data. In fact, a Ponemon report even indicates that 36% of the reported ransomware incidents were caused by third parties. 

Learn how to take a multi-faced approach to hospital cybersecurity. Download our white paper showcasing Armis’s use cases for the health system.

Let Armis help you boost your hospital cybersecurity 

To strengthen cybersecurity in healthcare, hospitals need a single platform to discover, analyze, and secure IoMT, IoT, OT, and IT assets. That’s the case with Armis Asset Intelligence and Security Platform, which empowers biomedical, security, and IT teams with a unified view that includes hospital security risk assessment, vulnerability management, and medical device utilization insights. 
Book a demo to see Armis in action.

Frequently Asked Questions

Why is the healthcare industry prone to cybersecurity threats?

The healthcare industry is prone to cybersecurity threats due to the following reasons:

  • Healthcare delivery organizations (HDOs) collect and store large amounts of sensitive personal and medical information that cybercriminals can profit from.
  • The healthcare industry has a long medical device life expectancy due to the complex regulatory environment and the high cost of development and testing. As a result, hospitals often rely on legacy technology that can’t be easily patched, exposing organizations to IoMT, IoT, OT, and IT vulnerabilities.
  • Healthcare employees may lack cybersecurity training and be unaware of the risks and best practices in healthcare security, making them more susceptible to phishing and other social engineering attacks.
  • The complex and interconnected nature of healthcare systems and devices expands the attack surface. A majority of smart devices in the healthcare industry are unmanaged and can’t be secured with traditional IT security solutions, creating cybersecurity blind spots.

What are the top cyber threats to healthcare?

The top healthcare cyber threats include:

  • Ransomware attacks: Cybercriminals use malware to encrypt a healthcare organization’s data and demand a ransom payment in exchange for the decryption key.
  • Phishing attacks: Cybercriminals use email, social media, or other means to trick healthcare employees into divulging sensitive information, installing malware on their devices, or granting access to secure systems.
  • Insider threats: Malicious or careless insiders, such as employees or contractors, can intentionally or unintentionally cause security breaches in healthcare.
  • Device vulnerabilities: The increasing use of OT, IoT, and medical equipment with internet connectivity has created new security challenges, threats, and vulnerabilities that can be exploited by malicious actors.
  • Supply chain attacks: Third-party vendors and contractors may have weaker security measures than the hospital they are working for, making them a potential entry point for healthcare cyberattacks.
  • Data theft: Cybercriminals may target hospitals to steal protected health information, which can be sold on the dark web or used for identity theft.

Read all IoMT Playbook Chapters:

  1. Chapter 1 – How to innovate in healthcare with IoMT devices without exposing the expanding cyber attack surface
  2. Chapter 2 – The Hurdles of Internet of Medical Things Security
  3. Chapter 3 – A history of medical device hacking
  4. Chapter 4 – How to mitigate ransomware in healthcare
  5. Chapter 5 – How to minimize the clinical risks of unsecured healthcare devices
  6. Chapter 6 – How to improve patient data security
  7. Chapter 7 – Why healthcare IT security can’t protect against IoMT vulnerabilities
  8. Chapter 8 – How to spot the top indicators of compromise in healthcare
  9. Chapter 9 – The fundamentals of medical device cybersecurity 
  10. Chapter 10: Which role can you play in strengthening cybersecurity in healthcare moving forward? 👈 you are here

Get Updates!

Sign up to receive the latest news

path-12-path-12-path-12-mask