The cybersecurity risks of healthcare’s hyperconnected future

May 4, 2020

How systems and small practices alike can start preparing now.

Electronic Healthcare Record (EHR) implementations and numerous other interoperability initiatives have dominated healthcare industry technology agendas for nearly two decades. Although the resulting “connected landscape” has driven a treasure trove of operational efficiencies and patient care improvements, it also hosts the most lucrative attack surface of any industry. Put bluntly, for an increasingly sophisticated, global community of cybercriminals, healthcare pays, both figuratively and literally. In 2017, attacks like WannaCry demonstrated the point. Clinical networking vulnerabilities and the consequences of a successful breach were exposed in dramatic fashion. Whether history will record WannaCry as the industry’s wake-up call already seems irrelevant, as healthcare networks continue to be compromised in an increasing number of ways, and at an unprecedented pace.

Cyberattacks against healthcare organizations jumped 60% in 2019, while crippling Trojan ransomware programs like Emotet and Trickbot climbed by 82% between the second and third quarters of the year. Whether an incident stems from an external attack or from internal human error, the problem is that most Healthcare Delivery Organizations (HDOs) don’t have the technology or expertise to detect and react to either in a reasonable timeframe.


In fact, research conducted by the Ponemon Institute confirmed that the average time for a hospital to identify a breach is 55 days. Even more alarming, that same research showed that it takes an average of 1,037 days to contain one. With that much time, the damage, whether to patients, devices, care delivery systems or record-keeping infrastructure, is hard to imagine. And keep in mind, these are self-reported numbers.

That’s why cybersecurity is now top of mind with healthcare leadership. It’s not that the lack of clinical network cybersecurity was an oversight; it’s that the tools required to solve the problem didn’t exist. Not surprisingly, risk capital poured into the problem space, a solution market was born, and healthcare’s established early adopters are already driving new best practices in partnership with their selected vendors. Although the solution market is relatively immature, it has made dramatic strides in short order. And, as there is no such thing as “plug and play” cybersecurity, the market’s leaders are quickly differentiating, both in terms of innate capabilities and the ability to bring them to life in successful implementations.

 

More About the Problem

Sometimes referred to as “bringing down silos,” the interoperability trends of the last several years are essentially a push for new front, middle and back-office connections. Specific to cybersecurity, the adoption of “smart devices,” also known as the Internet of Things (IoT), has exploded. It seems that every device in use today, whether to facilitate patient care directly (e.g. patient monitors, infusion pumps, radiology, etc.) or to improve the way systems are managed (e.g. from cameras to elevators to HVAC), is “talking” to every other. As expected, the data being generated is proving to be immensely valuable and strategic, as the resulting operational efficiencies include improved clinical workflow coordination, faster revenue cycles, smarter major system management and better patient care.


Of course, the downside of every added “endpoint” is the increased risk caused by poorly managed devices, many of which can cause financial harm, not to mention system-wide care delivery issues and patient safety nightmares. And while debates over the severity of direct patient risks continue, those arguments are losing traction, as the disruption caused by a successful breach can impact patient care in many other ways. Although the very idea of a hack to a connected medical device is horrifying, a successful compromise of an HVAC system or an elevator complex can also have a shutdown effect. While all connected assets are not created equal, it is important that healthcare leaders understand how they are all part of a larger, interdependent system.

Unfortunately, the reality is many healthcare systems have little visibility into which medical (and general IoT) devices are connecting to their networks, where these devices are located, how they are connected, who is using them, how they’re being used and their respective security posture. This makes it nearly impossible for even the most tech-savvy organizations to create an effective security strategy, as you can’t manage what you can’t see. It also makes capital planning, ongoing management and maintenance unnecessarily difficult. 


The Common Solution Denominator: Visibility

For these reasons, connected asset visibility must be comprehensive and include highly granular device profiling detail. This is definitely a case where more data is better and enriched, contextualized data is best. So, it’s not just about discovering what’s connected inside your network. Instead, what’s required are detailed device-specific profiles, including an understanding of the device’s needs and workflow, knowledge of how the device interoperates, how it is being used and its security posture.  

Due to the proprietary nature of both clinical and medical devices and the unique, often undocumented communication protocols that they use, visibility remains a major challenge. And given how these assets are maintained, updated, patched, etc., a continuous view into their status is essential, whether for good, safe operations or security purposes.


When that kind of continuous, real-time visibility is available, most things are possible. For example, instead of basing maintenance cycles around timeframes, they can be based on actual usage. Instead of Healthcare Technology Management workers scrambling to determine if a newly published threat is relevant, all existing and newly published threats can be instantly correlated. Armed with knowledge of device workflows and operating requirements, anomalous behaviors at the network level (e.g. a rogue connection between devices/systems that should not be communicating) can also be detected and safely terminated. The list goes on. The operational benefits can actually change the organizational profile of those enlisted to execute the improvements.

In short, you must establish an accurate baseline and build security programs from the ground up. You must know your endpoints at the individual level and build from there. In doing so, appropriate security policies can not only be created and enforced, but preventative maintenance programs can be overhauled, and replenishment programs can be rationalized. 
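As an added illustration (not from the article or any vendor's product), the sketch below shows the two uses of a per-device baseline described above: flagging connections between devices that should not be communicating, and correlating a newly published advisory against the inventory. Every address, model name, firmware version, port and the advisory itself is a constructed sample.

```python
# All devices, addresses, models, ports and the advisory below are constructed samples.
INVENTORY = {
    "10.20.1.11": {"type": "infusion_pump", "model": "ExamplePump A", "fw": "2.3"},
    "10.20.1.12": {"type": "infusion_pump", "model": "ExamplePump A", "fw": "3.0"},
    "10.20.1.50": {"type": "pump_server", "model": "ExampleServer", "fw": "1.0"},
    "10.20.2.21": {"type": "patient_monitor", "model": "ExampleMonitor B", "fw": "5.1"},
    "10.20.2.60": {"type": "central_station", "model": "ExampleStation", "fw": "4.4"},
    "10.30.9.5": {"type": "hvac_controller", "model": "ExampleHVAC C", "fw": "1.2"},
}

# Baseline: (source type, destination type, destination port) each workflow needs.
BASELINE = {
    ("infusion_pump", "pump_server", 8443),
    ("patient_monitor", "central_station", 2575),
}

FLOWS = [
    ("10.20.1.11", "10.20.1.50", 8443),  # pump -> its server: expected
    ("10.20.2.21", "10.20.2.60", 2575),  # monitor -> central station: expected
    ("10.30.9.5", "10.20.1.11", 8443),   # HVAC controller -> pump: not in baseline
    ("10.20.7.77", "10.20.2.60", 2575),  # source missing from the inventory
]

ADVISORY = {"model": "ExamplePump A", "affected_fw": {"2.1", "2.3"}}


def audit_flows(flows, inventory=INVENTORY, baseline=BASELINE):
    """Return (reason, src, dst, port) for every flow the baseline does not explain."""
    findings = []
    for src, dst, port in flows:
        src_dev, dst_dev = inventory.get(src), inventory.get(dst)
        if src_dev is None or dst_dev is None:
            findings.append(("unknown_device", src, dst, port))
        elif (src_dev["type"], dst_dev["type"], port) not in baseline:
            findings.append(("unexpected_flow", src, dst, port))
    return findings


def affected_devices(advisory, inventory=INVENTORY):
    """Return addresses of devices whose model and firmware match the advisory."""
    return sorted(
        ip for ip, dev in inventory.items()
        if dev["model"] == advisory["model"] and dev["fw"] in advisory["affected_fw"]
    )


if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
    print("advisory matches:", affected_devices(ADVISORY))
```

The unknown-device finding is the visibility gap in miniature: a flow from an address that is not in the inventory cannot be judged against any baseline until the device is profiled.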

 

The Hyperconnected Future

Telehealth and the Bring Your Own Device (BYOD) trend are driving an even more connected landscape. And as COVID-19 will result in permanent changes that continue to drive both, management and security challenges will clearly increase. Looking ahead, it’s not difficult to envision a future where a majority of care is delivered through mobile, remote-capable monitoring solutions, so leaders must take notice. 

Recognizing that budgets and cybersecurity experiences vary, a logical first preparatory step is to take inventory of the devices used by clinicians to conduct remote consultations, followed by an inventory of mobile devices used to remotely monitor patients’ conditions. Are they hospital-issued devices or personal? What type of information are they transmitting and what, if any, security policies exist? What is the difference between device counts under Mobile Device Management (MDM) pre-COVID, versus the number of devices in use post-COVID?


As stated, the good news is that the market’s leading solution providers are genuinely on top of the problem space. The bad news is that separating the marketing hype from reality can be difficult. Choosing vendors that are focused on the acute care sub-vertical makes sense, as cross-industry solutions rarely work in healthcare. A focus on relevant, referenceable customer experience, data quality, and operationalized examples of integrations enabled by that data quality are also logical qualifiers. Along those same lines, ask your vendor how the data being captured are being operationalized because, if the right vendor is selected, financial offices can justify their investments against a business case that is no longer based on fear, but on operational improvements that can actually be monetized, and ultimately benefit patients.

Jonathan Langer is the CEO of Medigate