Tag: cybersecurity

Reframe Cybersecurity Risk: Three Goals To Consider For 2020

By John Briar, founder, BotRx.


We tend to have a negative view of risk, regarding it as a danger to the business. But, it also presents opportunities to push boundaries. If we reframe risk as a change-maker, then what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving, or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.

Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record amount of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and sell for up to $1,000 each.

Now, healthcare organizations can’t stay stagnant in implementing protections.

The reality of highly-regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dry, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk is on a spectrum that requires a holistic cybersecurity strategy to appropriately prioritize and mitigate risk according to what is deemed as acceptable.

To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning:


Addressing Cybersecurity Pain Points In IoMT

By Steeve Huin, vice president of strategic partnerships, business development and marketing, Irdeto.

The Internet of Things (IoT) market is booming, with IHS Markit forecasting there will be 73 billion connected devices in use around the world by 2025. IoT technology has moved beyond speakers and smart fridges and is increasingly being utilized for critical applications across the healthcare industry, such as pacemakers, insulin and infusion pumps and medical imaging systems.

This Internet of Medical Things (IoMT) is subsequently opening up a new world of possibilities to improve upon patient care, while also improving operational productivity and effectiveness. However, as the proliferation of connected and complex medical devices grows, healthcare providers are more susceptible to cyberattacks.

The key challenge is that cyber criminals often operate as businesses themselves and will focus on targets that will provide the greatest return on their hacking investment. Therefore, as the healthcare sector becomes increasingly connected, we could see an extremely costly impact of IoT-focused cyberattacks, if security is not prioritized. Insecure devices, and potentially companion apps, present a variety of risks to safety and privacy in a critical industry such as healthcare.

The IoMT Threat Landscape

Unfortunately, cyberattacks are already an all too common reality for many organizations in the healthcare space. A recent survey by Irdeto of security decision makers in the healthcare, transport and manufacturing sectors, found that 82% of healthcare organizations have experienced an IoT-focused cyberattack in the past year, with 30% of attacks resulting in compromised end-user safety.

IoT devices are often targeted by cybercriminals as they are much easier to compromise than businesses’ more sophisticated perimeter cyber defenses. The problem is that growth in the use of IoT has far outstripped the increase in trained professionals emerging. As a result, healthcare organizations often don’t have the expertise internally to ensure the connected devices they are using within their organizations are secure.

The research also emphasized this point, revealing that only 6% of healthcare organizations have everything they need to tackle IoT cybersecurity challenges, with an urgent requirement for increased skills and more budget for security identified. In addition, the research found that 98% of respondents in healthcare organizations believe the cybersecurity of IoT devices could be improved and one in four manufacturers of IoT devices for healthcare only update the security of devices they manufacture while they are in warranty.

These alarming findings, combined with reported cyber incidents to critical connected devices in the last few years, make for worrying reading. For example, in the last two years we have seen pacemakers recalled to install a critical patch to update firmware against cybersecurity issues, as well as cybersecurity warnings for insulin pumps from the FDA and Health Canada.


6 Most Precarious Developing Medical Technologies

Modern technology can be seen as a blessing and a curse, especially when it comes to the technology used in healthcare. Some of the medical technological advancements seen today are astonishing. They are there to improve our quality of life and to make us live longer, healthier lives, but everything good comes with risks. The technology we deal with today is rapidly developing and as it does, new threats are being presented to both doctors and hospitals. Today, we will be taking a look at six technologies currently being developed that could potentially become hazardous in the field of medical technology.

Network Shutdown

As we become more and more reliant on electronic medical records, the susceptibility of a hospital suffering a cyberattack or struggling because of a network failure is continuing to increase. To reduce the risk of this happening, all hospitals will need to have an extremely complex network security system that is resistant to hackers. They also need to make sure they have back-up files in case they have to deal with network failure.

Telemedicine

Telemedicine is the practice of remote patient care, so the patient and the provider won’t be physically present with each other. This modern technology has been developed to enable consultations with patients over easy and robust telemedicine software. Although this is convenient, it may create challenges when trying to ensure the quality of care. If things go wrong, then a lawsuit could be filed for medical negligence. In these cases, a Miami medical malpractice attorney should be contacted.

Wearables

Recently, there has been a huge development in medical device technology and there is a wide range of medical devices on the market. These wearable sensors are constantly transmitting a vast amount of health information to doctors. This has already been proven to increase the expectations of patients because they believe doctors are constantly monitoring and will act upon this.


The Most Overlooked Cyber Security Threat: Network Printers

By Jim LaRoe, CEO, Symphion, Inc.


The trend in cybersecurity news is to focus on the latest buzz words like artificial intelligence, blockchain, ransomware, denials of service or HIPAA fines. Recent hacks are front page news. Trends also include the increasing cybersecurity regulatory mandates such as state laws providing private consumer rights (class actions) against offending healthcare providers and their officers and directors. Another hot topic is the dearth of cybersecurity skills.

CISOs and other business leaders responsible for security of ePHI and business continuity are the intended audience and are being inundated with the tornado of cyber security trends—much of which is vendor driven.  They’re also being pulled in many different directions internally with competing priorities. At a recent panel discussion of CISOs at Northern California HIMSS’ CXO Summit, one busy CISO described how he is repeatedly added to committees on all sorts of different subjects, some of which he had never heard of.

Whitepapers discussing the “top 10 priorities” or “top 10 trends” are commonplace. They’re usually vendor driven and focus largely on the most prevalent asset type — computers. That is, desktops, laptops and servers, with the emphasis on perimeter security or internal threats from user behavior, including training users not to click on suspect emails to prevent phishing attacks.

Overlooking Second Most Prevalent Asset Type — Printers

But no one is talking about, or including in the top 10 lists, the second most prevalent asset type in all healthcare providers’ IT enterprises — their printers. For some reason, networked printers (any device that creates an image, electronic or otherwise, including multi-function, single-functions, faxes, scanners, label printers, etc.) are not perceived as the same risk as other computers, even though in the past few years there have been reported hacks of 50,000 to 150,000 networked printers. Also, a research house exposed that faxes can be easily exploited to hack printers and the corporate networks where they reside.

Why is this trend not hot on the minds of top security professionals? It could be because of the origins of today’s modern business printers as “dummy copiers” or the fact that they are often not procured or managed by the information technology department or visible to the information security department.  Or, it could be because vulnerability management, intrusion detection and information security consulting vendors driving today’s messaging do not include printers in their solutions.

Little Known Facts about Print Fleets

Whatever the reason, here are a few important facts that you should know about almost all printers in healthcare:

  1. Printers are mission critical to patient care and part of providers’ tier one applications.
  2. Printers are everywhere. There can be as many as one printer to one employee or between 1:6 and 1:10.
  3. Printers are often accessible or visible in public areas and not in protected data centers or offices like many other computers.
  4. They aren’t assigned users like desktops or laptops, or system administrators like servers in data centers.
  5. Printers have built-in security settings, but they are not being set or maintained.
  6. HIPAA requires that all printers be included in the comprehensive risk analysis and cyber hardened for security of ePHI regardless of make, model, age or type.
  7. Printers are shipped and regularly deployed and maintained on networks with factory default settings, including published factory default administrator passwords, which enable bad actors to take control of them.
  8. Even if security settings on printers are set at time of deployment, they get unknowingly reset back to factory defaults (turned off).

Why Act Now to Secure Printers?

The easiest answer: because it’s the law (HIPAA) and you’re exposing your company to serious and long-lasting financial risk if you are not acting now to secure (and keep secured) all the printers in your print fleet. Also, other regulations that go beyond HIPAA mandates are being regularly enacted, exposing companies to even more severe penalties.


Not Just A Band-Aid: Medical Centers Across The Country Take On Cybersecurity

By Pedro Vidal, vice president, Cylance.

It’s no secret that cyberattacks are escalating, rising in tandem with the growing sophistication of technology. One industry that has taken a massive hit by cyberattacks in recent years is the healthcare industry. The healthcare industry is increasingly reliant on technology and data connected to the internet, such as patient records, lab results, radiology equipment and hospital elevators. Now imagine if a cybercriminal encrypted an entire hospital’s data with a nasty ransomware. Doctors would be unable to pull up a patient’s medical records, or worse, utilize equipment connected to the internet to make a proper diagnosis.

Unfortunately, this is the reality that healthcare industry professionals are facing today. And while 92% of healthcare organizations are confident in their ability to respond to cyberattacks, there is a plethora of malicious activity that poses a great threat to their networks. Here are the main cybersecurity challenges faced by the industry today:

The Rise of Ransomware

You might recall the WannaCry attack of 2017, the ransomware worm that attacked hospitals as well as other industries by exploiting a weakness in Windows machines. This worm infected thousands of computers around the world and threw the United Kingdom’s National Health Service into chaos. This led the Health Care Industry Cybersecurity Task Force to conclude that healthcare cybersecurity was in critical condition.

Why was the healthcare industry so impacted by this cyberattack? Many hospitals struggle to keep up when it comes to upgrading their operating systems due to the sheer volume of devices on the network. Moreover, much of the software in a medical-specific device is often custom made, making system upgrades difficult. Additionally, manufacturers tend to avoid prematurely pushing out modifications that could potentially impact patient safety. For these reasons, medical machines continue to exist with outdated software, putting them at greater risk of cyberattacks such as ransomware.

Lack of Investment

Many organizations within the healthcare industry suffer from a lack of investment in cybersecurity solutions. Despite the number of breaches that occur, healthcare is behind other sectors when it comes to taking security measures. Only 4-7% of healthcare’s IT budget is allocated to cybersecurity, while other sectors allocate about 15% to their security practices. However, the finances associated with a cyberattack if these solutions aren’t put in place can take an even greater toll on an organization. Some hospitals and healthcare insurers see estimates of over $5 billion in costs as the result of cyberattacks on their systems. On top of the costs incurred finding a solution to fix these breaches, healthcare organizations then have to deal with fines from the Department of Health and Human Services Office of Civil Rights.

Securing Connected Devices

With the growing adoption of IoT, more and more devices are being connected and used in healthcare systems. However, as connected medical devices become more powerful and widely adopted, they become greater targets for malicious actors to exploit. According to the Cybersecurity in Healthcare report, over 16% of IT professionals can’t patch their own operating systems, leaving the network wide open for attack. Now imagine if a cybercriminal gained access to just one medical device on the exposed network. This could lead to the theft of sensitive patient data or even unauthorized access to an implanted device that could cause physical harm to the user.


Cost and Transparency Ranks As The Biggest Issue/Challenge Facing Healthcare Today

More than 100 C-Suite and director level executives voted and then ranked the top 10 critical challenges, issues and opportunities they expect to face in the coming year, during this week’s HCEG Annual Forum. The HealthCare Executive Group (HCEG), a 31-year old networking and leadership organization, facilitated interactive discussions around such issues in their 2.5 day marquee event in Boston.

Executives from payer, provider and technology partner organizations were presented with a list of over 25 topics. Initially compiled from webinars, roundtables and the 2019 Industry Pulse Survey, the list was augmented by in-depth discussions during the Forum, where  industry experts explored and expounded on a broad range of current priorities within their organizations. The HCEG Annual Forum concluded with HCEG Board Members announcing the results of the year-long process that determined the 2020 HCEG Top 10.

2020 HCEG Top 10 Challenges, Issues and Opportunities

  1. Costs & Transparency — Implementing strategies and tactics to address growth of medical and pharmaceutical costs and impacts to access and quality of care.
  2. Consumer Experience — Understanding, addressing and assuring that all consumer interactions and outcomes are easy, convenient, timely, streamlined,  and cohesive so that health fits naturally into the “life flow” of every individual’s, family’s and community’s daily activities.
  3. Delivery System Transformation — Operationalizing and scaling coordination and delivery system transformation of medical and non-medical services via partnerships and collaborations between healthcare and community-based organizations to overcome barriers including social determinants of health to effect better outcomes.
  4. Data & Analytics — Leveraging advanced analytics and new sources of disparate, non-standard, unstructured, highly variable data (history, labs, Rx, sensors, mHealth, IoT, Socioeconomic, geographic, genomic, demographic, lifestyle behaviors) to improve health outcomes, reduce administrative burdens and support transition from volume to value and facilitate individual/provider/payer effectiveness.
  5. Interoperability/Consumer Data Access — Integrating and improving the exchange of member, payer, patient, provider data and workflows to bring value of aggregated data and systems (EHR’s, HIE’s, financial, admin and clinical data, etc) on a near real-time and cost-effective basis to all stakeholders equitably.
  6. Holistic Individual Health — Identifying, addressing and improving the member/patient’s overall medical, lifestyle/behavioral, socioeconomic, cultural, financial, educational, geographic and environmental well-being for a frictionless and connected healthcare experience.
  7. Next Generation Payment Models — Developing and integrating technical and operational infrastructure and programs for a more collaborative and equitable approach to manage costs, sharing risk and enhanced quality outcomes in the transition from volume to value. (bundled payment, episodes of care, shared savings, risk-sharing, etc).
  8. Accessible Points of Care — Telehealth, mHealth, wearables, digital devices, retail clinics, home-based care, micro-hospitals; and acceptance of these and other initiatives moving care closer to home and office.
  9. Healthcare Policy — Dealing with repeal/replace/modification of current healthcare policy, regulations, political uncertainty/antagonism and lack of a disciplined regulatory process. Medicare-for-All, single payer, Medicare/Medicaid buy-in, block grants, surprise billing, provider directories, association health plans, and short-term policies, FHIR standards, and other mandates.
  10. Privacy/Security — Staying ahead of cybersecurity threats on the privacy of consumer and other healthcare information to enhance consumer trust in sharing data. Staying current with changing landscape of federal and state privacy laws.


Taking Healthcare Out of the Ransomware Hot Seat

By Marcus Chung, CEO, BoldCloud.


For the second straight year, ransomware attacks accounted for over 70 percent of all malware incidents in the healthcare sector, according to the recently issued 2019 Verizon Breach Investigations Report. Beazley reported that almost half of the ransomware incidents reported in 2018 involved healthcare companies, while CSO Online estimates that healthcare-related malware attacks will likely quadruple by 2020.

Adding salt to the wounds, a private practice in Battle Creek, Michigan, was forced to close its doors in the aftermath of a devastating healthcare ransomware attack in 2019—the first public report of a ransomware-related business failure. Every day we read about another headline breach in healthcare.

Being in the ransomware hot seat is a lot to swallow for an industry responsible for the security of our most sensitive data. And therein lies part of the problem. Cybercriminals are always after the most lucrative targets and they have learned that healthcare providers are more likely to pay the ransom to get their patients’ data back.

CEO of A1care, Percy Syddall, a 25-year healthcare veteran who helps grow and manage businesses in the Home Care field is sharing his story to help others avoid the business disruption and financial woes caused by cybercriminals. Syddall said, “I always strive to do what is best for my clients, which includes leveraging innovative technologies and maintaining the privacy of their personal data. Still, our company was attacked by ransomware, which almost forced us out of business. The cybercriminals threatened to expose private client data if we did not pay the ransom.”

“The hardest thing I’ve ever had to do was call each client and explain that the personal information they trusted my business to protect, may have been compromised. At that time, very little was known about ransomware and I ended up paying the ransom to get my client data back,” continued Syddall.

Even though medical records contain rich personal health information (PHI) that can be sold for high value, cybercriminals are discovering they can get faster payment through ransomware. Unlike stolen medical records that take time to acquire and commoditize, ransomware locks healthcare professionals out of critical systems and demands payment or immediate action.


The Plague of Data Breaches

It’s hard to overstate how much the internet has benefited society. It distributes knowledge to the world, it allows us easy access to myriad services, and it makes it easy to communicate with people the world over, bringing us all closer than ever before. And that’s just the basic things the World Wide Web provides.

But, wonderful though it may be, the internet also holds its own perils. Cybercrime has turned into one of the greatest threats to businesses and by extension the whole of society. In 2018, a hacking attempt took place somewhere in the world about every 40 seconds. Billions of dollars in damages are attributed to cyberattacks every year. The health industry has become a favored target for hackers, mainly because of patient data which is valued more than financial information.

It’s a sad fact, then, that many businesses do not take cybersecurity, the only line of defense against this online onslaught, as seriously as they should. Around half of all businesses admit that they do not consider cybersecurity a very high priority. 

That is a mistake that could cost a company everything. This infographic, brought to us by HostingTribunal, serves to warn everyone about the incredible danger that hackers pose. It lists all the most devastating and notorious cyberattacks to take place in recent history. These hacks caused monumental harm to their victims, and this visual journey details the exact extent of the damage as well as how the attacks happened — and lots more. So read on if you wish to learn about the biggest hacks in recent history.