The healthcare sector is experiencing a dramatic surge in cyber attacks against many entities – including healthcare service providers, health equipment manufacturers, and more.
Healthcare Cyber Attacks Rising Steeply
2020 saw a dramatic uptick in cyber attacks against the healthcare vertical. While not surprising given the proliferation of ransomware in general, the healthcare industry provides a rich tapestry of attack surfaces and business types that allow for unique attack scenarios, and avoiding them requires high levels of security awareness.
The trend line has continued upwards in both sophistication and frequency of malware threats against healthcare organizations, whether they are service providers, health equipment manufacturers, or fundraising organizations.
Healthcare security has been plagued by a history of accidental disclosures or insider data misuse for many years. In 2020, according to the Verizon 2020 Data Breach Investigations Report, we see external attackers becoming the majority of the problem at a slim 51%.
This may indicate healthcare security functions are getting better internal controls in general, but given the ransomware incidents or “data at risk” declarations, it suggests there is still much work to be done on improving internal security defenses and data handling procedures.
Sensitive Business Assets at Risk
In healthcare environments where valuable intellectual property is common in R&D departments and clinical trials, there continues to be a threat from nation-state and espionage actors who typically invest heavily in external intrusion operations as well as physical infiltration of free research candidates who gain access to confidential information. The goals are clearly the transfer of wealth to domestic businesses, and the US Federal government confirms this continues to be a significant trend and will likely persist into the future.
Because the healthcare industry is so broad and can contain so many component parts, there is no single easy template to assess the standard risk to an organization. If the organization has R&D operations in the development of new medical devices, for instance, they will no doubt be subject to interest from competitive state-sponsored agencies looking to gain access to the technology or embed malware into the supply chain.
Public-facing healthcare agencies, whether care providers or fundraising organizations, have rich data sets and are always a target for those who profit from access to this information. Whether it is data brokers stealing sensitive customer info or spammers stealing huge contact info data sets, these data sets are attractive and will invite innovative attack techniques.
Getting Strategy Right
Our proprietary CISO Insights strategy and roadmap development methodology creates an exceptional focus on the business and links the value-creating activities of the organization to the security priorities developed and deployed to maximize risk reduction impact and cost optimization.
The alignment of business-critical assets at the investment level brings hyper-focus to risk and investment trade-off choices that need to be evaluated. Healthcare environments typically share major cyber risks with many verticals, but the risks less common across verticals include the following.
The healthcare vertical is in a constant state of change with new technologies, M&A activity, and continuing regulatory and cost control requirements. Given the changes that are always happening in the industry, replacing legacy technology with new digital innovations is commonplace and can drive efficiency and greater profits for organizations. It also introduces significant risks from those digital technologies as they are complex technologies with long supply chains that are difficult to vet. Building an effective cybersecurity program that is paced to keep up with and be prepared for the capabilities, tools, and strategies for a digitized technology environment requires an enhanced development plan.
In digital transformation, the goals of enhancing technology and mining business-rich data are equally important. Good security plans consider the implications of several key elements.
Technology Enhancement Plan
As digital connections increase between patient data sources, ERP systems, and big data lakes, the architecture, system integration, data protection, access control, and system integrity must have a defined strategy to ensure the new patient, medical systems, and the network get the appropriate protection.
Data Extraction and Movement Needs
In digital transformation, much of the created value is in the data extracted and analyzed in the organization's big data engine. The movement of data to the lake and the creation of data governance and stewardship is critical to maintaining the value for the company. While patient privacy is well established in the medical community, big data benefits are derived from compiling data in new ways. The governance program must become a large focus to maintain appropriate safeguards.
Skills and Capabilities Needed to Meet New and Future Operational States
Once the digital transformation is complete, often new security team capabilities are required to protect the organization, which interacts technologically differently than it did before. If the company has developed an online digital marketing capability or has begun deploying mobile apps to reach their patients, defending these takes new skills. Evolving the cybersecurity program to ensure it has the skills needed to deliver today and tomorrow will increase the organization’s ability to be competitive and protect its valued assets.
Internet of Things Risk (IoT)
While no single innovation in technology can generally be representative of significantly increased risk on its own, the IoT trend has, in a few short years, created a massive impact on the attack surface of most businesses and homes. IoT devices generally are internet addressable devices, whether diagnosis or treatment robotic systems, logistics or tracking systems, or 3D Imaging or augmented reality treatment tools.
Digital Health and Data Interoperability
“Healthcare of the future” is generally predicted to be more holistic and preventative where digital transformation drives “radical data interoperability” between streams of health data, AI, and open secure platforms. The stream of health data will potentially include many relevant sources including next-generation wearables and monitoring systems that monitor wellbeing.
However, creating this new product is not a turnkey operation. Healthcare organizations today are a patchwork quilt of legacy and new digital systems that, when stitched together, create a huge target surface for hackers and espionage actors. Not only are hospitals popular targets because of what they do, but they are also highly susceptible to attacks that limit their ability to conduct operations.
Healthcare organizations and systems need a specialized security approach to build the capabilities that will enable the security of the radical interoperability of data needed in the future.
Supply Chain of the Future
A company’s supply chain is one of its most important business assets. In this global business arena, companies rely on vendors from global to glocal, but they must all be properly vetted from a security perspective to ensure your business can keep running and their business can keep supplying you with what you need.
The vendor security program is one of the foundational programs in your security arsenal to ensure you have done your security due diligence before signing supplier contracts, when your negotiating leverage is optimal.
Linking enterprise healthcare and supply chain systems together to harness the power of the data which can unlock business agility and uncover past inefficiencies is table stakes now for competitive healthcare firms and will need to grow to reach the “radical interoperability” levels in the future.
This generally means the introduction of new and powerful data-sharing applications and third-party relationships and the need for significant data and access governance to meet security and privacy goals.
Typical High Maturity Security Programs for Healthcare
At the end of the day, healthcare lines need to be running to make the organization money, and ransomware attacks against healthcare environments are on the rise due to a combination of old or unprotected systems and the high financial cost of downtime, which makes them a great extortion target.
One of the most prudent program expenditures an organization can invest in today is a robust ransomware defense program, including the technology, procedures and preventative systems to keep the threat out.
Defining an architecture that both enables the care of patients and increases data flow intensity to deliver the enhanced security needs is the role of healthcare security architecture. Healthcare can be challenging because the data network team and healthcare workers do not always see eye to eye or have the same technical knowledge.
Applying sound security architecture skills, assessments and design principles is still possible and will deliver the greatest overall value to the organization as the healthcare environment evolves and faces increased security threats.
Innovation in Protection
One common challenge in healthcare environments can be an inability to provide an exact inventory of all hardware and software at work in the patient service delivery environment. This inability can lead to missed patches and upgrades or reduced qualitative data in risk assessments, so some risks are left unaccounted for. One solution is to get a hyper-accurate view of your assets and their traffic flow. Tools are available that can provide this information while being gentle on sensitive patient systems, giving you the best hardware and software inventory available.
Zero Trust Technology
Another exciting development is the intersection between Zero Trust, Micro-Segmentation, and Software-Defined Networking in protecting IT and ICS assets from hackers and malware. New tools and protocols exist that can literally make your IT assets invisible to hackers and malware. This reduces the need for urgent security and maintenance investment while delivering advanced security results.