The necessity of digitalization has made virtually every industry a potential target of cyber attacks. The healthcare industry, in particular, is not only dealing with biological problems but also cyber threats that have serious health and life impacts. According to Statista, healthcare was the seventh top target of cyber attacks in 2022.
It is safe to say that most in the healthcare sector are already aware of the cyber challenges. One study shows that 76 percent of non-IT professionals in the healthcare setting believe that they would perform their jobs better if they follow security policies. However, it is likely that not many understand the extent and gravity of the risks and can identify attacks or unsafe practices. Most importantly, the most urgent risks tend to be overlooked in many cases.
Healthcare system complexity
One of the biggest challenges of implementing healthcare cyber security is the complexity of the healthcare IT ecosystem. This is particularly more pronounced now with the advent of connected medical devices and the Internet of Things. Many hospitals and other healthcare facilities already use connected medical devices, which are certainly convenient to have. However, they carry new risks that complicate cybersecurity. They can become targets of unauthorized access, distributed denial of service attacks, spyware, the dissemination of viruses and other malware, patient data theft, and the unauthorized remote operation of devices.
Noted cybersecurity strategist Danielle Jablanski, who is associated with the International Society of Automation Global Cybersecurity Alliance (ISAGCA), refers to complexity as “the enduring enemy of medical cybersecurity.” In an op-ed, Jablanski cited a study that reveals alarming details on how connected medical devices constitute a significant part of healthcare cybersecurity vulnerabilities.
Around 75 percent of infusion pumps reportedly had at least one vulnerability. Some 51 percent of x-ray machines, 44 percent of CT scan equipment, and 31 percent of MRI machines have high-severity common vulnerabilities and exposures. These risks are already serious, and it is not reassuring that healthcare facilities do not have full visibility over them and lack the means to effectively oversee and address the threats.
How is this an urgent concern? Complexity of healthcare IT ecosystems is an urgent problem because many institutions still do not have effective ways to systematically address the complexity of healthcare cybersecurity. Add to this the continued use of old and obsolete devices in hospitals, which make healthcare cybersecurity even more complex because they are not compatible with modern security solutions. No less than the FBI raised alarm over the use of legacy medical devices.
How can this be resolved? The replacement of legacy devices should be a priority. However, it is understandable that not everyone can readily do this. One solution is to use consolidated cybersecurity solutions that can secure highly complex IT environments and unify existing security controls, including those in the medical or healthcare settings.
Budgetary constraints and other limitations
The year 2022 was one of the worst years for the healthcare industry in terms of funding, and 2023 does not seem to be any better. There is a financial crisis sweeping hospitals across the United States. The rest of the world is expected to be reeling from the same problem given the impact of economic tumult and uncertainties worldwide.
A 2022 BlackBerry research reveals that healthcare organizations understand that cybersecurity is costly and they are not prepared for it. Some 83 percent of IT and cybersecurity professionals from the healthcare sector say that establishing an effective cybersecurity program is expensive. The costs are largely driven by the required tech tools, licenses, and personnel.
Additionally, the BlackBerry research shows that only 45 percent of healthcare organizations are confident in their tools and knowledge in detecting and addressing cyber threats, especially zero-day attacks. Many have already invested in cyber defenses, but a considerable number of them are unsure if these protections are adequate. The problem of alert fatigue also emerges, as around half of the healthcare organizations admit that they do not have the capability to respond to the overwhelming stream of security alerts they get from their security controls.
Moreover, there is a cybersecurity skills shortage. Around 4 in 10 healthcare organizations say that they do not have enough security teams to effectively address cyber threats. Also, 8 in 10 of them are intimidated or daunted by the work involved in running a security operations center.
How are these urgent concerns? With rosy projections becoming elusive for the global economy, budgetary limitations are set to make healthcare cybersecurity more challenging. It would be logical for hospitals to focus their resources on their core services, but it is similarly important to pay attention to the risks brought about by using connected medical devices. The cybersecurity skills shortage is also notable because it continues to be a global concern. This shortage can make healthcare cybersecurity more expensive and difficult.
How can these be resolved? It is crucial to establish an effective cybersecurity system or obtain a third-party solution that provides efficient protection and harnesses AI to automate various tasks to compensate for the security skills shortage.
Insider cybersecurity threats in healthcare institutions include the lack of cybersecurity awareness and mindfulness among employees and admin teams, negligence, accidents that create opportunities for attacks, and the malicious actions of disgruntled employees and insider threat agents. Whether they are intentional or accidental, all forms of insider threats have the same adverse effects on healthcare cybersecurity. As such, they must be addressed accordingly.
According to the Insider Threats in Healthcare report of the US Department of Health and Human Services’s Cybersecurity Program, employee negligence is the leading form of insider threat. This constitutes 86 percent of incidents, with 25 percent attributed to stolen employee credentials. Malicious insiders or those who intentionally violate security rules and breach cyber protections only make up 14 percent of insider threat cases.
The report also notes that an overwhelming majority of organizations (82 percent) are clueless about the actual damage of an insider attack. It also indicates that insider threats often lead to serious consequences. These include critical data loss, operational interruptions or outages, reputational damage, competitive losses, legal liabilities to patients, penalties for regulatory violations, and the costs of remediation.
How is this an urgent concern? Hounded by funding challenges and the growing sophistication of cyber threats, healthcare organizations must aggressively address insider threats.
How can this be resolved? Since negligence is the biggest form of insider threat, the corresponding solution is adequate cybersecurity training for everyone. Also, stringent security rules should be in place and stringent rules enforcement must be ascertained.
It is not easy to implement effective cybersecurity in the healthcare industry and in other settings. However, it is a must for all organizations that embrace digitalization and new technologies. There will be complexities that make it difficult to establish and implement appropriate cyber defenses. There are also financial and other resource challenges worsened by the inevitability of insider threats. Still, there are ways to get around all of these difficulties and come up with an effective and efficient healthcare cybersecurity system