Understanding and Mitigating Cyber Risk in the Healthcare System

On October 28, 2020, hackers attacked the University of Vermont (UVM) Medical Center in Burlington. According to the hospital, the ransomware attack hit some 5,000 computer systems and 1,300 servers, first shutting down internal hospital applications, then targeting its electronic health records database. Services were not nearly fully restored until the end of December, and the outages cost the hospital tens of millions of dollars. Even worse, officials said the attack prevented the hospital from providing essential services – such as chemotherapy for cancer patients, who had to be sent to other institutions for care.

Given the damage hackers inflicted on just one hospital in one attack, imagine the fallout that would ensue if hackers launched a coordinated attack against several hospitals in a major metropolitan area. And what if such an attack happened at the height of a pandemic like COVID-19?

Unfortunately, the likelihood of such an attack is higher than we might think. The National Institute of Standards and Technology (NIST) has reported that health systems and hospitals have an average of 46% conformance with its Cybersecurity Framework (CSF) – the agency's best practices recommendations – “well below” what NIST believes is safe for healthcare, and significantly lower than many other industries.

Hospitals, like most organizations, have to contend with threats such as network vulnerabilities, human error, DDoS, ransomware and man-in-the-middle attacks, among others. These forms of attack are well known, and there is a plethora of solutions available to remediate them.

Beyond these common threats, however, the particular demands of running a hospital IT system create risks that are unique to medical organizations. For years, the FDA has been warning of the inherent security risks in medical devices, including defibrillators, X-ray machines, CT and MRI scanners, ultrasound and mammography devices. By attacking these machines, hackers can threaten to shut them down permanently if their demands are not met.

Beyond the threat to medical devices, the interconnectivity required to run a hospital also presents a severe risk. According to a US Department of Health and Human Services report, “the healthcare supply chain is at risk,” with third-party vendors – including EHR processors, pharmaceutical companies that connect to hospitals electronically, cloud service providers and others – all vulnerable to attack, multiplying the points from which an attack against a hospital can be launched.

In addition, the COVID-19 crisis has exacerbated the human-factor problem. To cope with the influx of patients, hospitals have had to hire new staff, yet, because of the crisis, there is less time to train them on cybersecurity issues. The pandemic has also led hospitals to accelerate their move to “digital” – more staff are working remotely, and there has been a sharp increase in remote diagnostic applications and remote patient treatment – further exposing hospitals to potential security flaws on less protected remote networks.

With a network handling tens of thousands of connected devices at any given moment, a hacker needs only one flaw in that ecosystem to get in. Given this combination of factors, the threat landscape for hospitals is daunting, especially considering that most hospitals have severely understaffed cyber-defense teams, which are unlikely to have the resources required to do a thorough – and ongoing – analysis of every aspect of their IT systems.

When assessing risks, security teams must overcome the gap between their needs and their limited resources. This requires them to efficiently analyze the relationships between data, medical devices, vendors, networks and the myriad other IT considerations, and then zero in on the points of contact that are vulnerable to breaches. Automated security analysis systems can most effectively give security teams a clear, real-time map of potential risk, allowing them to act before an attack is launched and to develop a mitigation plan that addresses the hospital’s security needs for the immediate as well as the long-term future. With that plan, CISOs can more effectively present a legitimate case – backed by data – to the Board of Directors.

By improving their own cyber postures, hospitals will harden their entire ecosystems, benefiting the dozens of organizations that are part of their wider network and decreasing the likelihood that a hacker will successfully launch a targeted attack.

If poorly protected against cyber-attacks, even the world’s best hospitals are one vulnerability away from being crippled in their ability to carry out even the most basic procedures. Anticipating and planning for attacks, and implementing the proper cyber-defense layers, will ensure they can continue caring for patients rather than worrying about their next cyber-attack.