EXECUTIVE SUMMARY:
It has become painfully obvious that cyber security is critical in enabling clinicians to provide quality care to patients. Recent cyber attacks against CommonSpirit Health compromised the personal data of over 600,000 patients, a hospital in Illinois closed its doors permanently after it was breached, and yet another hospital was forced to send emergency cases to other emergency rooms upon experiencing a cyber attack.
Unfortunately, these are not uncommon occurrences. In 2022, the healthcare industry experienced a 78% year-over-year increase in cyber attacks, with an average of 1,426 attempted breaches per week, per organization. It cannot be overstated: in healthcare, cyber attacks are a matter of life and death. In fact, a survey conducted by the Ponemon Institute found that more than 20% of healthcare organizations reported an increase in patient mortality rates after experiencing a breach.
Why do cyber criminals target healthcare groups? Because healthcare entities need to serve patients immediately, disrupting a healthcare facility increases the likelihood that a high ransom fee will be paid. A healthcare breach can also offer hackers massive volumes of valuable data, nearly guaranteed media coverage and dark web acclaim.
The healthcare sector is vulnerable for several reasons. First, the increasing sophistication and volume of cyber attacks is not a threat that these organizations are set up to deal with. Many hospitals rely on a blend of old and new technologies, most of which are either not directly managed or have been forgotten due to improper documentation. This problem has only grown over time as more Internet of Things (IoT) and medical devices have been added, even though such devices are rarely secure by design. The current cyber security skills shortage also means there is a lack of expertise to help manage this widening attack surface.
Patients deserve quality care that sustains strong physical, intellectual and emotional health outcomes. The protection of their healthcare data is an essential component of that. A cyber attack has the potential to affect a given individual’s or population’s physical health, and it may cause social and emotional difficulties should personal information become compromised and find its way into public view. In fact, patients are currently suing One Brooklyn Health after the organization was breached by cyber criminals who leaked patient data. The patients are concerned that they are now at greater risk for fraud, identity theft, misappropriation of health insurance benefits and more.
The good news
Recently, the FDA announced new guidelines to secure medical devices against cyber attacks. Manufacturers of connected medical devices — Internet of Medical Things (IoMT) — now need to submit a plan detailing how they will monitor, identify and address cyber security issues, in addition to providing “reasonable assurance” that the devices are protected. Ensuring that IoMT devices are secure by design adds an extra security layer, easing the burden on healthcare CISOs and IT leaders.
In recent conversations with healthcare CISOs, the desire to understand how to secure the health of everyone, everywhere, with certainty was clear. The conversations are ongoing, and there is a strong culture of collaboration in the industry, with the sharing of best practices and lessons learned about how to take action. We understand the importance of good health and remain dedicated to protecting our healthcare institutions and providers.
By taking a prevention-first approach to protecting hospitals, providers and patients, we can stop the disruption and destruction. Clinicians shouldn't have to worry about whether they will be able to access digital medical records or whether they can rely on their medical instruments. Improving care outcomes for patients is already a big task. And patients shouldn't have to worry about undue and uncontrolled risk to their health or health records. As physicians often say, an ounce of prevention is worth a pound of cure.
Cindi Carter is a Field Chief Information Security Officer at Check Point Software Technologies. She previously served as Chief Security Officer at MedeAnalytics and as Deputy CISO at Blue Cross and Blue Shield of Kansas City.