Getty Images/iStockphoto
Top Mid-Year Healthcare Cybersecurity Trends
Experts share insights on this year’s healthcare cybersecurity trends, citing the continued prominence of ransomware and ongoing medical device security risks.
A constant stream of ransomware attacks, increasing technological complexity, and escalating medical device security concerns across the sector have put pressure on healthcare cybersecurity efforts so far in 2022.
In conversation with HealthITSecurity, several experts offered their thoughts on current cybersecurity trends and predictions for what’s to come.
BREACHES, RANSOMWARE CONTINUE TO OVERWHELM HEALTHCARE SECTOR
In the first six months of the year, covered entities reported 337 healthcare data breaches (impacting more than 500 individuals each) to the HHS Office for Civil Rights (OCR).
According to a report by Fortified Health Security, 80 percent of those breaches were attributed to hacking/IT incidents, compared to 73 percent at this time last year. Ransomware attacks continue to account for a large portion of healthcare data breaches as threat actors repeatedly go after healthcare’s hold on sensitive, high-value data.
“At the end of the day, healthcare is low-hanging fruit for these criminals,” Ferdinand Hamada, managing director of healthcare at MorganFranklin Cyber, explained in an interview with HealthITSecurity.
“It's a lucrative business for them because they know healthcare is going to pay the ransom.”
In fact, a recent Sophos report discovered that healthcare was the most likely sector to pay a ransom. Just over 60 percent of survey respondents who experienced encryption admitted to paying the ransom, compared to a cross-sector average of 46 percent.
Hamada also noted an uptick in attacks against managed service providers (MSPs), a renewed emphasis on IoT security risks, and the prominence of ransomware-as-a-service (RaaS) operations.
Adam Kujawa, director at Malwarebytes Labs, also brought attention to the vulnerability of the healthcare sector when it comes to cybersecurity.
“The attackers who focus on healthcare organizations know that many of their targets have more endpoints than they can keep track of, which creates an opportunity for an attacker to take advantage,” Kujawa explained.
The Malwarebytes Labs team has observed an uptick in Trojan malicious scripts, malicious adware, and information-stealing malware.
“If these exploits remain effective, we’ll continue to see attackers attempt to use them to gain access. However, as with all vulnerabilities, the longer we go from the initial discovery, the more protected and patched systems get, reducing the pool or potential victims.”
ORGS INCREASE MITIGATION EFFORTS TO COMBAT RANSOMWARE
As exploitation attempts increase in severity and scope, many healthcare organizations are recognizing that they must also bolster their cybersecurity efforts.
Kujawa recommended that healthcare organizations immediately remove vulnerable endpoints from direct internet access and deploy anti-exploit technology to prevent intrusions.
“Being able to quickly scan, update and isolate systems remotely is a high priority and can make a huge difference between a single infection and dozens of infections,” Kujawa noted.
In addition to technical safeguards, Hamada urged to organizations implement cyber and operational resilience programs to combat cyber threats.
“Having an effective resilience program that integrates business continuity and emergency response is very critical for healthcare,” Hamada reasoned.
Resilience programs should contain communications plans, incident response plans, EHR continuity plans, and other response and recovery considerations. As more healthcare organizations reluctantly accept the “it’s not if, but when” mentality when it comes to cyber risk, they must match the severity of the current cyber threat landscape with equally strong mitigation tactics.
Hamada also said that he has been seeing more organizations using data vaults and air gaps to provide an additional layer of defense to their data, along with actionable ransomware playbooks and tabletop exercises to further enhance security efforts.
Kujawa similarly noted the importance of having business continuity and response plans for when things go awry.
“Without having a preexisting plan for when things inevitably go wrong, organizations will waste precious time trying to understand the threat rather than containing it,” Kujawa said.
INCREASING COMPLEXITY INTRODUCES NEW RISK
“There are so many interdependencies within the industry. There are different personas and identities, and supply chain risks with separate organizations, people, and resources,” Hamada explained.
“It is difficult to understand security measures at every step of the supply chain. If you don’t pay attention, the results can be disastrous.”
Increasing complexities across the industry make it even harder for cybersecurity teams to manage risk, especially amid a cybersecurity workforce shortage. Along with supply chain risks, the sector is increasingly outsourcing business-critical functions to third-party vendors.
Hamada also noted the recent surge in merger and acquisition (M&A) activity across the sector. The latest edition of Kaufman Hall’s M&A Quarterly Activity Report showed that healthcare M&A revenue hit a record high in the second quarter of 2022, with 13 transactions generating $19.2 billion.
Introducing new business partners or taking part in a merger or acquisition comes with new security risks that must be considered. Hamada predicted that a high volume of M&A activity would continue into the rest of 2022 and encouraged healthcare organizations to conduct thorough risk assessments and make sure that new business partners are aligned with the organization’s existing security processes and controls.
MEDICAL DEVICE SECURITY CHALLENGES PERSIST
Healthcare organizations face a multitude of troubling systemic medical device security challenges. Many organizations rely on legacy devices, and others lack a reliable inventory of all the devices on their network. Threat actors have taken note of these challenges and are increasingly targeting devices to gain entry into an organization’s network.
Vidya Murthy, COO of MedCrypt, shed light on persisting medical device security challenges that healthcare organizations and manufacturers continue to face in 2022. Along with searching for solutions to escalating security issues, providers and manufacturers alike are looking for unified guidance from the US Food and Drug Administration (FDA) and HHS.
“A lot of us were waiting for the FDA's finalized version of its premarket guidance,” Murthy explained, referring to the FDA’s long-awaited April 2022 update to its premarket cybersecurity guidance for manufacturers.
The FDA initially released its final guidance regarding premarket expectations in 2014 and additional drafted guidance in 2018. However, the administration explained, the rapidly changing threat landscape “necessitates an updated approach.”
Within the guidance, the FDA proposed that device manufacturers follow Quality System Regulation (QSR) requirements by conducting software validation and risk analyses, and recommended that manufacturers implement a Secure Product Development Framework (SPDF), which is a set of processes that aims to reduce the number and severity of vulnerabilities.
The guidance also emphasized the importance of evaluating third-party software components, utilizing threat modeling, performing security risk management practices, and creating a software bill of materials (SBOM) for each device and software component.
But the updated guidance received mixed feedback from the industry, Murthy explained. Some thought that it unexpectedly deviated from past FDA guidance.
“But in my opinion, there is a lot more alignment in this guidance document to how devices are actually built,” Murthy noted.
“I think the alignment with quality and that clear build into life cycle management really benefits the device maker because it's no longer Bob down in security arguing for prioritizing security. It is now as equivalent to patient safety as your quality system would otherwise tell you.”
A more systemic approach to medical device security and risk management may be needed to unify the industry. As the industry continues to wait for final versions of federal guidance, Murthy advised organizations to get started on improving medical device security from within.
“Don't keep waiting for the perfect moment when engineering has a cycle, when regulatory is alive, and when everybody is saying yes,” Murthy said.
Implementing a more robust threat model and strengthening your organization’s security architecture is a good first step toward securing IoT and medical devices.
The back-and-forth dialogue between device manufacturers, healthcare organizations, and regulators is likely to persist through the remainder of 2022 and beyond. Even as medical device security issues evolve, ransomware continues, and complexity increases, healthcare organizations can implement technical and administrative safeguards to reduce cyber risk as the year forges ahead.