Hospital Security Teams: Are the Odds Stacked Against Them?

Written by

Stop me if you’ve heard this one before — hackers have infiltrated an organization, and critical data has been stolen, leading to damaged reputation, financial loss and possible legal action.

Of course, you have — it’s all over the news today.

What you may not have heard before is the way some hackers can infiltrate an organization’s network. In many cases, it’s not how you’d think. For example, consider the case of a North American casino, where their core system was breached and critical data of high rollers stolen by hackers via a connected thermometer in a fish tank.  

With hackers becoming increasingly creative and cunning with their methods, it’s no wonder hospital security teams feel the odds are stacked against them. The rate at which connected devices are coming online leaves IT teams little room to control how they secure these items, their networks, and ultimately the hospital's patients.

The number of IoT devices in healthcare is expected to reach more than 24 billion by 2030 and with good reason. These devices are helping physicians to provide better care and treatment for patients and improve the efficiency of hospital staff and operations. For example, with the recent COVID-19 pandemic, IoT and connected medical devices allowed hospitals to provide and offer patients telehealth options rapidly, lowering their potential risk exposure and delivering quality care to remote patients.

However, these devices — like the thermometer in the casino fish tank — can also be a real pain point for hospital security and IT staff. While staff may have been involved with the procurement and installation of certain IoT devices, such as connected HVAC thermostats or security cameras, many times they are unaware of that brand new internet-enabled coffee machine or refrigerator installed in the rehabilitation ward, and that can be an open door for hackers to gain unauthorized access to protected health information (PHI).

Many IoT and connected medical devices do not have the proper security controls that you might see on laptops or smartphones. As a result, they can also be impacted by vulnerabilities right from the manufacturer. Compounding the issue is that traditional IT tools also have difficulties identifying these devices and therefore have no ability to protect them from an external breach by malicious actors.

Many IoT and connected medical devices do not have the proper security controls that you might see in laptops or smartphones
Many IoT and connected medical devices do not have the proper security controls that you might see in laptops or smartphones

Now consider the risk of deploying these devices without adequately protecting them. First, there’s the financial risk of ransomware, which includes not only paying the ransom but the possibility of lawsuits from impacted patients. Second, there’s the threat of critical PHI data being stolen and sold on the Dark Web, exposing a hospital to fines imposed under HIPAA. Third, it can clearly expose key initiatives like digital transformation or telehealth and remote care — creating jeopardy for expansion plans. There’s even the risk to a hospital’s reputation, as a high-profile breach is newsworthy and could damage a patient's trust in the organization.

If that’s not enough to scare you into cashing in your chips, unlike other sectors, there’s the paramount threat to patient safety. A breached hospital network could lead to critical life-saving devices being shut down or altered to provide incorrect data about a patient or their treatment. In 2017, the WannaCry ransomware attack infected more than 250,000 medical devices in more than 150 countries, resulting in thousands of medical appointments, operations and treatments being canceled. Emergency rooms were unable to admit patients that needed urgent and immediate care. That no lives were lost was nothing short of miraculous.

This is where the C-Suite at major healthcare organizations around the world need to start paying attention. For whatever reason, far too many aren’t prioritizing cybersecurity.  

Some may not be aware of the potential impact. Others may think their IT teams cover it but don’t have visibility into their daily challenges. Others may feel a false sense of security because they have cyber insurance. However, a bit of inquiry would reveal that coverage amounts are shrinking while premiums are skyrocketing. Some insurers are starting to scale back what is covered because the risk is simply too high. Others, like AXA, a large insurer based in Europe, are beginning to exit the business. 

Hospital security and IT staff feel they are fighting a losing battle. Without the support and buy-in of their executive leadership, they will be overwhelmed by the sheer number of IoT and connected medical devices in their networks.  

Executives need to step up and invest the resources necessary to ensure the safety of their patients and their trust that personal information will not be exposed to a criminal underworld. They need their security and IT teams to conduct regular assessments of their networks, devices, and protection.  

This is no small task because it requires evaluating every connected device (IoT, IoMT, and medical) regardless of criticality or functionality.

Whether it’s alarm systems, monitors, MRI machines, guest networks or even fish tanks, hospital executives need to make a bet that this game is not over.

What’s hot on Infosecurity Magazine?