We Have Met the Enemy, and He Is Us
By: Axel Wirth
July 20, 2021
Categories: AAMI News, HTM Professionals, Medical Device Manufacturers
Cybersecurity: Quo Vadis?
Watching what is happening right now in the world of cybersecurity is, admittedly, making my head spin. For years, we have seen attacks becoming more sophisticated, the number of breaches increase, and businesses suffering steep losses due to cyber incidents. Yet, what has happened in the past 12 months has been on an entirely different level—think SolarWinds (twice now), Colonial Pipeline, or Kaseya, just to name a few examples. We have entered a new realm of attacks of unprecedented scale and with unmatched impact and consequence.
Not surprisingly, pressure to improve cybersecurity is growing both domestically (e.g., by the U.S. government) and internationally (e.g., in Japan). Here in the U.S., a recent Executive Order (EO) addresses a wide range of needed improvements, from policy over transparency and technology to improving response capabilities and supply chain security.
It is no surprise that healthcare is one of the industries called out in the EO, though none of the funding under the EO would target improvements in the healthcare sector directly. This specifically was called out by the Healthcare and Public Health Sector Coordinating Council (HSCC), which stated in its response that “the healthcare sector faces an urgent need to strengthen the cybersecurity of healthcare and public health data, medical technology and information technology systems.” HSCC further added: “Cybersecurity incidents are a threat not only to national security, they also jeopardize patient safety, as attacks can cause denial of service, medical device corruption, and data manipulation that directly impact clinical operations, patient care and public health. In addition, healthcare data and information remain lucrative targets for theft and exploitation, particularly through ransomware attacks and COVID-themed social engineering by criminal groups and adversarial nation states.”
Ransomware and then Some
Ransomware attacks on healthcare organizations, and its ugly cousin extortion, have skyrocketed and are causing disruption and financial loss. Yes, we have seen occasional law enforcement success in taking down cyber adversary organizations or recover payments, but these successes are far and few in between.
Paying the ransom has resulted in a mere 8% of victims getting all their data back and 29% being able to recover half their data. And, to make matter worse, an estimated 80% of victims suffer a repeat attack, either because the attacker left “hooks” behind or the vulnerability that was exploited in the first attack was never properly remediated. Regardless, ransomware victims usually look at weeks of recovery efforts, impact on care delivery, and consequently steep financial losses.
|Ransomware is often spread through phishing emails that contain malicious attachments.|
The Problem Is Not Only Technical
An old dogma in cybersecurity is that good cybersecurity requires an approach of “People, Process, and Technology.” The key in this statement is the phrase “and”—meaning that it takes a balanced approach of all three. This is a complementary approach, and a shortcoming in any one of these areas cannot be compensated by the other two. For example, an underinvestment in security technology cannot be compensated for through people and process (and vice versa).
But also, all three span the range from strategic to tactical. “Technology” requires a good strategy and solid tactical execution (security operations). “Process” needs to cover the range from high-level governance to specific tasks like incident response. And “people” means everybody, no matter their role (technical or clinical) or whether they are an individual employee, strategic decision maker, or board executive. Only an organization that understands security as a risk to its business objectives (which, in healthcare, includes care delivery and patient safety) will succeed.
Another challenge is the lack of consistency in security. We are currently lacking a consistent approach, as, for example, some aspects of security in healthcare are governed by the Health Insurance Portability and Accountability Act (HIPAA) and others by the Food and Drug Administration (FDA), regulating providers and medical device manufacturers, respectively. This results in regulatory and enforcement gaps—for example, a recent Office of the Inspector General (OIG) report concluded that “Medicare Lacks Consistent Oversight of Cybersecurity for Networked Medical Devices in Hospitals.” Food for thought.
As a cybersecurity expert, I try to walk a fine line in the way I communicate. Cybersecurity education is an important part of what I focus on, and I hope I am contributing to making this a better world by providing insight on good security practices and resources. We discussed this in more detail in our recent presentation at the AAMI Exchange (Grimes, Wirth, “Preparing for the (R)Evolutionary Changes Coming to CE/HTM Education”, June 9th, 2021). But I also need to talk about the growing cyber risks and analyze examples of incidents—which, I realize, can sometimes be interpreted as spreading FUB (fear, uncertainty, and doubt). However, I willingly accept the occasional criticism, as I believe that complex and pervasive problems cannot be solved by not talking about them.
Trying to make a problem go away by ignoring it did not work in the global pandemic, is not working for climate change, and will not work for cybersecurity. Instead, we should look at examples where the honest acceptance of a crisis and an all-community approach to solving it has produced results. The often-quoted examples is aviation, where a combination of regulation, enforcement, voluntary collaboration, and analysis has created what is now one of the safest modes of transportation.
We are only at the beginning of this process in healthcare. A recent study found that 73% of health systems, hospitals, and physician organizations assessed their infrastructures as unprepared to respond to cyberattacks. The report further stated that 96% of information technology (IT) professionals confirmed the sentiment that attackers are outpacing the ability of their enterprises to rebuff them, while the talent shortage for cybersecurity professionals continues unabated.
FUD or not, no matter if you are an executive and decision maker at a manufacturer, healthcare delivery organization, or government entity or are a technical specialist fighting the daily trench battle, we have to stop burying our head in the sand (which even ostriches don’t do, in spite of the myth) and recognize cyberthreats for what they are—an existential threat to the healthcare industry.
Improvements are happening, no doubt, and I think that culturally the healthcare industry has the right mindset and is heading in the right direction. However, turning culture into action and results will require hard work and patience and I will not stop complaining until the data show us that we are making progress.
Time to roll up our sleeves—the longer we wait, the more difficult it will get.
Axel Wirth, CPHIMS, CISSP, HCISPP, AAMIF, FHIMSS, is the chief security strategist at MedCrypt in San Diego, CA. Email: email@example.com