In parts one and two of this series, we focused on the challenges and solutions to help hospitals and healthcare systems improve asset management and medical device security. In the final installment, we will cover why asset management alone is not enough.
In the evolving threat landscape facing hospitals and healthcare systems today, asset management—the process of creating an inventory of the devices connected to a network—is critical to identifying potential threats. With thousands of IoT and connected OT devices on a hospital’s network, and thousands more being connected every year, this has become increasingly difficult, but there are steps a hospital can take to improve asset management and visibility across the network.
However, with ransomware attacks on hospitals increasing 123% in 2020 and continuing to plague hospitals and healthcare systems throughout 2021, asset management alone is not enough to stop cybercriminals. Try as we might to keep hackers at bay, cybersecurity preparation and resiliency—not just prevention and threat detection—have become crucial components of a hospital’s cybersecurity strategy to ensure they can continue providing care in the event of an attack. If prevention is no longer enough, what does a robust cybersecurity program look like for hospitals, and how can you prepare?
Cyber resiliency—not just cybersecurity
A new buzzword has emerged in the cybersecurity space over the last several years: cyber resilience. This refers to an organization’s ability to bounce back and even continue to operate in the event of a cyber attack. With new and increasing cyber threats throughout the COVID-19 pandemic, resiliency—and not just prevention—has become all the more important.
With limited funds and resources to address cybersecurity threats, many hospitals and healthcare systems are not yet truly cyber resilient. Cybersecurity providers—including Cynerio—are partially at fault for placing too much emphasis on asset management without ensuring hospitals have the tools they need to mitigate attacks and continue patient care in the event of an attack. This can come with damaging or even deadly consequences in the event of a ransomware or other attack, with a recent Ponemon Institute report finding that ransomware can lead to increased mortality in healthcare environments.
Unfortunately, this has already become a reality for one hospital. Alabama-based Springhill Medical Center made headlines last year for a 2019 cyber attack that left healthcare providers without access to critical medical equipment and records. Without tools and resources, healthcare providers missed a newborn in distress, ultimately resulting in the infant’s death nine months later.
Preparing for a cyber attack
In light of these recent events, there are several steps and strategies hospitals can adopt to improve their cyber resiliency.
- Cybersecurity training: How do cybercriminals get into a hospital’s network? Often, through employees. Maybe they click a suspicious link or download a malicious file from an email, or they bring an unsecured device and connect to your hospital’s network. Education is key to helping employees recognize signs and practices that could leave your hospital vulnerable to cyber attack.
- Zero trust security: Zero trust is exactly what it sounds like—it is a cybersecurity model that eliminates implicit trust by restricting access to an organization’s network and the devices on it. Rather than allowing any user or device to join your network automatically, hospitals should require strict identity verification for all users and devices.
- Network segmentation: Network segmentation divides a network into multiple parts, with each segment acting as an isolated sliver of the network. More segments mean a more secure network, since they make traversing the network without authorization much more difficult for adversaries. Network segmentation can address the vast majority of critical device risks, yet most hospitals still operate on a flat network, allowing cybercriminals free rein to access critical data and resources once they’ve entered the network.
- Prepare for the worst: Even with the above steps, there is always a chance that cybercriminals will find a way into your hospital’s network to carry out an attack. This is why preparation is key. Just as you would carry out a fire drill to ensure staff are prepared in the event of a fire, you must make sure that all staff—both in and outside of the IT department—are aware of the steps to take in the event of an attack. As in the case of Springhill Medical, it is also important to ensure healthcare providers are either properly trained to continue providing quality care offline, or that a device remediation solution is in place to ensure devices can continue operating safely while under attack.
Prevention strategies, such as asset management, are still necessary for protection against cyber threats. But asset management alone is no longer enough to secure hospital networks. Cyber resiliency provides an added layer of protection to ensure operations can continue, patients remain safe and healthcare providers have the tools they need in the event of a cyber attack.
Moving forward, cybersecurity providers need to place a greater emphasis on cyber resiliency, providing hospitals with solutions to remediate and mitigate in the event of an attack. After all, with visibility alone, all hospitals can do is watch as an attack happens, when we need to give them the tools to fight back. In the new world of cyber threats, it could be the difference between life and death.