HEALTHCARE’S CYBERSECURITY PROBLEM: WHY THE INDUSTRY HAS FALLEN BEHIND ON PREPAREDNESS

By CHHS Extern Peter Scheffel

The healthcare industry is facing a dismal outlook in terms of cybersecurity in 2023 and beyond. A new report from Proofpoint and Cybersecurity at MIT showed that cybersecurity remains much lower on the priority list of healthcare boards versus other sectors. According to the report: 61% of healthcare boardrooms talk about cybersecurity monthly at minimum, and 64% of healthcare boards reported that they had invested sufficiently in cybersecurity. This is in stark contrast to the 75% of all other sectors which discuss cybersecurity at least monthly, and the 76% of all sectors who are satisfied with their investment in cybersecurity. Looking ahead is equally grim, with a smaller percentage of healthcare board participants (77%) expecting to see their cybersecurity budgets increase in the next 12 months compared to 87% of all other study participants expecting an increase. In addition, the healthcare industry has fallen behind in utilizing dark web intelligence, with only 57 percent of healthcare chief information security officers incorporating dark web intelligence into their strategies. The dark web acts as an exchange for malware, ransomware, and stolen information among other illegal activities, and collecting information on this activity as part of pre-attack planning can help companies prevent cyber intrusions before they take place.

It is therefore troubling then, to consistently find such an important industry struggling to counteract the myriad of cybersecurity threats it constantly faces. In terms of outlook, it is critical that the healthcare industry improve its cybersecurity measures and grow in capability and response.

The first issue one must analyze in assessing the state of the healthcare cybersecurity system is why it is so susceptible to attack in the first place? The answer is directly connected to healthcare’s importance in everyday life, and the valuable information the industry utilizes. For one, healthcare organizations engage with enormous amounts of personal and private data. For criminals engaged in malicious cyber activity, healthcare organizations also offer higher chances of compliance with, for example, ransomware (a form of malicious software that prevents access to computer files, systems, or networks until a ransom is paid) given the higher consequences if the attack continues unobstructed to patients, necessary medication, and devices with which medical practitioners rely on to provide care to patients. And as with most criminal enterprises, laziness continues to be a facet of the perceived opportunity. Healthcare appears as an easy target regarding this malicious actor laziness because healthcare organizations continue to lag behind in funding, planning, and promoting of cybersecurity measures.

Over the last few years, several circumstances have exacerbated this problem. First of which has been the continuous uptick in ransomware attacks on U.S. hospitals, which have doubled since 2016. This inevitably overwhelms already unprepared organizations, only worsening the present healthcare cybersecurity problem. Second, malicious hacking groups are becoming bolder in their consistency in healthcare sector attacks. Indeed, healthcare was the most targeted sector for cyberattacks as early as 2021, and groups such as the KillNet, a pro-Russia hacktivist collective continue to increase distributed denial of service (DDoS) attacks on healthcare organizations (DDoS attacks send too many connection requests to a server, overloading it and slowing down/freezing systems). According to Microsoft’s Azure Network Security, DDoS attacks from KillNet rose from 10-20 daily attacks in November of 2022 up to 40-60 daily attacks as of February of 2023. Targets varied and included hospitals, health insurance companies, pharmaceutical companies, and other general medical health services. Third is COVID-19. The healthcare industry at large has had to operate with the difficulties brought on by the pandemic, which only compounded pre-existing pressures, thereby widening opportunities for exploitation. Hospitals and the healthcare industry unsurprisingly then experienced higher cybercrime activity during the height of the pandemic, with ransomware and phishing attacks (an attempt to trick users into for example clicking on a bad link that will download malware) being the dominant method of infiltration by malicious actors. Even medical equipment within the healthcare industry has been subject to cyberattacks and can act as an easy entry point into the healthcare system.

Several recent responses do highlight a desire for broad improvement for healthcare cybersecurity. Examples include the Food and Drug Administration (FDA) releasing updated guidance on cybersecurity measures for medical devices the week of March 26, 2023. The FDA now recommends that medical device manufacturers submit a plan which identifies and addresses cybersecurity vulnerabilities discovered after market. The FDA is also asking medical device manufacturers to implement measures which provide reasonable assurance that the medical device and its systems are secure from cyber vulnerabilities and to release patches both for discovered critical vulnerabilities and routine maintenance. Lastly, the FDA is requesting newly manufactured medical devices include a software bill of materials (a record of components used to develop the applicable software and its relationships in the supply chain).

On March 8, 2023 the Department of Health and Human Services also released a cybersecurity framework implementation guide to help bolster cybersecurity efforts within the healthcare sector. In summary, the framework aims to implement the 2018 National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity by gap-filling identified risk practices and providing risk management principles and best practices as well as promoting application of a comprehensive industry specific cyber risk management structure. This includes a seven-step implementation process and five high-level functions.

Lastly, in March of 2023, President Biden signed a provision into law as part of government funding legislation. This provision, based on drafted legislation by United States Senators Gary Peters (D-MI) and Rob Portman (R-OH), will require critical infrastructure owners/operators to report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) inside of 72 hours; and within 24 hours after a ransomware payment is made. Under the provision, CISA is also required to create a program capable of warning relevant organizations of ransomware exploitable vulnerabilities and provides CISA with authority to institute a joint ransomware taskforce for coordination with industry of these efforts. Organizations which fail to report are subject to subpoena and may be referred to the Department of Justice if the subpoena is ignored. This legislation may promote better communication and awareness of vulnerabilities in the healthcare sector and serves as a starting point for increased coordination.

Despite potential improvements from government policy, the most recognizable change will have to begin inside the healthcare sector and its organizational boards. Core issues continue to hinder cybersecurity progress in healthcare, including problematic misplaced confidence within the healthcare sector. Unfortunately, only 50% of healthcare boards believe their organization is at risk of substantial cyberattack in the next 12 months. And only 43%  believe their organizations are unprepared to deal with a targeted attack (65% and 47% for all other sectors). Other ongoing issues include lack of cybersecurity expertise by healthcare board directors and poor communication with the organization’s CISO.

Improvement must be sought after with higher urgency because lack of preparedness affects patient wellbeing. Of the critical infrastructure sectors, healthcare arguably has the closest connection to life and death outcomes in the near-term post cyberattack. Testing and procedure delays affect people’s lives. Therefore, a continued responsibility to improve cybersecurity exists within the healthcare sector. Knowledge and planning serve as the first step towards industry wide improvement if the industry is to ‘wake-up’ and engage in stronger cybersecurity before the consequences escalate further.