From hospital staff and third-party partners to board members, all stakeholders play a role in keeping healthcare cyber threats at bay. Hospital cybersecurity is everyone’s responsibility.
This final chapter of our Internet of Medical Things (IoMT) Security playbook breaks down how different hospital stakeholders can work together to improve cybersecurity in healthcare.
One takeaway from this IoMT security series is the concern over the expanding attack surface and the growing number of cyberattacks disrupting hospitals’ operations and patient care. From building systems to infusion pumps, smart devices in healthcare are ubiquitous, with hospitals expected to deploy 7.4 million connected IoMT devices globally by 2026, according to Juniper Research.
The expanding cyberattack surface goes beyond connected medical devices themselves, as Armis forecasts that, by 2025, the number of unmanaged assets will surpass 50 billion devices.
With the growing attack surface and threat landscape, putting in place stronger controls has become critical. Here are four trends that also reinforce the call for increased healthcare industry cybersecurity:
Cyber liability refers to the potential financial losses, legal liabilities, and reputational damage that organizations may face as a result of a cybersecurity breach or failure to adequately protect sensitive information. Cyber incidents in healthcare facilities can impact the delivery of care — for example, hacked medical smart devices can malfunction while touching patients or ransomware attacks can force hospitals to halt emergency services.
Such is the concern that Gartner predicts that, by 2024, three out of four CEOs will become personally liable for cyber-physical security incidents. Gartner also anticipates that, by 2026, at least half of C-level executives will have performance expectations regarding cybersecurity risk management as part of their employment agreements. These predictions indicate a growing understanding of cybersecurity as a business risk rather than merely an IT issue.
The rise in connected healthcare devices and cyberattacks has added pressure on regulators and manufacturers to establish more rigorous cybersecurity standards for medical devices. The Protecting and Transforming Cyber Health Care (PATCH) Act, for example, has measures to enhance medical device security standards. One of the provisions is the requirement to disclose a software bill of materials (SBOM) for new devices, which will help to support the identification of vulnerabilities and management of risks and compliance.
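The SBOM provision above is useful because a disclosed component list can be matched mechanically against advisories. The following is an added example, not code from Armis or from the playbook: it takes a constructed CycloneDX-style SBOM for a hypothetical device firmware and a constructed advisory list (component names, versions and advisory ids are placeholders) and reports which components fall inside an affected version range.

```python
"""Match the components of a device SBOM against known-vulnerable versions.

Added example, not code from Armis or the IoMT playbook. The SBOM and the
advisory feed below are constructed sample data in a CycloneDX-like layout;
component versions and advisory ids are placeholders, not real advisories.
"""
from typing import Dict, List, Tuple

# Constructed SBOM for a hypothetical infusion-pump firmware image.
DEVICE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"name": "example-infusion-pump-fw", "version": "3.2.0"}},
    "components": [
        {"name": "openssl", "version": "1.0.2u"},
        {"name": "busybox", "version": "1.31.1"},
        {"name": "lwip", "version": "2.1.2"},
        {"name": "zlib", "version": "1.2.11"},
    ],
}

# Constructed advisory feed. A component is affected when
# affected_from <= version < fixed_in (half-open range).
ADVISORIES = [
    {"component": "openssl", "affected_from": "1.0.0", "fixed_in": "1.1.0",
     "id": "ADV-PLACEHOLDER-1", "severity": "high"},
    {"component": "zlib", "affected_from": "1.2.0", "fixed_in": "1.2.12",
     "id": "ADV-PLACEHOLDER-2", "severity": "critical"},
    {"component": "busybox", "affected_from": "1.0.0", "fixed_in": "1.30.0",
     "id": "ADV-PLACEHOLDER-3", "severity": "medium"},
]


def parse_version(version: str) -> Tuple[Tuple[int, str], ...]:
    """Split a dotted version into (number, suffix) pairs so that
    "1.0.2u" becomes ((1, ""), (0, ""), (2, "u")) and compares numerically."""
    parts = []
    for piece in version.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        number = int(piece[:i]) if i else 0
        parts.append((number, piece[i:]))
    return tuple(parts)


def version_in_range(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in, padding short versions
    with zero components so "1.2" compares equal to "1.2.0"."""
    v, lo, hi = parse_version(version), parse_version(affected_from), parse_version(fixed_in)
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + ((0, ""),) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def match_sbom(sbom: Dict, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            same_component = adv["component"].lower() == comp["name"].lower()
            if same_component and version_in_range(comp["version"], adv["affected_from"], adv["fixed_in"]):
                findings.append({
                    "component": comp["name"],
                    "version": comp["version"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    return findings


if __name__ == "__main__":
    for f in match_sbom(DEVICE_SBOM, ADVISORIES):
        print(f"{f['severity']:>8}  {f['component']} {f['version']}  ({f['advisory']})")
```

Against the constructed data this flags the openssl and zlib entries and leaves busybox alone because its version is past the fixed release. A real deployment would pull the advisory feed from the device manufacturer or a vulnerability database rather than a hard-coded list, but the matching step is the same.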
Another recent legislation is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which requires organizations to report breaches and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). As covered in Chapter 4, medical device ransomware detection and prevention is a focus of concern for hospitals.
Healthcare organizations are subject to a number of regulations that aim to protect electronic health records, including the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Data Security and Protection Toolkit (DSPT) in the United Kingdom. Compliance with regulations requires hospitals to boost their investments in cybersecurity.
In the HIMSS Healthcare Cybersecurity Survey, 59% of the respondents indicated a yearly increase in budget allocation towards cybersecurity in healthcare. Higher investments are a response to the growing attack surface and the need to comply with regulations to improve patient data security. In fact, three out of four IT healthcare professionals in the Armis Censuswide survey confirm that cyberattacks have had a strong influence on decision-making at their health organization.
As the SANS Security Awareness Report points out, lack of time is a top challenge in managing awareness programs, but not implementing those measures can increase your cyber risk. After all, data breaches are largely driven by human factors, with 82% of incidents involving human error (for example, using a weak password or falling for a phishing email), per Verizon’s report.
In order to address human behavior in cybersecurity strategies, hospitals should conduct regular training sessions for employees on IT best practices, including how to identify and avoid phishing emails, create complex passwords, and report medical cybersecurity incidents.
Building and fostering cybersecurity in healthcare requires alignment between cross-functional teams with different priorities. Typically, while IT focuses on security, biomedical professionals prioritize patient safety. Lack of communication and collaboration between departments can lead to blind spots and exposure to the threat landscape.
Here’s how hospital stakeholders can work together to prevent cyberattacks in the healthcare industry:
Leaders play a key role in creating a sense of urgency and getting stakeholder support for initiatives that can help keep hospitals out of the headlines about security breaches in healthcare.
To address the growing challenges of healthcare cybersecurity, the role of the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) should grow. In other words, these leaders should take responsibility for the security strategy across all assets, beyond IT. Since everything is connected now, from MRI machines to the HVAC systems, a traditional siloed approach poses too many gaps. That’s why hospitals need to unite the security and risk for connected devices in healthcare under a single responsible leader — an approach that breaks down silos between IT security and biomedical teams.
IT security teams are responsible for identifying, monitoring, and creating policies to secure all types of smart healthcare devices, including OT, IoT, and IoMT devices. IT might feel overwhelmed with too many vulnerability alerts, so it’s crucial to take a risk-based approach and prioritize remediation for issues that might have a clinical impact.
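The risk-based prioritization described above can be made concrete as a scoring rule that weights raw severity by clinical impact and network exposure. The following is an added example, not Armis code or a published scoring standard: the alerts are constructed, the weights are illustrative assumptions, and the vulnerability ids are placeholders. It shows why a critical-severity finding on an isolated lab workstation can rank below a medium-severity finding on a bedside device that touches patients.

```python
"""Risk-based triage of vulnerability alerts across IT, OT and IoMT assets.

Added example, not Armis code. Alerts below are constructed sample data and
the weighting factors are assumptions chosen to illustrate the approach.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed multipliers: how much an issue matters beyond its raw severity.
CLINICAL_IMPACT_WEIGHT = {"none": 1.0, "indirect": 2.0, "direct": 4.0}
EXPOSURE_WEIGHT = {"isolated": 0.5, "internal": 1.0, "internet": 2.0}
EXPLOIT_KNOWN_MULTIPLIER = 1.5

# Assumed bucket thresholds on the final score.
URGENT_THRESHOLD = 20.0
SCHEDULED_THRESHOLD = 8.0


@dataclass(frozen=True)
class Alert:
    asset: str
    asset_class: str       # "IT", "OT" or "IoMT"
    vuln_id: str           # placeholder identifier, not a real advisory
    cvss: float            # raw severity, 0.0-10.0
    clinical_impact: str   # "none", "indirect" or "direct" patient-care impact
    exposure: str          # "isolated", "internal" or "internet"
    exploit_known: bool    # public exploit or active exploitation reported

    def __post_init__(self):
        if self.clinical_impact not in CLINICAL_IMPACT_WEIGHT:
            raise ValueError(f"unknown clinical impact: {self.clinical_impact}")
        if self.exposure not in EXPOSURE_WEIGHT:
            raise ValueError(f"unknown exposure: {self.exposure}")
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"cvss out of range: {self.cvss}")


# Constructed alert queue mixing IT, OT and IoMT findings.
SAMPLE_ALERTS = [
    Alert("lab-workstation-07", "IT", "VULN-PLACEHOLDER-A", 9.8, "none", "isolated", False),
    Alert("infusion-pump-ward3-12", "IoMT", "VULN-PLACEHOLDER-B", 6.5, "direct", "internal", False),
    Alert("hvac-controller-east", "OT", "VULN-PLACEHOLDER-C", 7.5, "indirect", "internal", True),
    Alert("checkin-kiosk-lobby", "IT", "VULN-PLACEHOLDER-D", 8.1, "none", "internet", True),
    Alert("ct-console-radiology", "IoMT", "VULN-PLACEHOLDER-E", 9.8, "direct", "internal", True),
]


def risk_score(alert: Alert) -> float:
    """Severity weighted by clinical impact, exposure and exploit availability."""
    score = alert.cvss * CLINICAL_IMPACT_WEIGHT[alert.clinical_impact] * EXPOSURE_WEIGHT[alert.exposure]
    if alert.exploit_known:
        score *= EXPLOIT_KNOWN_MULTIPLIER
    return round(score, 2)


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """Remediation order: highest risk score first, raw severity as tie-breaker."""
    return sorted(alerts, key=lambda a: (risk_score(a), a.cvss), reverse=True)


def triage(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Bucket alerts into urgent / scheduled / monitor by score thresholds."""
    buckets = {"urgent": [], "scheduled": [], "monitor": []}
    for a in prioritize(alerts):
        s = risk_score(a)
        key = "urgent" if s >= URGENT_THRESHOLD else "scheduled" if s >= SCHEDULED_THRESHOLD else "monitor"
        buckets[key].append(a.asset)
    return buckets


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ALERTS):
        print(f"{risk_score(a):6.1f}  {a.asset_class:<4} {a.asset}  cvss={a.cvss}")
    print(triage(SAMPLE_ALERTS))
```

On the constructed queue the CT console ranks first and the infusion pump second despite its medium raw severity, while the critical-severity lab workstation lands in the monitor bucket because it is isolated and has no clinical impact. The weights are the part a hospital would tune with its biomedical team; the structure is what keeps the IT queue from being sorted by CVSS alone.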
Cybersecurity is a growing concern for teams responsible for tracking connected medical devices and overseeing the medical equipment lifecycle. Healthcare technology management needs to take the evolving threat landscape into account when leading clinical device planning and then build stronger partnerships with IT security teams.
For example, biomed teams should proactively engage healthcare cybersecurity professionals when procuring new devices. Let’s say you are going to purchase new CT scanners and you have to choose between two assets that are on par from a clinical point of view. You can bring cybersecurity in to influence the decision and select the equipment with stronger cyber controls.
Operation teams typically focus on the potential impact that a failure of power, water, and HVAC systems might have on clinical operations. With the IT/OT convergence, these disruptions could be triggered by cybersecurity breaches. No wonder healthcare IT professionals surveyed by Armis Censuswide consider building management systems such as HVAC riskier devices than imaging machines and check-in kiosks.
These concerns reinforce the importance of operation teams working more closely with IT departments to ensure business continuity. To learn more about the challenges of securing operational technology, check out our IT/OT Cybersecurity Playbook.
While cybersecurity is often seen as the responsibility of IT professionals and security personnel, every employee in a hospital has a role to play in keeping patient data safe. Whether it’s a nurse accessing a patient’s medical records on a computer or a front desk staff member handling billing information, every interaction with technology presents an opportunity for a cybercriminal to strike. All hospital staff should be aware of cyber risks and follow the best practices in healthcare cybersecurity, including the use of strong, unique passwords and multifactor authentication.
A report by the U.S. Department of Health and Human Services indicates that 94% of healthcare delivery organizations (HDOs) give third parties access to their systems. These partners can be valuable assets to HDOs, providing expertise and resources that may not be available in-house. But vendors can also cause a security incident, for example, due to a misconfiguration or failure to follow security protocols.
In addition, third-party partners might have weaker security measures in place than the healthcare companies they are working for, making them an easier target for cybercriminals. Attackers target vendors as a way to gain access to HDOs’ systems and data. In fact, a Ponemon report even indicates that 36% of the reported ransomware incidents were caused by third parties.
To strengthen cybersecurity in healthcare, hospitals need a single platform to discover, analyze, and secure IoMT, IoT, OT, and IT assets. That’s the case with Armis Asset Intelligence and Security Platform, which empowers biomedical, security, and IT teams with a unified view that includes hospital security risk assessment, vulnerability management, and medical device utilization insights.