Bearing the weight of a global pandemic, the healthcare system is struggling with medical surge and runs on vital equipment. Sadly, hospitals have also been beset by a marked increase in cybercrime — threatening their very efficiency, safety, and security.
Today there are around 480 million healthcare IoT devices globally. The US share of the overall healthcare IoT market stands at about 40%, which adds up to some 144 million networked healthcare assets in the US alone. That means that, with 6,146 hospitals across the United States, a statistically average US hospital will host around 30,000 connected healthcare assets.
With so many devices in play, calling the IT environment of an American hospital complex and difficult to manage would be an understatement. In fact, hospitals typically task each of their biomedical technicians with managing some 1,400 devices. That's a very tall task made even taller by the fact that the pandemic has rendered hospitals increasingly vulnerable!
With more to protect, less time to do it, higher stakes, and fewer available resources, just delivering quality care in a reliable manner seems to be more challenging than ever.
HIT Management In A Burgeoning Threat Landscape
Healthcare is the number one most cyber-targeted industry in the US, a fact that has unfortunately only become truer since the outbreak of the COVID-19 pandemic.
Since the virus first broke out internationally, organizations across the globe have reported a dramatic increase in attempted cyberattacks. Focused on addressing the crisis, already stretched super thin, and forced to improvise at each new turn, healthcare organizations in particular presented an attractive target for hackers.
At the start of the COVID-19 crisis in the UK, clinical research organization Hammersmith Medicines Research (HMR) was one of the firms involved in testing potential vaccines. On March 14th, hackers launched a ransomware attack that compromised the organization's digital infrastructure and temporarily locked staff out of company devices and connected systems/records. Though HMR eventually managed to restore functionality of affected devices, the attackers still succeeded in exfiltrating a trove of confidential data, including patient records.
When hackers target institutions like clinical labs, testing facilities, and major hospitals, it could put all of their patients at risk, since the resources needed to treat them become unavailable.
Under normal circumstances, healthcare organizations can ill-afford downtime. In the midst of a pandemic, the criticality of uninterrupted operability is only heightened, prompting Interpol to issue an alert warning that healthcare organizations, already overwhelmed by COVID-19, were under increased threat of attack.
Healthcare Under Attack: A Story of Means, Motive & Opportunity
The status of the healthcare industry as a preferred target for cyberattacks is well-established. The why of the matter though is not quite as well understood. Like any other crime, it boils down to means, motive, and opportunity.
Means and Opportunity
Standard hospital network segmentation deviates considerably from established best practices. What’s more, even when conscientious administrators try to build secure-by-design architecture, they can falter when applying general best practices to an industry with very distinct network norms and needs. Network segmentation that does not take into account a device’s intended clinical application, normal network behavior, and internet requirements can open the device to access from external networks and malicious hosts.
On top of that, medical devices and clinical assets are some of the least updated machines around. It is not at all uncommon, for example, to see acquisition workplaces (AWPs) running severely deprecated versions of the Windows 6 operating system and interfacing with highly sensitive equipment like imaging devices. This leaves the whole network much more vulnerable to attack.
If that weren't bad enough, hospitals are dealt an even weaker hand by virtue of the fact that medical devices were among the earliest machines to be networked — answering the need for electronic documentation, remote access, and central HIT management, while assisting workflow and process efficiency. For most hospitals, that meant that the network was built in pieces — gradually and according to emergent needs. The network layout, therefore, is seldom pre-planned in a tidy end-to-end manner. Instead it exists as an amalgamation — incorporating no small amount of legacy infrastructure and outdated frameworks.
Needless to say, when it comes to security, the landscape has changed very dramatically in the last ten years, and anything planned based on common wisdom of a time prior will not stand up very well to today’s security threats. These networks often lack basic security features and are exceedingly difficult to bring up to standard via retrofitting.
Finally, from a technology point of view, hospitals represent highly complex and highly interdependent environments. To maintain workflow continuity, hospitals demand extensive system, process, and technological interoperability across a multi-vendor, multi-generational operational ecosystem. Backward compatibility is therefore built into devices to help achieve this. Backward compatibility though is anathema to security and can nullify many of the desperately needed improvements made between versions and open gaps in the network's defenses.
Motive
Healthcare organizations are unique from other businesses in their use of medical devices. The network-enabled versions of medical devices often hold sensitive data, such as protected health information (PHI). This data isn't only sensitive, but very valuable as well — fetching as much as $1,000 per record (compared to $110 for credit card details). As such, healthcare breaches offer attackers access to PHI that can be profitably held for ransom or sold on the black market.
PHI attracts such hefty bounties for a few reasons. First, it typically includes PCI (payment card information) and a slew of other useful information already built in. All those data points combine to form a much more rounded and personally identifiable profile of the data subject. Accordingly, PHI has a wider range of illicit applications. It can be used for identity theft, financial fraud, and as a basis for still more and deeper information gathering.
What’s more, other data assets, like PCI and bank details, can be easily changed or may naturally expire. Not so with PHI. Once PHI confidentiality is compromised, the victim is under threat in perpetuity.
There's also the prospect of more indirect financial gain, for example, by accessing the medical records of a corporate keyman or titan of industry to manipulate the market or gain an insider advantage. Imagine the market reaction, for instance, if someone leaked MRI results showing that Warren Buffett was terminally ill. A shrewd hacker could easily make millions.
Finally, the increasingly active and brazen theater of cyber-warfare factors in too. It's not hard to imagine one state undermining civil confidence in another by stirring up a healthcare-related panic. Similarly, the specter of a terror-motivated attack should not be ignored either — with destruction itself being the objective and hospitals offering a relatively short and straight path to the finish line. Of course, in the context of COVID-19, nation states are also ramping up their offensive cyber activities in the hopes of gaining access to proprietary treatment and vaccination research.
Sensitivity of the Connective Tissue
It's plain to see that bad actors don't lack for sufficient means, motive, or opportunities to attack healthcare organizations. Being aware of this and mindful of the industry's increasing digital dependence, industry leaders are rightly concerned.
To help combat these risks, healthcare institutions need to improve their cyber posture and achieve better operational oversight — including with respect to their third-party solutions. The combination of so many unmanaged endpoints and such highly motivated threat actors demands more proactive cyber intelligence — based on simultaneously granular and panoramic visibility.
Moving Forward with Vision and Conviction
With healthcare institutions flooded with the intense care-side demands of a global pandemic, hackers are keen to take advantage. Operating from a position of fundamental vulnerability, it's crucial for healthcare organizations to establish robust cybersecurity measures.
What's more, to survive this new normal, hospitals will need better business intelligence and smarter interdepartmental alignment.