The ongoing digital transformation in healthcare, driven by advances in interconnected medical devices and clinical processes, has increased cybersecurity risks that can outweigh the advantages to patient care.
Healthcare organisations face a particular set of security challenges as cybercriminals become more skilled and the effects of cyberattacks change.
The Extended Internet of Things (XIoT), a comprehensive term encompassing all cyber-physical devices connected to the internet, including Internet of Medical Things (IoMT) devices, plays a significant role in this scenario. HIPAA compliance auditors are crucial in addressing these evolving security challenges and ensuring that healthcare organisations meet the stringent requirements of data protection and privacy mandated by the Health Insurance Portability and Accountability Act.
Despite its undeniable advantages, the growing cyber-physical connectivity of XIoT has introduced various cybersecurity challenges by expanding the potential targets for attacks. Threat actors now go beyond targeting traditional IT systems; they have shifted their focus to cyber-physical systems (CPS), ranging from IoMT devices to critical building management systems (BMS) such as elevators and HVAC systems, which are crucial for maintaining a safe environment for patient care.
According to Mr. Manish Chaudhari, CISO of Cybernetic Global Intelligence, an internationally recognised provider of cybersecurity services, “an incident involving IoT in healthcare has consequences that extend beyond money. Patient outcomes may be directly and negatively impacted by malfunctions or other disruptions to these systems and devices. In the worst situation, it might cause harm or even death to the patient. Healthcare professionals who are responsible for mitigating cyber risks are faced with this harsh reality.”
An independent survey conducted recently among 1,100 full-time professionals working in cybersecurity, engineering, IT, and network management has provided important new information about how healthcare organisations are currently tackling the cybersecurity challenges arising from digital transformation.
Key findings from the study include:
Cyber-physical systems (CPS) are experiencing serious problems as a result of cybersecurity incidents, and the study shows a discernible rise in ransomware payments.
- Globally, at least 78% of respondents encountered at least one cybersecurity incident in the past year.
- 47% reported at least one incident affecting cyber-physical systems, including medical devices and/or building management system devices.
- Financial implications were predominantly in the range of USD 100,000–1,000,000 (or AUD 160,000–1,600,000).
- Despite being discouraged by government authorities and cybersecurity industry experts, 26% of respondents admitted to paying ransoms.
Encouragingly, companies are demonstrating a willingness to boost their cybersecurity budgets in response to the expanding threat landscape:
- Globally, 51% of respondents noted an increase in security budgets.
- Prioritising the patching of vulnerabilities in medical devices is a primary focus, followed by managing asset inventory and segmenting medical devices.
However, recruiting skilled cybersecurity professionals has proven challenging, necessitating cost-saving measures:
- Over 70% of organisations aim to hire cybersecurity professionals, but 80% of them find it difficult to identify qualified candidates.
- Respondents highlight optimising device utilisation as the key opportunity to reduce costs.
An increasing emphasis by organisations on cybersecurity regulations and standards has played a crucial role in advancing the field:
- Regulatory developments, such as compulsory incident reporting, are considered the most influential external factors shaping an organisation’s overall cybersecurity strategy.
- In Australia, all organisations are advised to implement the essential mitigation strategies outlined by the Australian Cyber Security Centre, known as the Essential Eight.
- Globally, respondents recognise the NIST and HITRUST Cybersecurity Frameworks as the most significant for their organisations.
Top Recommendations for Strengthening Security
The survey emphasises how healthcare organisations are placing a greater focus on cybersecurity compliance. Nonetheless, security initiatives to strengthen operational and cyber resilience still have room for improvement, given the frequency, diversity, and impact of cyberattacks.
Encouragingly, the study indicates that healthcare organisations are proactively adjusting their course to maximise cybersecurity and operational resilience. This involves effective leadership, comprehensive security initiatives, and adherence to guidelines and frameworks provided by regulatory authorities.
1. Achieve complete visibility into all connected devices in the clinical environment
Healthcare organisations cannot protect assets they cannot see or understand. Obtaining this visibility is a crucial yet challenging task, mainly because new assets and devices are being connected to healthcare networks daily, often without proper authorisation.
Thorough asset inventory management, overseen by HIPAA compliance auditors, is essential for identifying and mitigating potential threats. Recognising that each healthcare environment is unique and contains complexities that may render certain device discovery tactics unsuccessful, it is critical to ensure that security solutions, in collaboration with HIPAA compliance auditors, offer multiple, highly flexible discovery methods that can be tailored to provide full visibility based on distinct needs.
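The visibility gap described above is easiest to understand as a reconciliation problem: compare what network telemetry actually observes against the approved inventory, and surface the difference. The following Python script is an added illustration written for this article; it is not code from the survey, from Cybernetic Global Intelligence, or from any HIPAA tooling. The device names, MAC addresses, VLAN numbers and the DHCP/ARP-style telemetry lines are all constructed sample data, and the `ip=... mac=... vlan=...` line format is an assumed one (real exports differ). It reports devices seen but never inventoried, inventoried devices seen on a VLAN other than the one they are approved for (a segmentation drift signal), and inventoried devices not seen at all.

```python
"""Reconcile observed network endpoints against an approved asset inventory.

Added example for this article (constructed data, not from any real network).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    name: str
    vlan: int      # VLAN this device is approved to operate on
    owner: str     # team accountable for the device


@dataclass(frozen=True)
class Observation:
    mac: str
    ip: str
    vlan: int
    source: str    # telemetry that produced the record ("dhcp" or "arp" here)


# Constructed approved inventory: hypothetical devices, written in the mixed
# MAC formats that different inventory spreadsheets tend to use.
APPROVED_ASSETS = [
    Asset("00:1B:63:AA:BB:01", "infusion-pump-ward3-01", 20, "biomed"),
    Asset("00:1B:63:AA:BB:02", "infusion-pump-ward3-02", 20, "biomed"),
    Asset("3C-52-82-10-20-30", "hvac-controller-wing-b", 30, "facilities"),
    Asset("b827.eb11.2233", "nurse-station-pc-07", 10, "it"),
]

# Constructed telemetry lines in an assumed format resembling a DHCP lease
# log and a switch ARP table export; sample input, not captured data.
OBSERVED_LINES = [
    "dhcp lease ip=10.20.0.11 mac=00:1b:63:aa:bb:01 vlan=20",
    "dhcp lease ip=10.20.0.12 mac=00:1b:63:aa:bb:02 vlan=20",
    "arp ip=10.10.0.57 mac=b8:27:eb:11:22:33 vlan=10",
    "arp ip=10.10.0.99 mac=3c:52:82:10:20:30 vlan=10",        # HVAC controller seen on the IT VLAN
    "dhcp lease ip=10.20.0.40 mac=a4:c3:f0:de:ad:01 vlan=20",  # never inventoried
    "this line is malformed and should be skipped",
]

_LINE_RE = re.compile(
    r"^(?P<source>\w+)\b.*?ip=(?P<ip>\S+)\s+mac=(?P<mac>\S+)\s+vlan=(?P<vlan>\d+)"
)


def normalise_mac(mac: str) -> str:
    """Canonicalise aa-bb-cc-dd-ee-ff / AABB.CCDD.EEFF / AA:BB:... to lowercase colon form.

    Inventory and telemetry rarely agree on MAC formatting, so every comparison
    goes through this function.
    """
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_observation(line: str):
    """Return an Observation for a recognised telemetry line, or None if it does not parse."""
    match = _LINE_RE.match(line)
    if match is None:
        return None
    return Observation(
        mac=normalise_mac(match.group("mac")),
        ip=match.group("ip"),
        vlan=int(match.group("vlan")),
        source=match.group("source"),
    )


def reconcile(approved, lines):
    """Compare telemetry against the inventory and return the three kinds of findings."""
    inventory = {normalise_mac(a.mac): a for a in approved}
    seen = set()
    unknown, vlan_mismatch = [], []
    for line in lines:
        obs = parse_observation(line)
        if obs is None:
            continue                      # unparseable telemetry is skipped, not guessed at
        seen.add(obs.mac)
        asset = inventory.get(obs.mac)
        if asset is None:
            unknown.append(obs)           # on the network, not in the inventory
        elif asset.vlan != obs.vlan:
            vlan_mismatch.append((asset, obs))   # inventoried, but outside its approved segment
    unseen = [a for mac, a in inventory.items() if mac not in seen]   # inventoried, not observed
    return {"unknown": unknown, "vlan_mismatch": vlan_mismatch, "unseen": unseen}


if __name__ == "__main__":
    report = reconcile(APPROVED_ASSETS, OBSERVED_LINES)
    for obs in report["unknown"]:
        print(f"UNKNOWN DEVICE   {obs.mac} at {obs.ip} (vlan {obs.vlan}, via {obs.source})")
    for asset, obs in report["vlan_mismatch"]:
        print(f"VLAN MISMATCH    {asset.name}: approved vlan {asset.vlan}, seen on {obs.vlan} at {obs.ip}")
    for asset in report["unseen"]:
        print(f"NOT OBSERVED     {asset.name} ({asset.owner})")
```

Running it on the constructed data flags the uninventoried device on VLAN 20 and the HVAC controller that has drifted onto the IT VLAN, while all four inventoried assets are accounted for. In practice the two input lists would come from the organisation's CMDB and from whichever discovery sources are available (DHCP, switch tables, passive network monitoring), and the "unseen" list is as useful as the others: a device that the inventory says exists but that no telemetry has seen may be offline, on an unmonitored segment, or mis-recorded.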
2. Integrate the existing IT tech stack and workflows
Healthcare organisations already utilise various solutions and tools in their cybersecurity programs. Rather than expanding an already extensive tech stack, it is essential to find cyber-physical system (CPS) security solutions that seamlessly integrate with them. By extending existing tools and workflows from IT to CPS, organisations can uncover potential risk blind spots without compromising patient outcomes.
3. Expand current IT security measures and oversight into the clinical setting
Unlike their IT counterparts, most Extended Internet of Things (XIoT) environments lack crucial cybersecurity controls and consistent governance. This is primarily because many medical devices were initially designed with a focus on functionality rather than security and were not intended for internet connectivity. The surge in interconnectedness has led these previously “air-gapped” devices and systems to merge with IT networks, which were not originally designed for the same level of connection and management.
The rapid adoption of digital transformation, along with the prevalence of remote and hybrid work environments, has left security teams with limited awareness and understanding of the distinctive challenges presented by these newly interconnected XIoT environments. Healthcare organisations will struggle to maintain consistent governance and controls if they don’t have a dedicated security team or support from a specialised solution focused on securing Cyber-Physical Systems (CPS).