Six ViVE 2023 Healthcare Cyber Security Takeaways

From Hacked to Hero: Cyber State of the Union

At ViVE 2023 Armis’ CTO and co-founder Nadir Izrael participated in a panel discussion: From Hacked to Hero: Cyber State of the Union along with:

• Salwa Rafee – Global Managing Director, Accenture Security (Moderator)
• Errol Weiss – Chief Security Officer at Health-ISAC
• Greg Garcia – Executive Director at Healthcare Sector Coordinating Council

In a compelling 45 minute discussion the panel touched on some of the most fundamental challenges facing healthcare IT security today. Here’s my top 6 discussions and the video snippets:

Medical Device Security

Medical device, IoMT security is a top concern for healthcare environments. These devices may be physically connected to people, they are often using out of date software before they even reach the hospital floor and hospitals often don’t know how many, or even which medical devices they have in their environment. Nadir and Greg outline the challenges and the steps to improve healthcare IT security and risk management for medical devices including discussing the updated Healthcare Industry Cyber Security Practices (HICP) for 2023.

Nation States

Nation states are waging cyber warfare. Geopolitical unrest is driving attacks on healthcare and becoming the “new terrorism for the 2020’s”. In turn this is influencing, and empowering the creation of healthcare cybersecurity legislation to help focus resources clearly on the security practices that need to be put in place. While it appears that the EU and the UK are leading the way, the March 16^th 2023 testimony to the US congress: Examining the Cyber Security Risks to the Healthcare Sector, to which Greg Garcia was one of the witnesses, showed there is calling for, and sensitivity to the need for healthcare security mandates and incentives. And while there are certainly challenges with how smaller rural healthcare organizations would be able to implement such measures – having a definitive mandate on the measures to be taken, and funding to achieve it, will help identify the organizations that need the most help.

Cyber Weapons

Ease of access to cyber weapons. The issue of nation state attackers was discussed several times. Compounding this problem is that these nation state grade cyber weapons that get developed by well funded and advanced cyber warfare organizations become easily accessible to far less technically capable groups or individuals that in turn can broaden and perpetuate attacks. It isn’t necessarily that groups of cyber criminals are independently innovating new attack tools – like the virus toolkits that are the pre-cursor to today’s weapons, they are utilizing the tools available and increasing their proliferation.

The Basics

Focus on the basics. To paraphrase Douglas Adams’ Hitch Hikers Guide to the Galaxy – the scope of the problem of healthcare cybersecurity is “big. Really big. You just won’t believe how vastly mind bogglingly big it is.” From potentially decades old medical equipment to the latest advances in implantable or robotically controlled devices – where do you start? As most security frameworks will advise you – start by understanding what you have, triage the riskiest or most vulnerable assets and focus on them. It may be impossible to get to everything, but getting this aspect of IT security hygiene right will lower risk and improve resiliency. As Nadir says “the reality is it’s the boring parts – it’s the basics.”

Malicious AI

The malicious use of AI. We aren’t going to be able to spot phishing attacks by looking for typos and grammar mistakes any longer. As referenced earlier, the bad actors are utilizing every tool available to them. This includes the much-discussed AI platforms that are able to craft very convincing phishing emails. Continuing education on the signs of attack are one of the key pillars in a security strategy – so is continuing development of those education programs.

Ransomware

Whether to pay ransomware. A deeply difficult question to answer when viewed through the lens of a healthcare organization and the potential implications of not being able to deliver care with all the required information or services. In the recent Armis report The State of Cyberwarfare only 34% of healthcare respondents said they never pay a ransom – with 19% responding that they always pay. In Israel, a recent ransomware attack on a hospital, which is essentially a government facility, meant that a ransom could not and would not be paid. Restoring the services took about two months with providers having to fall back to paper records. Although this was very disrupting, the result showed that there is nothing to be gained to would be attackers and, so far, no more ransomware attacks.

We would like to thank all of the panelists for such a valuable and informative discussion. The complete video is available for those that attended ViVE through the event app.

Armis identifies every medical device, IoT, IT, building management and OT asset that’s connected and communicating on your hospital’s network. Risk and vulnerability management scoring pinpoints the devices exposing your environment to attack, incorporating threat feed, patch status and in the wild exploitations.

To learn more on how Armis can improve your healthcare IT security resilience sign up for our Healthcare Catch a Hacker event or schedule an individual demo.