Connectivity has become ubiquitous in healthcare-and nearly every other industry. Yet healthcare remains consistently the most frequently breached industry. Perhaps this can be attributed to the complexity of the healthcare industry, which makes it a more vulnerable sector for cybercrime than others. Or perhaps it’s the reality that healthcare optimizes for patient care-as it should-and as a result, is an ill-prepared system with high-risk victims.
What’s healthcare cybersecurity?
There are varying perspectives on the problem, but in the end, it’s all about patient safety.
For a medical device manufacturer (MDM), healthcare cybersecurity is scoped as a device problem. Today, the industry is embracing a process-focused approach: software bill of materials (SBoM), vulnerability disclosure and mitigation (patching). This is reactive, complex and relies heavily on people to enforce. Additional risks viewed by the MDM include security, risks related to production and service infrastructure (e.g., business risk, device quality and recalls) and supply chain risks (upstream and downstream).
For healthcare delivery organizations (HDOs), it’s a system problem. There are many devices, many types, many manufacturers and a complex set of responsibilities between IT/ITSec, clinical engineering and administration. Although, historically, network security has played an important role, there are technical limitations.
The increase in ransomware attacks on healthcare systems is indicative that the risk spectrum in healthcare cybersecurity truly runs the gamut. What used to frequently be defined as a privacy/data risk can now range from clinical operability and business/finance risk through to patient safety.
What makes healthcare different from other industries?
The evolution of connectivity in industries tends to directly correlate to the threat surface that must be managed. For example, in healthcare, the implementation of USB ports and ethernet cables evolved in an effort to increase the patient care experience. It enabled a single practitioner to monitor a multitude of patients from the comfort of a single station. As the value of this connection was realized for patient care delivery, it spread to device-to-system connectivity, thus integrating data into electronic health record systems. And as evidenced by the huge digital transformation HDOs have experienced since the global pandemic began, cloud-based delivery care has become an expectation from patients.
However, all these connections weren’t necessarily done with security in mind. Instead, it was to enhance the patient and/or provider experience. We see the trend repeating itself-the connectivity boom in the energy industry has caused the grid to become more vulnerable to attacks and landed them on the White House’s priority list. Attacks targeting further up the supply chain, including the semiconductor space, have become increasingly common as hackers seek the broadest impact for their efforts.
The reason healthcare repeatedly shows up at the top of the target list is the nature of its business. Ponemon’s recent survey outlines it clearly: 20% of HDOs report an increase in patient mortality rates after a cyberattack. The notion that lives are still lost due to cybersecurity incidents, even though the healthcare industry is at the top of the list of those that most frequently pay ransoms, is difficult to accept.
Cybersecurity used to be seen as a compliance initiative in healthcare but has become a patient safety and business imperative in recent years. For MDMs, tying market delays and metrics to a lack of security will inspire faster action. For HDOs, assessing strategies for incoming devices can start to shift the tide in how risks expand.
It’s been predicted that remote working and business compromise through cybersecurity vulnerability exploits will continue to increase. No member of the supply chain can afford to rest on their laurels and not constantly reassess their security strategies. As rapidly as technology is changing, attackers are strategizing and changing just as quickly. To even begin future-proofing the delivery of care, a robust strategy rooted in business value and tied to people, processes and technology is critical.