Cybersecurity and healthcare: When infosec is a matter of life and death
We’ve talked about how cybersecurity affects enterprises and schools. But there’s another sector that is increasingly being targeted by cyberattacks: healthcare. The stakes are more than just financial—a cyberattack on a hospital or healthcare facility could literally become a matter of life and death.
In this article we’ll take a look at the state of cybersecurity in the healthcare sector, and detail the unique challenges faced by information security teams working to keep our hospitals safe.
The scope of the problem
The healthcare sector is vast. The US alone has over 6,000 hospitals and more than 40,000 outpatient care centers. The industry employs a staggering 18 million people. Healthcare spending hit $3.6 trillion last year, and is poised to grow.
That combination of size, money, and headcount makes the healthcare sector extremely difficult to secure, while at the same time making it one of the most attractive targets for malicious actors.
It’s perhaps unsurprising, then, that healthcare led all industries in data breaches last year. And there’s more bad news on the horizon: Risk researchers at Moody’s predict an increase in the scope and sophistication of cyberattacks faced by hospitals and healthcare facilities.
Despite this, the healthcare sector still lags behind industries like finance, banking, and retail when it comes to investment in cybersecurity—with hospitals spending, on average, only 5% of their IT budgets on security. And while larger medical organizations may be able to allocate more resources to security in the future, the same Moody’s report notes that smaller regional hospitals and critical care facilities may lack the funding to do so.
What are the risks?
The most obvious risk of a cyberattack on a healthcare facility is privacy-related. Patient medical records contain the most sensitive of personal information, as well as things like names, birthdates, and Social Security numbers, all of which can be used for fraud and identity theft.
But beyond privacy and financial impacts, a successful cyberattack on a hospital could directly affect patient care as well—with potentially life-threatening results.
For one thing, healthcare, like virtually every other industry, is seeing a huge influx of networked devices—many of which are simply not designed with security in mind. Unlike smart TVs and refrigerators, however, networked medical devices like insulin pumps and pacemakers are directly responsible for keeping people alive. The results of a malicious actor interfering with the functioning of one of these devices could be tragic.
But an even more likely risk comes from ransomware, which is a popular form of cyberattack for malicious actors going after large, well-funded organizations like enterprises, governments, or, increasingly, hospitals. It makes sense from a hacker’s perspective: Freeze or disable vital systems that an organization needs to function, ask for a ransom that’s well within their budget, and profit.
But in a healthcare setting, a ransomware attack could disrupt emergency systems, render critical medical records unavailable, and generally make it impossible for doctors, nurses, and other healthcare workers to care for their patients while they wait for management or IT to decide what to do about the attack. In a field where a few minutes can mean the difference between life and death, ransomware attacks are not merely disruptive. They’re dangerous.
The challenges facing healthcare
Hospitals and healthcare facilities, by their very nature, present unique challenges for the information security professionals attempting to keep them safe. Three of these stand out as especially problematic.
A broad and changeable attack surface
Hospitals are, of course, packed with technology.
But much of it is highly specialized, made by a variety of obscure or even defunct manufacturers, making it much more difficult for infosec staff to gain visibility into what’s actually happening with these devices. This, in turn, makes it harder for them to monitor for suspicious behavior on their networks.
Additionally, some of the devices found in hospitals are simply quite old, and are running on unpatched legacy software or outdated operating systems, making them vulnerable to attacks. Compounding the problem is the fact that a great deal of medical equipment relies on embedded systems—and the hardware in these systems often requires extremely specific software environments in order to function. In other words, there are some cases in which patching or updating software could make a piece of medical equipment less stable, and affect its core functionality. Where a device cannot safely be patched, the practical fallback is to isolate it on its own network segment and restrict what can reach it, rather than leaving it both unpatched and exposed.
Beyond this, hospitals contain huge numbers of connected medical devices (by some estimates, 15 to 20 per room). As mentioned above, many of these are not built for security, and prove difficult to integrate into a secure network. Additionally, device manufacturers will often offer free samples or demo models to physicians, so devices can appear on the network without ever passing through procurement or IT, making it even harder for security teams to keep track of the endpoints on their networks.
A large and non-technical staff
Healthcare facilities require an extraordinarily large staff in order to function. There are, of course, patient-facing medical workers like doctors, nurses, medical technicians, and orderlies. But there are also large numbers of support staff as well, from building maintenance and food service workers to administrative and medical billing groups. Truly large hospitals may have marketing, legal, and public relations offices on the premises as well.
That’s a lot of people coming and going on any given day, which creates an environment in which physical device security becomes almost impossible to guarantee. What’s more, outside of the actual IT department, few of these people have technical backgrounds in computer science or programming—or even basic cybersecurity training. Simple phishing or social engineering attacks may be all it takes for a threat actor to access the network.
An industry stretched thin
Healthcare is changing, as is the world around it. The economic realities of the medical and insurance industries, coupled with an aging population, have led to a serious shortage of nurses and doctors in hospitals and healthcare centers across America.
As a result, organizations are being forced to do more with less. Many in the medical profession feel overworked and overwhelmed, and are doing all they can just to keep up with their day-to-day responsibilities. This situation makes it extremely difficult for security teams to ask frontline medical workers to make cybersecurity a top priority—even when it should be.
Healthcare clearly faces some major challenges in the coming years. But if there’s a silver lining in all of this, it’s that the seriousness of the problem has attracted the attention of people with the power to do something about it.
The FDA has taken note of the cybersecurity issues caused by medical devices, and has issued stronger guidance for device manufacturers in order to protect patients. And hospitals themselves are projected to increase their spending on cybersecurity in response to the threats they are facing.
So while there is much work to be done, there are some signs that—at least on the cybersecurity front—the big ship of the healthcare industry is slowly moving in the right direction.