Address Medical Device Vulnerabilities to Protect Healthcare System Cybersecurity 

Updated on December 4, 2022
Scott Trevino

Nearly 90% of healthcare organizations surveyed have experienced a cyberattack within the past year—many face them almost weekly. Each healthcare cybersecurity breach compromises patient care and costs more than $10 million on average. More than 20% of healthcare system cyberattack victims reported an increased mortality rate, and more than half saw poorer patient outcomes after delayed procedures and tests. These statistics illustrate the importance of an effective cybersecurity program. 

In addition to the value of patient information, medical care’s critical (and often urgent) nature makes these organizations a lucrative target for hackers because healthcare providers do not have the luxury of time when determining a response. In 2021, the healthcare sector had the highest increase in both cyberattack volume and complexity and has endured the highest average data breach cost of any industry for the last 12 years. With the ever-increasing stakes, leaving vulnerabilities unmitigated is not a viable strategy. A proactive and optimized cybersecurity program is essential to an effective breach prevention, detection, and response strategy that reduces the impact on an organization’s patient safety, quality of care, reputation, and trust.

To tackle cybersecurity head-on, healthcare organizations must address one of their most significant weaknesses—connected medical devices.

Unaddressed medical device vulnerabilities can provide a way in

Exploiting cyber vulnerabilities is the primary way ransomware groups gain entry into a vulnerable network. Healthcare organizations have an average of more than 26,000 network-connected devices, and 53% have a known vulnerability. According to a recent healthcare cybersecurity survey, 64% of respondents reported concerns about medical device security, but only 51% included clinical assets in their cybersecurity strategy.

Complete inventory assessment

To properly gauge risk, health systems must complete an inventory assessment to gather a complete list of clinical assets. Accurate inventory visibility is required to establish an effective cybersecurity strategy and program. Many organizations lack an exhaustive record. Some have inaccuracies as high as 40%, preventing them from seeing the complete picture. By accounting for every medical device and evaluating individual device attributes, systems can view the scope of risks and vulnerabilities on a device, network, and organizational basis to create an accurate risk profile.

Remediating vulnerabilities

Although original equipment manufacturers (OEMs) provide some security patches, in many cases, a vulnerability may not meet the FDA’s current criteria for a recall, meaning OEMs are not required to remediate those vulnerabilities. This leads to diverse responses by OEMs—they may provide a remedy, a compensating control (mitigation), or not address the issue at all. Additionally, response time and financial cost vary between vulnerabilities.

If no OEM patch is available—which can be the case for up to 68% of vulnerabilities—healthcare systems will need a different approach to improve their risk posture and address the vulnerability. Strategies include compensating controls such as removing a device from the network, segmenting a network, or disposition and replacement—which can be costly if many devices are impacted. 

Medical device cybersecurity planning challenges 

Addressing medical device vulnerabilities is not straightforward due to the many crucial variables involved. Medical device management teams must remediate vulnerabilities while ensuring the fix does not detract from the device’s safety and effectiveness or impact care quality. Determining a remediation strategy involves three areas of consideration:

1. Cyber vulnerability 

Cybersecurity teams must evaluate the ease of exploitation, what will be exposed in the event of a compromise, how the device is used in patient care, and the OEM remediation status. 

2. Device risk

The critical components of device risk include the severity of potential harm if the vulnerability is exploited and the probability of exploitation.

3. Patient safety and context of use 

This consideration involves evaluating the risk to patient safety and the consequences of device failure. The device’s location and use both need to be taken into account. The same device operating in different clinical settings can pose different risks. For example, an EKG machine in the emergency department fulfilling urgent medical needs and requiring a network connection has a different context of use and risk profile than one in use in a doctor’s office.  

With this information, medical device teams can prioritize risk remediation. Priorities will vary depending on a health system’s risk tolerance, lifecycle management criteria, and budget. Risk mitigation is an ongoing process requiring technology, people, and process. People carry out the assessment and repairs. A defined process and strategy enable effective vulnerability management and threat responses. Technology manages inventory, automates processes to reduce errors, calculates risk, detects anomalies, and delivers actionable information.
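
The three considerations above can be combined into a simple ranking, shown here as an added example that is not from the article or any TRIMEDX product. The 1-5 scales, the context weights, the score threshold of 15, and all device records are assumptions constructed for illustration; a health system would set them from its own risk tolerance.

```python
from dataclasses import dataclass

# Assumed weights (not from the article): more urgent care settings score higher.
CONTEXT_WEIGHT = {"emergency_department": 1.5, "inpatient": 1.2, "physician_office": 1.0}
ESCALATE_AT = 15  # assumed threshold above which replacement is also planned

@dataclass
class Finding:
    device_id: str
    device_type: str
    location: str        # context of use
    needs_network: bool  # does care delivery require a network connection?
    severity: int        # potential harm if exploited, 1-5
    probability: int     # likelihood of exploitation, 1-5
    oem_status: str      # "patch", "mitigation", or "none"

def risk_score(f):
    """Device risk (severity x probability) scaled by context of use."""
    return round(f.severity * f.probability * CONTEXT_WEIGHT[f.location], 1)

def recommended_action(f):
    """Choose a remediation path from OEM status and context of use."""
    if f.oem_status == "patch":
        return "apply OEM patch"
    if f.oem_status == "mitigation":
        return "apply OEM compensating control"
    # No OEM remedy: fall back to the compensating controls the article lists.
    if not f.needs_network:
        return "remove from network"
    if risk_score(f) >= ESCALATE_AT:
        return "segment network; plan replacement"
    return "segment network"

def prioritize(findings):
    """Highest risk first; ties broken by device id for stable output."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.device_id))
    return [(f.device_id, risk_score(f), recommended_action(f)) for f in ranked]

# Constructed sample data: the same EKG model and vulnerability in two settings,
# plus one device for which the OEM has shipped a patch.
FINDINGS = [
    Finding("EKG-OFFICE-01", "EKG", "physician_office", False, 4, 3, "none"),
    Finding("EKG-ED-01", "EKG", "emergency_department", True, 4, 3, "none"),
    Finding("PUMP-ICU-07", "infusion pump", "inpatient", True, 5, 2, "patch"),
]

if __name__ == "__main__":
    for device_id, score, action in prioritize(FINDINGS):
        print(f"{device_id:15} {score:5} {action}")
```

The two EKG records carry the same vulnerability, yet the emergency department unit ranks first and gets a different action because it must stay on the network.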

Healthcare systems can maintain continuous risk assessment and device, network, and behavioral monitoring with a comprehensive clinical asset management program. The technology helps device teams understand the inventory, cyber vulnerability, device risk, network activity, and patient safety. As the number of connected medical devices grows, network monitoring becomes increasingly vital. Devices are constantly connecting and disconnecting from the network. By continuously tracking each piece of equipment, the software can alert users to network abnormalities, including unusual behavior and unauthorized or unverified devices. This enables the cybersecurity team to identify threats sooner. A comprehensive program centralizes information to provide visibility, increases efficiency, and facilitates better strategy.

To take a truly proactive cybersecurity approach, a health system’s strategy must evolve with technology and cyberthreats. Healthcare leaders can’t rely on playing catch-up when so much is at stake. 

Building a robust cybersecurity program that adequately addresses healthcare systems’ current threats involves a significant investment in people, processes, and technologies. Healthcare organizations face substantial financial challenges right now, but investing in prevention is necessary given a breach’s high monetary cost and potential negative impact on patient safety and brand reputation. Take this opportunity to examine your current approach to cybersecurity and ensure it is the right fit for your health system.

About the Author

Scott Trevino is senior vice president of cybersecurity at TRIMEDX, and in this capacity, he leads efforts to define the strategy to deliver value, growth, and evolution of TRIMEDX’s cybersecurity solutions. He is responsible for identifying trends in cybersecurity technology, as well as recognizing and anticipating the evolution of clients, market, and industry needs to translate them into market-leading solutions that meet the needs of and bring value to clients.