It’s October -- the month when many countries around the world work together to raise awareness for cyber security. It’s our opportunity as an industry to educate all people about the importance of doing what you can to keep yourself, your organization, your friends, and family safe -- and it’s one that we all need to support.
It’s Cybersecurity Awareness Month. We’re Doing Our Part.
Once again, led by the U.S. Department of Homeland Security (partnered with the National Cyber Security Alliance), the message is Do Your Part. #BeCyberSmart. This year, however, the focus brings attention to the shift in all our lives when we moved from offline to online. The NCSA makes the point that the Internet impacts our homes, our economy, our national security, and societal well-being. The last one really resonates with me because health and well-being are essential to quality of life. If they are threatened, we have a problem.
When you consider how connected hospitals have become over the past few years, you can see why a number of cyber-attacks on them were successful. There are, however, some further considerations we need to make others aware of. IoT, IoMT and medical devices themselves are vectors.
Why are they potential vectors? Medical devices used to be offline; however, with the digital transformation that occurred in recent times, that all changed. The same potential for greater efficiency, speed and cost savings offered by the Internet of Things made its way to clinical assets. In fact, according to a Deloitte study, almost half of all medical devices were “connected” by 2018. That number is expected to approach 70% by 2023. So, they are surely vulnerable because they are now online; but there’s more. Because they were offline, security was not built into medical devices. The vast majority of medical devices (estimated around 80%) run on outdated systems. That means they continue to maintain out-of-date software, insecure protocols, misconfigurations, and password flaws, an ideal scenario for a bad actor. On top of all that, most hospital networks lack the ability to see and secure all their devices. Without that visibility, they can’t identify critical events, pinpoint the source of the problem, or effectively respond.
Whether medical devices are breached or whether they are shut down because the entire network was compromised, it’s a direct threat to patient care and lives. It also impacts a hospital’s bottom line, so there is economic fallout as well. A 2021 Ipsos study, which CyberMDX co-sponsored with our partner Philips, found that ransomware is attacking the bottom line, with 48% of hospital executives reporting either a forced or proactive shutdown in the last 6 months as a result of external attacks or queries. Costs from external shutdowns were reported as high as $80,000 per hour. For a 24/7 operation like a hospital, that’s $1M-$2M per day in lost revenue; and we know that several high-profile attacks this year shut down some hospitals for a week or longer. In addition, only 11% of the hospitals surveyed rated cybersecurity as a high priority for their IT spend. At least 60% said “other” spend was more important.
You may ask, what can be done? Like anything else, the first place we need to start is to create awareness. Everyone who works in healthcare delivery must be vigilant and help others become aware of the potential points of entry from emails, share drives, and IoT or medical devices.
At CyberMDX, our mission is to enable healthcare delivery organizations worldwide to provide quality care by securing and protecting the systems and devices they rely on every day to treat illnesses and save lives. In support of this worldwide effort, CyberMDX will be hosting a series of educational initiatives aimed at raising awareness and creating discussions about the offline-to-online impact for hospitals when connecting medical and other devices.
We will also continue our ongoing commitment to contribute and share our own findings, which leverage the knowledge base of the CyberMDX Research team. We work closely and frequently with regulatory bodies including CISA, MITRE and the FDA, as well as with numerous medical device manufacturers and HDOs. The efforts here are specifically directed toward creating awareness of, and education about, medical device and other IoT vulnerabilities and how to better protect organizations from those threats.
Below is a list of activities we have planned for this month to help raise awareness.
- Ipsos Research – CyberMDX and Philips will join Ipsos as they present the findings from the recent report on “Perspectives in Healthcare Security”. The live interactive webinar is open to all. (October 6, 2021)
- H-ISAC Panel – The CISOs from Metro Health, ChristianaCare Hospital, and H-ISAC will participate in the discussion, “October is Cyber Awareness Month – When offline goes online for Medical Devices” (October 13, 2021) – open to H-ISAC members only.
- Discussion with AWS – Welcome to a “day in the life” of a cybersecurity professional. CyberMDX and our partner, Amazon Web Services (AWS) will host this webinar where we will take an introspective look into what it’s like protecting a hospital from cyber threats. (October 21, 2021) – open to all (must create an account) - register here.
- Educational Tips from SMEs – With each week of cyber awareness, CISA and the NCSA have a different focus. As we hit those milestone dates, you’ll hear some specific tips and perspectives in the areas they’ve outlined. One of our team subject matter experts will post a video that we’ll share on our social channels. (4 videos)
We hope you join us in this important initiative.
For More Information:
If you want to learn more about the specific challenges that were created when medical devices and networks were connected to the Internet, below are several sources for your reference.
- White paper – Five Cybersecurity Best Practices for Connected Medical Devices
- Guide – Alignment with the HITRUST Framework
- Report – Perspectives in Healthcare Security (Ipsos)
- Videos – How Hospital Hacks Happen