Healthcare standards and regulations

Healthcare Cyber Security in 2022 - It’s not about predictions. It’s about provisions.

3 min read

We’re almost at the end of another tough year for healthcare providers. It would be great to say that the worst is over. I don’t think we know that about either Covid related issues or cyber-attacks.

The silver lining here is we’ve learned a lot about both. It’s made us all more resilient, if not exhausted and frustrated. We can look back and feel good about threats to our healthcare that were prevented, the awareness that was raised for them in mainstream media, and even the recognition from governments and boards that more needs to be done to keep patients and data, as well as all critical infrastructure, safe.

As we look toward 2022, there are several cyber related activities we think are likely to happen. Below are some recommendations that you can take to ensure your organization is prepared.

Prediction Preparation

Hospital boards will demand better security and incident response – With the record number of attacks over the past two years still trending up, hospital boards will push CEOs, CIOs and CISOs to reduce risk.

  • Be ready to demonstrate that you can close the largest and most likely threat vectors to reduce the likelihood of successful attacks.
  • Require protocols in place to cut recovery times from weeks and months down to days or even hours to limit the losses from network and device downtime.
  • If you haven’t already, then better that you do this now vs your board asking you to do it later.

Experience gained from previous years will alter attack strategies – Cyber-attacks on healthcare providers will become more targeted and sophisticated. Bad actors will use what they’ve learned so far to shift from a “spray and pray” approach to a “bait and prey” one, where there is more up-front research and analysis of a hospital’s weaknesses, vulnerabilities, and potential payouts.

  • Early detection is key here. Don’t allow the bad actors to do any reconnaissance. Ensure you have the right tools here to both assess who is in your network now and to ongoingly get alerted if anyone comes in for future.
  • If you don’t know who might be in your network now and want to know, we can help.

Hackers will also explore new attack vectors – As anti-ransomware measures and medical asset software patching become more rapid and widespread, hackers will keep searching for other easy entry/persistence points while attacking the clinical information systems.

Supply chains will demand priority attention – Supply chains will dominate the news in 2022 — but not just from pandemic related supply issues. As suppliers and customers attempt to rein in their supply chains, we expect to see potential ripple effects across healthcare provider suppliers that will range from 1. being cyber threat entry points to 2. extending or spreading known vulnerabilities to 3. causing bottlenecks in supplies due to their own shutdowns from ransomware attacks.

  • Vet your suppliers and make sure you have a process to know how cybersecure they are (e.g., NIST, ISO 27001 and other standards)
  • Don’t stop there – compliance is important but a risk-based framework where you establish your comfort level is a better approach.

Medical device software patching no longer an afterthought – For years, hospitals have not always given more than low priority to patching or upgrading of the software on their medical devices.

  • As the rising number of known vulnerabilities continues to be one of the largest threat vectors, it’s critical to have tightly honed processes for patching and updating software. Inspect this now and ensure it’s being done -- and expeditiously.

Cyber insurance will also require better cyber resilience – Pressure will rise as cyber insurance availability and safeguards will continue to shrink simultaneously as insurance premiums grow.

  • To qualify for and maintain cyber insurance, take a closer look at what your team is doing. Ensure their strategies include tactical actions like micro-segmentation as part of a holistic Zero Trust approach.

Expect More Governance and Compliance – As clinical networks become more and more complex and heterogeneous, spreading from campus and branches up to the cloud, Governance, Risk, and Compliance (GRC) teams will require greater assurances.

  • Prepare your security teams with technologies that automate security governance and compliance, based on common security frameworks and on an end-to-end visibility basis.

 

As they say, fail to prepare and prepare to fail. With the estimated $21Billion in losses to healthcare last year, as well as numerous re-routings of patients (with two known incidents of death) that happened during ransomware attacks, there’s more than enough justification to take this to task.

 

For More Information:

If you want to learn more, below are several sources for your reference.

Subscribe