HEALTHTECH: What are the biggest cyberthreats facing healthcare organizations today?
MCKEE: Ransomware is still one of the biggest threats to healthcare. We’ll soon be publishing a report specific to healthcare in 2024, and to give you a sneak peek of some of those stats, we’re seeing that 91% of data breaches in the healthcare sector result in a ransomware attack. Ransomware is still a huge problem when we’re talking about healthcare.
Something that’s unique to the industry is medical device vulnerabilities. The number of connected devices continues to increase in the medical space, and what’s interesting about that is a lot of these medical devices were unfortunately never architected or designed to be connected to an active network. This means that a lot of the appropriate security controls were not included, which is not the fault of the developers because it was never part of the original threat model for them to consider. There’s a lot of low-hanging fruit for attackers, or easy things for them to exploit.
The third threat, in conjunction with medical device vulnerabilities, is supply chain attacks, which can come in many forms. We often forget that a vulnerability in a dependency, or a security issue in a library that’s used by a larger piece of software or hardware, is considered a supply chain attack.
One of the biggest examples of this in recent times is Log4j, which is still a very big problem across the world. In fact, we reported last year that 43% of the widespread attacks that we’re seeing are still leveraging Log4j. The reason that’s relevant to the healthcare industry is that there are connected medical devices, typically with older libraries that are more susceptible to software-based supply chain attacks due to the difficulty of updating and patching these devices.
HEALTHTECH: What is the current state of cyber resilience in healthcare?
MCKEE: I want to preface this by saying it’s very different across the board depending on the healthcare organization. I’ll approach this question in two ways: the good and the bad that we’re seeing related to healthcare resilience capabilities.
From a positive perspective, over the past five years, we’ve seen a huge improvement in awareness of just how important cybersecurity is in the healthcare industry. Organizations are realizing that cybersecurity is actually connected to patient safety. When talking to CISOs and executives in the healthcare industry, we’re hearing a lot more awareness and understanding that this is a problem. They know it needs to be a priority, and that’s a very positive thing. We can’t see change in security if there’s no awareness of it. We’re also seeing more awareness on the ground: When talking to doctors, practitioners and nurses, there’s an increasing awareness that cybersecurity is a growing issue. I think that’s a positive.
Another thing the healthcare industry is starting to improve on is adopting more advanced technologies. This is going to be a slow process due to the nature of the regulatory requirements placed on healthcare, but we’re starting to see things like complete encryption. While it sounds basic, complete encryption was not seen in healthcare for the longest time. There were all kinds of protocols going over the network that were just completely unencrypted.
We’re also starting to see device manufacturers ensure that end-to-end encryption is implemented within medical devices. Now, whether those devices are adopted in healthcare is a different conversation and struggle, but at least we’re seeing more secure technologies being used in medical devices. That’s trending in the right direction.
On the flip side of things, where healthcare organizations are struggling relates to resources and having the right people or technology in place to provide the right protections. Healthcare has one of the biggest struggles in any industry, and that’s because it’s hard to do anything when you have two No. 1 priorities: human life, which is the most critical thing, and cybersecurity. Organizations have to consider the fact that cybersecurity is connected to human life, and it needs to be one of their most critical priorities. Rectifying those two things is difficult. When an organization has limited resources, how does it compete for time, dollars, etc.? That continues to be a struggle in healthcare.
Last, as a result of having two major priorities, the healthcare industry is extremely focused on regulatory compliance. However, those compliance focuses often aren’t cybersecurity focused. They haven’t taken into account cybersecurity related to patient safety. Regulation is always a slow thing. I think it’s improving, but it’s still an area of struggle for healthcare organizations.
HEALTHTECH: What are some strategies and solutions healthcare organizations can implement to improve their cyber resilience?
MCKEE: People are often surprised by my answer to this question because it’s actually nothing technology-related. Most of the things that healthcare organizations can implement to improve cyber resilience are often process-based, believe it or not. A healthcare organization is never going to have enough resources, whether that’s people or technology, which means that prioritization is extremely important.
Prioritization and baselining are probably the two most important things that can improve an organization’s cyber resilience. Healthcare organizations shouldn’t rely on generalizations and say, “The attackers are coming for everything.” That might be true, but it’s not going to allow them to align their resources appropriately with what needs to be protected.
Instead, healthcare organizations should focus on what truly is mission-critical to their business. A good example of that is electronic health record solutions. Are we making sure that the security of an EHR, if that’s our business-critical system, is priority No. 1 when it comes to cybersecurity? If that means we have to pay less attention and time to some other things, then that’s OK, because we know that this is the crown jewel. Organizations have to prioritize the limited resources they have.