
Industry takes: Keeping healthcare businesses cybersecure

Industry experts weigh in on key cybersecurity dangers in healthcare following attacks on Change and Ascension. Isaac Hanson reports.


Cybersecurity is vital for all industries, but there are few in which a breach has more impact than in healthcare. 

Threats like patient data leaks and attacks affecting vital hospital machinery can have major impacts on patients’ lives. Due to confidentiality and liability clauses, they can also be disastrous for healthcare providers. 

Attackers know this, and, combined with the outdated software many hospitals still run, it makes hospitals and healthcare administration services tempting targets. 

It's something of which the industry is well aware. According to GlobalData, the parent company of Hospital Management, cybersecurity has been the 8th most mentioned theme in healthcare company filings for the past eight years, racking up 57,404 mentions in 2023 alone. Awareness alone is not enough, though. 

An FBI report found that cyberattacks on hospitals are increasing at an alarming rate, and a survey performed in January suggests that the ability of healthcare providers to defend against these attacks may in fact be falling. 

This year, there have already been two major attacks on healthcare providers. Change Healthcare, the payments manager owned by UnitedHealth, was attacked in February, locking practices out of payments for insurance claims. The damage has threatened many practices with closure and reportedly cost the company $22m to fix. 

Earlier this week (8 May), private healthcare provider Ascension was also hit by an attack, though few details are known at this time. 

In light of these attacks, Hospital Management has reached out to cybersecurity experts in the field to hear why companies need to make cybersecurity a key priority, and how they can stay safe. 

Administration and legislation concerns

Due to the highly sensitive nature of healthcare records, most of the world has strict regulations for confidentiality. A records breach can therefore cost more than just a ransom if it falls foul of legislation like HIPAA (US) or GDPR (EU/UK). 

On the wider regulatory consequences of an attack, Victoria Hordern, partner in Taylor Wessing's technology, IP and information team, explains: "Keeping health data secure in our technology-charged world is not an easy feat. Companies have lots of new rules from both a UK and EU perspective to get used to – like the recently enacted security requirements under the UK Product Security and Infrastructure Act and the forthcoming EU Network and Information Security Directive (NIS2).  

“The UK's Product Security and Infrastructure Act (through its regulations) requires manufacturers to comply with a higher standard of security, concerning aspects like the setting of default passwords on devices. The EU's NIS2 imposes obligations on a broader range of companies who will be required to carry out additional security measures such as risk assessments and timely reporting to a Computer Security Incident Response Team (CSIRT) if a significant security incident occurs. 

“Non-compliance with NIS2 will result in hefty fines. But not only that, increasingly devices and apps that provide healthcare are in the hands of patient users and are being influenced by the impact of new AI technologies. Where there is a multiplication of devices and a variety of different parties involved (i.e. NHS trusts, healthcare providers, tech support), there are also more points of weakness and vulnerability where bad actors can seek to gain entry into and control systems. 

“A health data repository is a tantalising prospect for a cyber criminal intending to carry out a ransomware attack since they know that a healthcare body will be paralysed if it can't access data to provide patient care. Just witness the recent chaos caused to US hospitals and medical providers by the successful cyber hack of Change Healthcare, the largest billing and payment clearing house in the US, which reportedly could cost the company as much as $1.6bn. 

“Consequently, health companies and public sector health bodies should regularly test for potential vulnerabilities within their security infrastructure. But it's not just checking technical aspects and system design. It's also testing the resilience and understanding of staff to identify and not fall victim to phishing attempts and to spot where activity on a network doesn't look right.” 

Medical devices as attack vectors

It is also vital to remember that any internet-connected device can act as an attack vector. To stay safe, hospitals need to protect not only patient data but also the lifesaving machinery on their networks. 

Mohammad Waqas, CTO of Healthcare at cybersecurity firm Armis, explains: “In 2023 alone, healthcare organisations saw a consistent month-over-month increase in attack attempts of 13%. Costs of healthcare breaches soared, and the UK’s healthcare sector saw an average of 1,383 cyberattacks per week. This constant barrage of attacks has resulted in millions of patients having their privacy violated, jeopardising trust in the healthcare system and potentially delaying critical care.  

“The rapid proliferation of connected medical devices, from infusion pumps and patient portals to media writers and imaging equipment, has created a vast and vulnerable attack surface. Nurse call systems have been identified as one of the riskiest medical and IoT devices in clinical environments, with 39% having critical severity unpatched CVEs and almost half (48%) having unpatched CVEs.   

“More worryingly, millions of medical devices in NHS Trust hospitals across England are either incapable of running security software or rely on EoS versions. In many cases, they’re totally unmonitored. Therefore, healthcare organisations must consider the criticality of assets within the care process. Not all devices are equal – an infusion pump in an ER carries a higher risk than one in a day clinic. Only by understanding and seeing all potential vulnerabilities, can organisations prioritise remediation efforts and effectively mitigate risks. 

“This means having complete visibility and security for all connected medical devices, clinical assets and the entire healthcare ecosystem. Other steps include segmenting the network and creating barriers between critical systems and older devices to help contain potential breaches and limit the damage attackers can inflict. Implementing best practices like strong passwords, firmware updates and access control – alongside complete visibility of the attack surface – can improve cyber hygiene and make organisations less vulnerable.” 
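Two of the points above, Hordern's call to spot "where activity on a network doesn't look right" and Waqas's advice to segment older devices away from critical systems, come together in a simple control: define what a clinical-device segment is allowed to talk to, then check observed flows against that policy. The script below is an added example written for this article, not code from Armis, Taylor Wessing or any hospital. The device VLAN (10.40.0.0/24), the server addresses, the enterprise range (10.0.0.0/8) and the flow-record format are all assumptions; only DICOM on TCP/104 and HL7 MLLP on TCP/2575 are conventional defaults. The sample flow records are constructed, not captured traffic.

```python
"""Flag legacy medical-device traffic that escapes its network segment.

Added example: a small allow-list policy for a clinical-device VLAN and a few
constructed, syslog/NetFlow-style flow records to run it against. Subnets,
hostnames, ports and the record format are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed segmentation policy: devices in this VLAN may only reach the services below.
DEVICE_VLAN = ip_network("10.40.0.0/24")          # infusion pumps, imaging, nurse call
ENTERPRISE = ip_network("10.0.0.0/8")             # assumed internal address space
ALLOWED_DESTINATIONS = {
    (ip_network("10.10.5.10/32"), "tcp", 104),    # PACS archive, DICOM
    (ip_network("10.10.5.20/32"), "tcp", 2575),   # integration engine, HL7 MLLP
    (ip_network("10.10.5.0/24"), "udp", 123),     # NTP from the clinical server subnet
}

# Assumed flow-record layout: "<ts> src=A:port dst=B:port proto=tcp|udp bytes=N"
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>tcp|udp)\s+bytes=(?P<bytes>\d+)"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one flow record; return None for lines that do not match the layout."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    return Flow(m["src"], m["dst"], m["proto"], int(m["dport"]), int(m["bytes"]))


def is_allowed(flow: Flow) -> bool:
    """True if the flow matches one (network, protocol, port) entry on the allow-list."""
    dst = ip_address(flow.dst)
    return any(
        dst in net and flow.proto == proto and flow.dport == port
        for net, proto, port in ALLOWED_DESTINATIONS
    )


def find_violations(lines):
    """Return (flow, reason) for device-VLAN egress that the policy does not permit.

    Only flows leaving the device segment are policed here; traffic that stays
    inside the VLAN and traffic entering it from elsewhere are separate decisions.
    """
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue                                 # unparseable line, skip
        src, dst = ip_address(flow.src), ip_address(flow.dst)
        if src not in DEVICE_VLAN or dst in DEVICE_VLAN:
            continue                                 # not device-segment egress
        if is_allowed(flow):
            continue
        reason = "not on allow-list" if dst in ENTERPRISE else "outside enterprise address space"
        violations.append((flow, reason))
    return violations


# Constructed sample records (not real hospital traffic).
SAMPLE_FLOWS = [
    "2024-05-08T10:01:02 src=10.40.0.17:49213 dst=10.10.5.10:104 proto=tcp bytes=182044",  # scanner -> PACS, fine
    "2024-05-08T10:01:05 src=10.40.0.21:50011 dst=10.10.5.20:2575 proto=tcp bytes=2210",   # pump gateway -> HL7, fine
    "2024-05-08T10:01:09 src=10.40.0.21:50012 dst=10.20.1.5:445 proto=tcp bytes=93120",    # pump gateway -> corporate SMB
    "2024-05-08T10:01:11 src=10.40.0.33:44100 dst=198.51.100.7:443 proto=tcp bytes=5122",  # nurse-call panel -> internet
    "2024-05-08T10:01:12 src=10.40.0.33:44101 dst=10.40.0.2:8080 proto=tcp bytes=640",     # stays inside the VLAN
    "2024-05-08T10:01:15 src=10.20.1.9:60000 dst=10.40.0.17:104 proto=tcp bytes=700",      # inbound from corporate
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} ({reason})")
```

Run against the constructed records, the check reports the pump gateway reaching a corporate SMB share and the nurse-call panel reaching a public address, and stays quiet about the DICOM and HL7 flows the policy permits. The same allow-list is what should be enforced on the segment's firewall; running it as a detection over flow logs as well catches the cases where the firewall rule was never written or was quietly relaxed.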

These thoughts are echoed by Spencer Starkey, VP of EMEA at cybersecurity firm SonicWall, who sees medical equipment and telehealth platforms as a key target for future hacks. 

“Internet-connected medical equipment can be expensive,” Starkey says. “When a hospital invests in a new device, they expect it will give them many years of use. But what happens when the original device maker stops developing updates for it? It’s not always as easy as buying a new one, especially if said device costs hundreds of thousands of dollars. 

“Suddenly, that priceless device has become an inexpensive threat vector. In 2024, we expect to see an increase in medical device hacks that will enable cybercriminals to target medical devices to steal patient data, disrupt healthcare operations or even harm patients. We believe we'll also see threat actors targeting telehealth platforms.  

“Telehealth platforms are becoming increasingly popular, and cybercriminals are taking notice. A compromised telehealth platform can enable a bad actor to steal patient data, disrupt healthcare operations and even impersonate healthcare professionals. Healthcare organisations need to take steps to secure their telehealth platforms and protect patient data.” 

What can be done?

While there are some very basic steps that all healthcare providers should adopt – including investing in cyber insurance, something Change Healthcare went without – a robust approach requires rather more involvement. Eoghan Casey, VP for cybersecurity strategy and product development at software-as-a-service (SaaS) provider Own Company, offers a checklist: 

  1. Perform regular electronic protected health information (ePHI) check-ups. Like regular check-ups with your doctor, routine risk analysis of your SaaS data helps identify gaps in your security posture before a successful attack exploits them. 
  2. Maintain ePHI Health and Hygiene. Although SaaS providers are responsible for the security of their platform, it is up to the customer to protect their data. The first line of defence against unauthorized access to ePHI is multi-factor authentication and restricting API access. Routinely backing up mission-critical SaaS data to a secure third-party system is essential to recover from incidents, including data loss and corruption.
  3. Diagnose ePHI problems and misuse. An ongoing challenge is to prevent people from putting ePHI at risk. The solution is a combination of raising awareness and routine monitoring. Effective data breach and data loss prevention starts with employee education. It’s critical that all staff members understand evolving data security risks and are well-equipped to prevent an outside attack.
  4. Address problems promptly. When it comes to cybersecurity protection, take inspiration from the ultimate defender: the human body’s immune system. Similar to an infection, organizations that experience a serious cybersecurity incident learn from the experience, creating digital antibodies that improve their data security posture and incident response capabilities. An effective approach to building incident preparedness without actually suffering a major disaster is to conduct periodic exercises that test response processes.
  5. Cultivate operational continuity. Being prepared for the worst-case scenario makes it easier to restore normal operations when something actually happens.
  6. Understand legal obligations. Healthcare providers are required by law to perform certain actions after experiencing a data breach. For instance, the HIPAA Breach Notification Rule includes notification of impacted individuals, informing Health & Human Services (HHS), and, under certain circumstances, publishing a press release for prominent media outlets, all within 60 days of discovering the breach.