Technology: we can’t live with it; we can’t live without it. This especially rings true throughout the healthcare industry – maybe too literally at times. The rise of connected healthcare systems and medical devices has had a tremendous impact on the industry. In fact, Gartner predicts that by the end of this decade, 30% of nurse call systems will have been replaced by real-time health system (RTHS) solutions. Not only do these technological advances streamline efficiency – reducing information input from seven to 10 minutes, down to less than 60 seconds – but patient outcomes are also improving.
Securing healthcare technology is a double-edged sword. While networks need to remain open to enhance patient accessibility and care, the interconnected framework between doctors, providers and patients is a virtual welcome mat for hackers. These medjack (medical device hijacking) attacks can result in a variety of consequences from stolen data and systems being held for ransom to, worst case scenario, fatalities.
Difficulties securing the network
The proliferation of connected devices (66% of hospitals have between 10,000 and 100,000 network connected devices) has made moving across a healthcare organizations’ network easier than ever. While this adoption rate is positive for doctors and patients, it’s also a win for threat actors, as 65% of those surveyed answered “no” or “unsure” as to whether the security of medical devices is part of their overall cybersecurity strategy.
While new healthcare technologies save time and money, they also can be exploited by attackers to breach your environment. The HHS June 2017 Health Care Industry Cybersecurity Task Force report found that over the next few years, most machinery and technology involved in patient care will connect to the internet, despite most network-connected medical equipment having not been originally intended to be internet accessible or designed to resist cyberattacks. Here’s why that’s troubling – many of these devices have no built-in security software, yet connect directly to the internet, leaving them vulnerable to brute-force attacks and probing. Typically, these technologies go for long periods of time without updates, and many manufacturers never offer updates.
Of the top 1 million websites analyzed, 93.45% earned an “F” for failure to implement basic security measures that would protect them from cross-site scripting, man-in-the-middle, and cookie hijacking attacks. Additionally, as scanning these devices for vulnerabilities and security threats is challenging, most antivirus vendors do not protect these systems. All an attacker needs to do is break into one device to move laterally throughout the network, obtain access to an administrator’s computer, and alter the performance of IoT medical technologies, such as an insulin pump, fetal monitors, life support equipment, etc.
Another vulnerability in many healthcare organizations’ networks is the existence of legacy systems and disruptive technologies, such as cloud, mobile, big data and IoT. These put patient information at risk by increasing the complexity of managing and securing the environment.
Understandably, healthcare professionals are more focused on the physical safety and wellness of their patients than they are worried about securing networks, which explains why such a vast number of devices are left unsecured. With the reliance on the latest and greatest medical technology, comes the responsibility to secure it to ensure patients’ virtual safety as well. From open devices to legacy systems, and everything in between, a determined cybercriminal is sure to find a vulnerability to exploit. Making defense-in-depth security strategies to protect both patients and their data that much more important.
Security-as-a-service as healthcare solution
Digital transformation is a must, and these new technologies are no less vulnerable than older generations. No matter where your latest technologies are housed, on premise or in the cloud, you need continuous visibility into your data and devices to view the movement of an adversary within your environment. Spotting your attacker is only the first step. You must be able to provide immediate remediation, which is where most healthcare organizations fail, as they don’t have the staff or budgets.
For organizations faced with managing a complex security environment, security-as-a-service represents a cost-effective opportunity to obtain the visibility needed to secure hybrid, cloud and on-premise environments. Leveraging the speed and scalability of cloud computing, the right security-as-a-service vendor will automatically scale up as a healthcare provider’s environment grows with the newest devices and applications.
These outsourced security providers deliver strong detection, remediation and response capabilities for your environment and can eliminate the need to buy and manage expensive equipment like a Security Incident Event Management (SIEM), intrusion detection/prevention systems (IDS/IPS), or endpoint detection and response tools. Meeting the challenge of managing threats that stem from thousands of technologies is nearly impossible without the right staff and latest technologies.
Security-as-a-service providers help fill this gap between the need and lack of skilled cybersecurity professionals to monitor for, detect, and respond to the onslaught of today’s cyberthreats. Partnering with a reliable and strong security-as-service provider will ensure a team of talented cybersecurity professionals is protecting your healthcare environment 24/7/365. With new threats facing healthcare providers every day, a security-as-a-service offering will ease the burden of employing a full or part-time security operations center (SOC) staff that may or may not have the ability to monitor and detect every movement within your network.
Today’s doctors, providers and patients are using connected devices and web-facing applications to access electronic protected health information, book appointments, perform surgeries and diagnose illnesses. These technologies expedite medical processes and procedures, yet they also present additional security risks, which simply aren’t acceptable. Securing medical technology doesn’t have to be difficult or expensive. With far less time and costs of doing it yourself, security-as-a-service can simplify it all.
To learn more about securing your environment, see our healthcare security white paper.