2021’s Top Healthcare Cybersecurity Threats, What’s Coming in 2022

Cybersecurity is an area that has always been of great concern for healthcare organizations, and has continued to be so throughout the COVID-19 pandemic.

By Kevin Martez. Published 2 years ago. 7 min read.
In fact, those responsible for these attacks have sought to take advantage of the global chaos in order to wreak further havoc on healthcare.

These attacks, in particular the DarkSide ransomware group’s attack on Colonial Pipeline, have spurred the US government into action. Days after the aforementioned attack, President Biden issued an executive order fast-tracking a number of federal initiatives aimed at dealing with cybersecurity threats. This was soon followed by meetings with other world leaders and government-wide cybersecurity initiatives.

Chatting with HEALTH IT Security, EY Americas Life Sciences and Health Cybersecurity Leader Elizabeth Butwin Mann had this to say: “Cyber has become dinner table conversation. Every executive knows that cybersecurity is an issue. Our parents and grandparents know that cybersecurity is an issue. It's not a hidden back-office topic anymore.”

Mann further suggested that the unpredictability of the pandemic, in addition to vulnerabilities in medical devices, were some of the leading healthcare cybersecurity challenges of the past year. However, organizations can still put themselves in a better position entering 2022 by learning from the threats faced in the past year, creating and implementing better cybersecurity threat response plans for EHR and EMR systems, and investing in cybersecurity.

THE IMPACT OF COVID-19 ON HEALTHCARE CYBERSECURITY

One of the major difficulties introduced by the pandemic was the change in how people work. “One of the things that cybersecurity professionals rely upon is knowing what normal looks like,” Mann said, “And suddenly there was no way to know because what was normal was gone.”

Due to this shift in the landscape, over 500 providers suffered ransomware attacks in 2020 as the pandemic was beginning to take hold.

“Unfortunately, criminals don't seem to care that there's a crisis going on,” Mann posited. “Ransomware attacks are incredibly powerful, and they work. The more ransoms get paid, the more attackers use those techniques to continue.”

While ransomware attacks are in no way limited to just the pandemic, cybercriminals are well known for taking advantage of exactly the type of chaos the world has been in recently. With networks in disarray, it becomes easier for these attacks to succeed without administrators noticing or having the time to respond.

According to the FBI, paying these ransoms only incentivizes these criminals to continue with their attacks, and there is no guarantee that the data will even be returned. Healthcare organizations are particularly at risk from these attacks, as patient safety is often threatened.

“Stealing healthcare data is much more lucrative than stealing credit cards. So, they keep stealing them,” Mann explained. “And when you're under pressure, especially during a global pandemic and dealing with so much intensity on the care side of things, ransoms get paid.”

The pandemic created a perfect environment for cybercriminals to grow their networks, whilst simultaneously carrying out a disproportionately large number of attacks. According to Mann, this shows that ransomware organizations have improved their efficiency and sophistication, taking advantage of the fact that people were logging into work networks from home.

“People are logging in from home, from vacation homes, from wherever. So that expands the attack surface. Then, when we saw things like the SolarWinds breach take place, we started to become more aware of the fact that the providers who give us devices, software, and hardware are included in our attack surface now,” Mann observed.

“With a larger attack surface, the vulnerability goes up because the institution doesn't have control of everything that they're exposed to.”

As a result of these changes, the pandemic has seen a far larger number of successful attacks than any preceding period of a similar length.

MEDICAL DEVICE SECURITY VULNERABILITIES

Ransomware is, of course, not the only threat healthcare organizations face from a cybersecurity perspective. Medical device security has also faced increasing scrutiny, with McAfee researchers discovering vulnerabilities in two types of B. Braun infusion pumps just this past August. These vulnerabilities could allow hackers to double the dose of medicine being delivered to patients, putting them at serious risk.

This discovery served to highlight how vulnerable healthcare organizations could be to attacks on their devices, with the US Food and Drug Administration issuing a Class 1 recall on all Medtronic MiniMed remote controllers for similar reasons, in early October. While there were no reports of any incidents at the time, the manufacturer had discovered that the device was susceptible to unauthorized use.

With devices becoming increasingly portable, and many being implanted into patients, the vulnerabilities they introduce to the networks they operate on are only growing. Their portable nature also makes it difficult for healthcare organizations to keep tabs on all of the devices that are active on their networks.

“It's not only the device themselves, but also the manufacturing distribution of those devices,” Mann explained. “The attack surface encompasses the entire medical device supply chain. I think that the medical device manufacturing industry recognizes this. We see a lot of things improving, but we also recognize that a lot of older devices cannot be patched. There’s the cost factor and healthcare implications as well.”

While the innovation and advancement that medical devices have seen in the recent past are positive, there also needs to be recognition that these innovations are worthless if they compromise cybersecurity.

THREATS TO TRACK IN 2022

The unfortunate reality is that ransomware, phishing and vulnerabilities in medical devices will continue to threaten healthcare organizations as we move into 2022 and beyond. There are still, however, steps that can be taken to somewhat mitigate the risks.

Mann stresses the importance of continued investment in cybersecurity, counseling organizations to include it in their annual budgets. “My hope is that as dinner table conversation progresses, this notion of prioritization will improve,” Mann emphasized.

“I think we're seeing a little bit of catch up, and we’re seeing boards of directors asking many more questions. Executive orders are coming out of the White House, and agencies are putting out specific guidelines.”

Recent research by CyberMDX and Philips found that most hospitals still fail to identify cybersecurity as a priority for investment, despite the risks and extreme costs associated with a cyberattack. The mean annual IT budget for midsized hospitals was around $3.5 million, with large hospitals spending $3.1 million. Spending on IoT and medical device cybersecurity averaged $293,000 for the former group and $329,000 for the latter.

Events have shown, however, that this is still far too low. Healthcare organizations must reorganize their spending priorities to place a greater emphasis on cybersecurity, though this will not be easy in the short run. The pandemic has already stretched most budgets far too thin, making large investments in any area difficult to sanction. Just as important as this investment, however, is creating and implementing an incident response plan.

“Be prepared, practice, pull together a team, understand what you would do if you get hit and devices are down and access is cut off,” Mann suggested. “Do you know who to call? Do you have someone on retainer? Do you have help that you can access at a moment's notice? Do you have an industry team that you can reach out to? What do you have that would allow you to respond and recover as quickly as possible? If you can't build the defenses, at least build the resiliency so you know what to do.”

Preparing for known threats will remain important; however, organizations must also be wary of any new threats that may be on the horizon. An area that might be under threat in the near future is medical research, Mann suggested: “I think that the research environment is an area that is increasingly vulnerable as we move to virtual clinical trials and increased collaboration. I think there's a tremendous amount of transparency to the public about what's going on in medical research, which is a good thing for care. But it's also an exposure when it comes to attacks.”

As we continue to deal with attacks in 2021, we must be aware that continued innovation will always bring with it newer risks and vulnerabilities, providing cybercriminals with newer avenues of attack. Eliminating these risks altogether is impossible, though organizations should be proactive about preparing for and responding to any cyberattacks that they may fall victim to, creating, implementing and practicing the previously mentioned response plans.

“The thing I’d like to underscore for healthcare institutions in particular is to really challenge themselves to practice,” Mann concluded. “Do you have people on speed dial so that you can get help if you're an institution that's underfunded from a cybersecurity perspective? This is a real threat that needs to be a priority. Preparation is a big thing and I hope people are doing that. Some are, but many aren't.”

Comments (1)
  • yana clever, about a year ago

    Thanks for this post. Thanks to this information, you begin to understand what points you should pay attention to in order to avoid problems in healthcare cybersecurity. https://www.cleveroad.com/blog/healthcare-cybersecurity/