Any cybersecurity expert will tell you that it’s not a matter of if you will be hacked, but when. Healthcare organizations across the country are quickly learning the truth about that axiom.
According to the most recent IBM X-Force Cyber Security Intelligence Index, healthcare tops the list of most cyber-attacked industries. And, according to Rapid7’s threat report for the first quarter of 2018, healthcare beats out industries such as finance, retail, and construction as the industry most targeted by hackers.
As we work through the second quarter of this year, multiple hospitals have already been hit by the SamSam ransomware. Then there’s the Orangeworm attack group, which is targeting different facets of the healthcare industry worldwide.
According to HealthITSecurity.com, hackers are increasingly targeting the healthcare industry because of its distributed IT infrastructure (which utilizes a combination of legacy systems and medical devices), constantly available systems, and the amount of sensitive data so many organizations hold.
The average cost of a cyber attack is $5 million, according to the Ponemon Institute, and can be much higher for larger organizations. Erie County Medical Center in Buffalo, NY reported that the total cost associated with a single ransomware attack last year added up to more than $10 million.
Healthcare Security Risks
While healthcare IT professionals have been focusing on protecting assets like servers and networks, many are quickly learning that certain types of medical devices can also give hackers a back door into their systems.
Additionally, despite FDA guidance, hospitals are still struggling to protect these vulnerable targets, and the points of exposure are not always fully apparent.
As Symantec notes about the Orangeworm threat, for instance, some of the tactics the perpetrators use to gain access to the software that runs equipment like X-ray and MRI machines are fairly dated. They can still be effective because that equipment so often runs on older operating systems.
So, theoretically, even a medical device boasting state-of-the-art security introduces risk when it is placed in an environment that relies on legacy software and dated operating systems, such as Windows XP.
While this may be disheartening to device manufacturers that prioritize security, they should still do what is necessary to protect their products against an attack, and they can reasonably assume the provider will follow safety protocols accordingly.
However, that alone could be considered a siloed approach to cybersecurity; the threats to medical devices really call for a strong eye on security throughout design, development and deployment.
The Healthcare Information and Management Systems Society (HIMSS) is one example of an organization that wants to tear down those silos, calling for a holistic approach to cybersecurity. In its Cybersecurity Position Statement, HIMSS defines that approach:
“HIMSS calls on the healthcare community at-large to work together, and with cyber experts from other sectors, to achieve a future state in which all are prepared to defend against increasingly sophisticated and numerous cyber-attacks… Through cooperation and focused efforts, we can overcome policy, cultural and financial roadblocks, and other barriers that inhibit the development of cyber solutions that work.”
Building Cybersecurity into Product Development
Cybersecurity collaboration must be built into project frameworks that extend throughout the product’s lifecycle.
And speaking of frameworks, you should take some time to get familiar with the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity, or, as it is thankfully referred to more commonly, “the Framework.”
The Framework is part guide and part reference manual pointing to outside resources that provide more detail on strengthening security. One of the advantages the Framework offers is that it gets everyone speaking the same language, which is essential if the HIMSS holistic approach is to take off.
And it’s not just nice to have everyone on the same page. If you plan on doing business with the government, you’re going to have to show you follow the Framework. Healthcare industry CIOs are very familiar with it, and they are beginning to require vendors to adhere to it. You can expect more will follow.
If this all seems overwhelming and you’re not sure where to begin incorporating it into your product plans, here’s the good news. The NIST Framework was a joint effort between government and industry, and one of the industry players was Intel. Soon after the first Framework was delivered, Intel launched a pilot project to test the Framework’s use, documented the entire project, and published the results as a use case.
Adding Value Through Education
Medical device manufacturers that build a holistic approach to cybersecurity into their projects will have an advantage over companies that do not. While many hospitals are doing a better job, physician practices still need a lot of help.
According to a survey conducted by the AMA and Accenture, 83% of 1,300 physician practices surveyed already have experienced a cyber attack. While more than half of the physicians surveyed said they were very or extremely concerned about attacks, nowhere in the survey did they directly mention medical devices.
This omission could indicate a lack of understanding on the part of the survey creators, or perhaps it shows that doctors are unaware that devices, when connected through wireless networks and aging legacy systems, could be the source of a breach.
In any case, you can bet the threats to medical devices are only going to grow more sophisticated and numerous as time passes. Medical device companies that fail to act will gradually become larger targets for criminals. The sooner security is prioritized throughout the development of medical devices, and the sooner everyone in the industry gets on the same page about security, the better chance we’ll have of staving off the threats of tomorrow.