Reducing Cyber Risk in the Healthcare Sector

More than just traditional leadership skills are necessary for businesses to stay ahead of the curve. With the exponential growth of artificial intelligence (AI) technologies, businesses are finding themselves at a crossroads: adapt and thrive or risk falling behind. At the heart of this transformation lies the importance of hiring leadership that not only understands the significance of AI but also embraces its potential to drive innovation and growth. And in the world today, its importance is amplified.

The attack on Change Healthcare, attributed to the notorious BlackCat (aka ALPHV) group, highlights the crippling impact of these incidents. The disruption caused by the attack and the organization’s difficult decision to pay a hefty ransom ($22 million) underscores just how vulnerable the sector is to cybercrime.

Similarly, the ransomware attack on Ascension by Black Basta crippled its vast network of 140 hospitals, leaving medical professionals strained and having to rely on manual record-keeping for weeks on end. An online petition by Ascension Providence Rochester Hospital staff reveals the human cost of these attacks – patient care suffers as staff struggles with limited access to electronic medical records (EMRs). More than a month after the attack, the fallout continues, demonstrating the long-term consequences for both patients and healthcare professionals.

In this post, we’ll explore the complex web of cybersecurity challenges plaguing the healthcare sector. We’ll then examine potential solutions and, finally, the important role of information sharing and collective defense in building a more secure future for healthcare.

  • The Roadblocks to Cyber Risk Reduction in Healthcare

      ARPA-H, a US government agency focused on health research, is investing $50 million to develop an autonomous cybersecurity solution for hospitals. In its announcement of the program, called “Universal Patching and Remediation for Autonomous Defense” or UPGRADE, ARPA-H describes the challenge faced by healthcare cybersecurity professionals as follows:

      “Deploying security updates in hospitals is difficult because of the sheer number of internet-connected devices, limitations in health care IT resources, and low tolerance for device downtime needed to test and patch. Despite the size of the cybersecurity industry, health care sector challenges remain under addressed, even as more pieces of equipment are network-connected than ever before.”

      The vulnerability of the healthcare sector to cybercrime was made evident by Change Healthcare’s massive ransom payout to ALPHV. Because of the critical nature of the services they provide and the lives that depend on them, hospitals cannot afford downtime. Bad actors have no hesitation in exploiting this. In his testimony before the Senate Finance Committee, Andrew Witty, CEO of UnitedHealth (Change Healthcare’s parent company), said, “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year. These criminals… have increasingly targeted critical infrastructure, including schools, government agencies and the health care sector. (They) are willing to attack everything from community hospitals to pharmacies to networks like ours that enable the information exchange necessary to provide care.”

      The Cybersecurity and Infrastructure Security Agency (CISA) identifies the following as the primary cybersecurity challenges facing the healthcare sector:

      Large Number of Connected Devices Ripe for Exploitation

      The rapid development and deployment of internet-connected medical devices often overlooks critical security considerations. These devices can create new attack vectors for malicious actors, potentially compromising patient privacy and safety. The rise of unregulated mobile health applications, too, can leave sensitive patient health information (PHI) and personally identifiable information (PII) inadequately secured.

      Strained and Underprepared Hospital Staff

      Healthcare personnel are often overburdened and may lack comprehensive cybersecurity training. While training is essential, environmental pressures in busy healthcare settings can undermine even well-intentioned security practices. Balancing operational efficiency with strong information security remains a significant challenge.

      Balancing Speed, Efficiency and Security

      The daily demands of patient care can sometimes prioritize speed and information sharing over data security. Additionally, compliance requirements and business needs often necessitate large-scale data portability, creating a complex web of access points that require careful management.

      Supply-Chain Risks and Unprotected Legacy Systems

      The digitalization and integration of previously standalone technologies create a multitude of cybersecurity challenges. Interoperability dependencies, supply-chain risks, and vulnerabilities in legacy systems – those no longer supported by their manufacturers – introduce significant security gaps. The interconnectedness of systems creates complex supply-chain risks. Added to these are legacy systems that cannot be patched with the latest updates, leaving them permanently vulnerable to attacks and, in turn, exposing other connected systems.

      Inadequate Cybersecurity Budgets and Resources

      Hospitals often allocate a significant portion of their limited IT budgets to acquiring, implementing, and adopting new technologies. This leaves few resources for securing data, networks and devices. Furthermore, smaller healthcare organizations may lack dedicated internal IT or security teams, making the situation worse.

      The High Value of Healthcare and Research Data

      Patient Health Information (PHI) is a highly valuable commodity on the dark web. By some estimates, PHI is far more valuable to criminals than even credit card data. This data attracts not only financially motivated criminals, but also nation-states seeking a strategic advantage. Compromised credentials can provide continued access to systems, allowing attackers to inflict widespread damage. Another enticing target is biomedical and pharmaceutical research and development data – worth hundreds of billions of dollars in total.

      The good news is that there are concrete steps healthcare institutions can take to overcome these challenges and mitigate risks.