Picture this. You’re an administrator in charge of providing basic amenities and day-to-day needs across 1,000 beds in an urban multispecialty hospital. One fine morning, you notice that all the patients’ bedside monitoring systems (the computer-like devices that display patient vitals like heartbeat and blood pressure) have stopped functioning, leaving doctors and nurses in the dark.
Upon further inspection, you notice that critical ICU functions, like the oxygen supply, and key infrastructure for surgical operations, like anesthesia machines, are becoming inoperative one by one, endangering the lives of several patients and crippling medical procedures. While you’re still trying to minimize the danger and figure out why this is happening, you are informed that the hospital’s HVAC system has failed.
Amid the chaos, you are contacted by an anonymous person who claims responsibility for this cyberattack on the hospital’s operational technology (OT) and starts demanding a substantial sum of money to resume normal hospital services.
The example above is a typical blueprint of a cyberattack on hospital OT systems. The same attack can go a layer deeper and affect the hospital’s IT systems, endangering hospital records and possibly leading to a data breach of sensitive health information.
Though cyberattacks affect OT systems across several domains, from the automobile industry to aviation, healthcare has lately been targeted the most.
Cyberattacks on the healthcare industry are on the rise
Healthcare cyberattacks are not confined to IT anymore. As medical devices and infrastructure become “smarter,” the attack surface for security incidents also increases. According to a report, healthcare organizations experienced the highest average cost of a data breach for the 11th year in a row. The average cost of a healthcare data breach stands at $9.23 million, almost double that of the finance sector (which placed second in terms of data breach cost).
On average, 2021 saw around two healthcare data breaches occurring every day. Some of the most common causes of breaches were:
Compromised business email.
A hacked network server.
An IT incident.
Keeping the above in mind, let’s see how you can minimize the cyberthreats affecting your healthcare organization’s IT and OT systems.
Ways to safeguard healthcare IT and OT
Restrict device access
Attackers can take control of hospital amenities just by plugging in a memory device or a laptop and then running a script that could render health facilities useless. One way to mitigate this is by blocking the use of external storage devices. This can be done using a device control solution that lets you keep tabs on devices and peripheral ports. You can also vet plugged-in devices and analyze user behavior.
Configure access control
From the chief surgeon to the most junior nurse, all hospital staff need quick, easy access to data to foster a positive patient experience. Adequate access control ensures that every user has the right amount of access, cutting down on the need to provide admin access. If healthcare personnel need access to resources that require admin privilege, you can temporarily elevate their privileges so they can get their work done smoothly. Access control secures your data, provides accountability by tracking user access, and ensures compliance with IT regulations.
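One way to model the temporary privilege elevation and access tracking described above, as an added example rather than code from the article or from any product. The roles, actions, user names and the `AccessBroker` class are hypothetical.

```python
import time
from dataclasses import dataclass, field

# Hypothetical roles and the actions each one may perform.
ROLE_ACTIONS = {
    "nurse": {"read_vitals", "update_chart"},
    "pharmacy_admin": {"read_vitals", "update_chart", "edit_formulary"},
}


@dataclass
class AccessBroker:
    base_role: dict                              # user -> standing role
    grants: dict = field(default_factory=dict)   # user -> (role, expiry, approver)
    audit: list = field(default_factory=list)    # append-only decision log

    def elevate(self, user, role, minutes, approver, now=None):
        """Grant a time-boxed role; users cannot approve their own request."""
        now = time.time() if now is None else now
        if approver == user or role not in ROLE_ACTIONS:
            self.audit.append((now, user, f"elevate:{role}", "denied"))
            return False
        self.grants[user] = (role, now + minutes * 60, approver)
        self.audit.append((now, user, f"elevate:{role}", f"granted by {approver}"))
        return True

    def allowed(self, user, action, now=None):
        """Check the standing role plus any unexpired elevation; log the result."""
        now = time.time() if now is None else now
        roles = [self.base_role.get(user)]       # unknown users get no role
        grant = self.grants.get(user)
        if grant and now < grant[1]:
            roles.append(grant[0])
        elif grant:
            del self.grants[user]                # expired grants are revoked
            self.audit.append((now, user, f"elevate:{grant[0]}", "expired"))
        ok = any(action in ROLE_ACTIONS.get(r, ()) for r in roles)
        self.audit.append((now, user, action, "allow" if ok else "deny"))
        return ok


def demo():
    broker = AccessBroker(base_role={"asha": "nurse"})   # constructed user
    before = broker.allowed("asha", "edit_formulary", now=0)
    broker.elevate("asha", "pharmacy_admin", minutes=30, approver="dr_rao", now=10)
    during = broker.allowed("asha", "edit_formulary", now=600)
    after = broker.allowed("asha", "edit_formulary", now=10 + 30 * 60)
    return before, during, after
```

Every decision, including the automatic expiry, lands in `audit`, which is the accountability record the paragraph refers to.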
Enable multi-factor authentication
With multi-factor authentication enforced, users will have to provide two or more layers of authentication in order to access your organization’s information. That way, even if an employee’s password is compromised, their other authentication factors will stop threat actors from logging on. These additional authentication factors are usually a time-based one-time password, a biometric scan, or a code from an authenticator app. Multi-factor authentication provides tons of benefits and is perhaps the easiest cyberdefense mechanism organizations can set up.
Encrypt data
Data encryption simply means making your organization’s sensitive information, like hospital records and patient data, unreadable to anyone who shouldn’t have access to it, like unauthorized users or hackers. This is especially useful in the event of a ransomware attack. Even if your data is compromised, threat actors won’t be able to read or divulge its contents, keeping your organization out of danger. Just make sure you have adequate backups.
Automate patches and critical software updates
There have been rapid strides in healthcare technology, but healthcare organizations can’t afford to downplay the role of patching and keeping their software up to date. Rather than applying patches and updates manually, it is important to automate these processes to limit the exposure of healthcare IT to vulnerabilities. Unpatched systems remain a major target of cyberattacks, so patches and software updates should be installed as soon as they are released.
Work only with certified vendors
From communication and cloud storage to billing and IT software, your health organization will use a variety of third-party vendors to record, process, and store critical information. On the other end, these tools will also have to deal with critical patient information from other stakeholders such as the insurance team or financial institutions. Any weak point in all those interactions with third-party vendors can be exploited by hackers, and the information can be misused. Even worse, if one of the vendors you work with falls prey to a cyberattack, there is a possibility that it will impact your organization as well.
One way to eliminate these hurdles is to check if the vendor is HIPAA-compliant. If a vendor is HIPAA-compliant, it follows a standardized set of security measures to maintain the confidentiality and security of protected health information when it is transferred, received, handled, or shared. There are other compliance regulations such as PCI DSS and NIST 800-171 that have an additional set of practices to safeguard private information.
The field of healthcare has never been so intensely technology-driven. From telemedicine to face masks that can detect around 800 diseases, it will become more and more difficult to manage and secure these complex devices. Back when healthcare OT was in its nascent stage, one way to protect these systems was to isolate them from the network. However, that is not the case anymore. As IT and OT systems become more advanced and play a bigger role in improving our lives, it’ll be interesting to see how our current endpoint management and security solutions evolve to safeguard the next generation of healthcare infrastructure.