Healthcare Security 2020: According to a recent TechCrunch report, over one billion medical images from patients around the world – including CT scans, X-rays and ultrasounds (USG) – are available online for download to anyone with “an internet connection and free-to-download software.” It’s a jarring number, and while it is certain to get people talking, the question is: will this revelation improve anything?
More vulnerabilities are being found in the healthcare space, and yet very little action seems to follow. It’s a scathing indictment of the state of digital risk management in healthcare providers today, but the fact is that it isn’t even surprising anymore.
While more than 50% of healthcare leaders report that “contending with fast evolving cyber threats” represents the single most significant challenge facing the industry, 32% still admit to never auditing their medical devices for known vulnerabilities.
From top to bottom, healthcare security is treated as a secondary issue rather than a primary concern. Medical device manufacturers, hospitals and regulators acknowledge the problem, and yet too few are proactively investing and taking the necessary steps to improve their cyber posture.
The medical community has watched the amount of patient data exposed nearly triple year-over-year for the past two years – going from 15 million breached patient records in 2018 to some 40 million in 2019 – and the numbers show no signs of slowing down.
Healthcare Security 2020: The Double Edge Sword
Even when the system works exactly as designed, every vulnerability disclosure is a double-edged sword. While it equips device manufacturers and healthcare providers with the information they need to patch their vulnerabilities and improve healthcare security, it also shines a spotlight on design flaws that can be exploited in the wild. That’s when everything goes to plan. Regrettably, the real world is chaotic, and things don’t always go as intended.
The point, then, is that the system designed to defend us is not in itself strong enough to get the job done. That requires diligence and conscientiousness from all involved, and a commitment to hunting down and rooting out unnecessary healthcare security risks. So far, that has been far from the case.
Almost three years ago, the WannaCry ransomware attack knocked NHS computers offline, impacting patient care: 19,000 appointments were canceled and the NHS incurred an estimated £92m in costs. Despite the aftereffects of the attack and the numerous patching guides published since, hundreds of thousands of devices remain vulnerable to the exploit.
According to a 2019 report, 71% of medical devices run on legacy Microsoft operating systems that are no longer supported as of January 14, 2020, leaving the security of these devices even more precarious than before.
Medical devices are still shipped with generic passwords printed in the manufacturer’s manual – often hard-coded and unchangeable by the user. At the same time, healthcare providers are failing to act with the required urgency to improve security protocols and update software.
In fact, a recent CyberMDX survey found that less than 40% of hospitals install security updates as they’re issued. The rest continue to operate deprecated and vulnerable software for extended periods of time.
How deep does the problem go? The TechCrunch article about the billion-plus exposed medical images doesn’t describe a difficult-to-solve or hard-to-manage healthcare security issue, but a simple and easy-to-avoid server misconfiguration.
Healthcare Security 2020: What Will It Take To Create Change?
Given the state of healthcare security across the medical community, the threat of monetary fines or PR damage doesn’t seem to motivate the industry at large into action. Those that have experienced a ransomware attack or had a vulnerability exposed in the media are shamed into patching their systems, but this is hardly a good strategy for improving the situation on a meaningful scale.
While oversight bodies such as the United States’ Cybersecurity and Infrastructure Security Agency (CISA) work to promote broader awareness of digital vulnerabilities in public infrastructure and industrial control systems, there are limits to their influence and power.
CISA is meant to encourage healthcare security research and coordinate the dissemination of vital cybersecurity information through its alert and advisory system, but the body lacks a strong enforcement mechanism to compel best efforts from device manufacturers.
As a result, even when the agency is engaged by a responsible party with vital information about insecurely designed medical devices, the process of disclosing that information to the parties at risk can be needlessly dragged out and endlessly debated while, unbeknownst to them, patients remain at persistent risk.
The FDA also has a role to play, but short of issuing wide-scale recalls on account of cybersecurity issues – which seems a particularly remote and unnecessarily disruptive prospect – there is no reliable way to enforce the secure design and management of medical technologies.
The threat of steep financial penalties may offer the jump-start the community needs. If a regulatory body had the authority to issue burdensome fines for negligent healthcare security and device management, manufacturers and healthcare providers might finally forgo the finger-pointing and buck-passing and make much-needed improvements to their own internal processes.
One thing is certain: if we don’t at least try to add new and more powerful incentives to the equation, nothing will change quickly. That is, unless, left to its own devices (pun very much intended), the course of events introduces its own corrective forces. But we’d be wise not to wait for that.
Last year, a joint research paper from Vanderbilt University and the University of Central Florida noted a 3.6% increase in cardiac event fatalities at hospitals that had recently suffered cyber attacks.
That means that, all other things being equal, for every 30 cardiac event patients admitted to an affected hospital, statistically one would die who would have survived elsewhere. Think about that for a moment. That’s where things stand today. How much worse does it need to get before we begin acting reasonably?
If it isn’t already abundantly clear that our lax attitude toward healthcare security in 2020, and toward cybersecurity in hospitals generally, amounts to a game of chicken, it will likely soon become so. The thing is, we don’t need to wait for a soul-shaking wake-up call just to wake up. We need to act now, and we need to use all available instruments to compel others to act too.