Healthcare OT Cybersecurity Can Be a Matter of Life and Death


Cybercriminals target healthcare and public health systems more than any other market sector.

According to the United States Department of Health and Human Services (HHS) Cybersecurity Program, health and medical clinics and healthcare industry services are more than four times as likely to suffer ransomware attacks as any other sector.

The financial impact of healthcare cyberattacks can be significant. For example, a university medical center that sustained a ransomware attack in 2020 and didn’t pay the ransom estimates associated costs of $54 million, including lost revenue and the costs of rebuilding their computer network.

More devastating than the financial cost is the potential threat to human health and well-being: The American Hospital Association’s Center for Health Innovation states that ransomware attacks on hospitals cross the line from an economic crime to a threat-to-life crime. Examples of high-profile healthcare cyberattacks include:

  • A ransomware attack at a large nonprofit health system shut down emergency rooms across the country.
  • A three-year-old received five times the prescribed amount of pain relievers because the computer system that automatically calculates medicine dosage was disabled by a cyberattack.
  • In the first case of its kind, a lawsuit against an Alabama hospital alleged that a ransomware attack led to the death of a nine-month-old child.

Healthcare OT is Uniquely Vulnerable

As healthcare cyberattacks increase, inadequate security can damage patient trust, incur large financial costs and, most important, interrupt the delivery of timely — and sometimes life-saving — health services. Healthcare operational technology (OT) is an attractive target for several reasons.

First, the number of medical devices is rising sharply. According to some estimates, up to 50 billion medical devices will be connected to clinical systems by 2030. While these devices can improve health and potentially save lives, their proliferation presents new ways for threat actors to enter and compromise systems.

Even as new devices are added, older legacy devices remain in use. Medical devices have an unusually long service life — some can remain in service up to 30 years. As a result, devices that were once state-of-the-art may now be running on older, less secure software, and many of today’s modern devices will likely stay in use long enough to become outdated legacy systems.

Legacy devices present a unique and significant security threat. While they can continue to function for decades, there may not be a way to update their outdated operating systems and software. For example, a 2020 estimate claimed that up to 50 percent of all in-service medical devices were still using Windows 7, and many couldn’t be updated to a more secure version because there is no upgrade path for the device.

The continued use of non-secured legacy systems places the devices — and all of the interconnected healthcare infrastructure — at risk. Every medical device presents a potential entry point into a vast technology ecosystem that includes IT/OT integration, creating the possibility of lateral attacks that originate in healthcare OT.

Healthcare OT Security Strategies

For every element of healthcare OT, security must be considered not only for the device itself but also for its communications protocol and its connections with other healthcare IT and OT, including monitoring systems, apps, and all other associated devices and networks.

The FBI recommends four strategies to harden medical device security, including endpoint protection. Endpoint protection can be especially effective for medical device security because it treats every individual device as an endpoint whose behavior must be continuously and proactively evaluated.

AI-based endpoint protection can stop both legacy and zero-day threats, even on devices that have not been recently updated. Predictive recognition capabilities ensure that all activity is evaluated to determine whether it’s a threat, and atypical activities are quickly recognized and halted. This is especially important for medical devices because their vast numbers and remote locations make constant updates of signature files impractical or impossible.

Some of the top considerations when evaluating AI-based endpoint protection for healthcare OT and IT include the following:

  • To protect devices, patient data, and other connected systems, the solution must deliver the critical function of securing legacy devices, including ones that rely on outdated software.
  • The solution must be easy to deploy. This may require installation on active devices directly from the cloud, from a single image propagated to all devices in a network, in air-gapped environments, or as part of standard software and operating system updates.
  • Security features must not impact or interfere with the device’s clinical performance and must place minimal demands on CPU, memory, and network resources. This is especially important to ensure that legacy equipment functions safely throughout its lengthy lifecycle.
  • The solution must be scalable to support the addition of future technologies without affecting the security of existing devices.

The MSSP Opportunity in Healthcare

A recent survey of healthcare organizations shows that while staff are aware of device security issues in general, many organizations lack practical security management and response plans. Healthcare security is also impacted by the well-documented cybersecurity skills shortage, and cybersecurity professionals with specialized knowledge of healthcare technology can be even more difficult to find.

As a result, MSSP solutions can empower healthcare organizations to:

  • Improve the quality of patient care. MSSPs can provide around-the-clock monitoring and quick remediation of security incidents to minimize disruptions and the impact of attacks on the network.
  • Maintain and document regulatory compliance
  • Manage costs
  • Deploy new technologies with confidence

Solutions such as Cylance Endpoint Security from BlackBerry can empower MSSPs to protect medical devices and the vital systems and data they support from known and unknown threats.

Learn more about the BlackBerry partner program, which delivers software and services that address every aspect of securing healthcare OT, IT, and the growing internet of medical things (IoMT).

Guest blog courtesy of BlackBerry Cybersecurity. Read more BlackBerry Cybersecurity blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.