Hospitals need “tribal approach” to protect against hackers, says expert


Cyberattacks on healthcare institutions can quickly turn deadly. And while larger organizations are starting to adapt to the new cyber reality, smaller local hospitals are mostly left to fend for themselves. Closer collaboration might help to solve the crisis.

While downtime can seriously harm any organization, the consequences of taking out a hospital can be devastating. A recent study from the University of Minnesota’s medical school has shown that mortality rates for patients at hospitals experiencing a ransomware attack increased by around 20%.

Meanwhile, mortality rates were even higher for patients at hospitals experiencing the most severe ransomware attacks (mortality rate increase of 36-55%) and for patients of color (increase of 62-73%).


Worse still, cybercrooks have little incentive to stop targeting healthcare institutions. First, since downtime is extremely dangerous, hospitals are more incentivized to pay hackers a ransom. Not only that, but unlike financially motivated businesses, hospitals deal with life-and-death situations, which may force them to enter negotiations a lot faster, Richard Cassidy, a Field CISO (chief information security officer), told Cybernews.

For example, the UnitedHealth Group (UHG) subsidiary Change Healthcare paid attackers a $22 million ransom after patients who were unable to fill prescriptions started to panic.

Healthcare organizations are also data-wealthy, making their servers particularly attractive to hackers. Even if hospitals decide not to pay up, threat actors can keep the stolen data and sell it on the dark web afterwards.

“What we discovered through our own analysis was that a typical healthcare organization has 50% more sensitive data within their estate than the global average. Moreover, that volume of accumulated data for such organizations is growing at a rate of seven times over the next five years,” Cassidy explained.

Why aren’t hospitals protected?

The crucial problem that most hospitals face is outdated technology and infrastructure. Even though healthcare organizations are more than capable of adopting novel technologies, they are often forced to rely on legacy software to retain interoperability with existing equipment.

“There aren't options to move towards newer technology platforms, especially in certain medical testing scenarios, which leaves them relying on legacy systems that are often not as well supported by manufacturers as they should be,” Cassidy continued.

Additionally, hospitals depend on very complex ecosystems, ranging from the systems patients interact with, to those used by staff working at the coalface of healthcare, to all of the third-party integrations and systems that they rely on.


“The sheer complexity creates problems with staffing. Not in the sense that there's a different shortage for professionals, most industries are struggling to find defenders, but it’s very difficult for healthcare to find the right talent at the levels they need it,” explained Cassidy.

At the same time, because they hold a trove of sensitive data, hospitals are subject to strict data regulations which, according to Cassidy, force many CISOs to spend most of their time on compliance, sometimes at the cost of innovating with real-life security measures.

Resilience, resilience, resilience

The last two years saw attacks on hospitals skyrocket. According to the US Office of the Director of National Intelligence (DNI), attacks against the healthcare sector in the US last year were up by 128 percent, with 258 recorded victims.

Cassidy believes that while healthcare providers have started to operate under the presumption that they will be attacked, additional steps are necessary for that preparedness to have a real impact.

“I think we've become too hyper-focused in the industry on real-time detection responses to these threats. That's all well and good, but when they fail, and they only have to fail once, what happens next?” the Field CISO pondered.

Instead, organizations should play out attack scenarios under different circumstances. For example, how would a healthcare provider operate if its blood test vendor gets knocked out, or if the hospital can no longer perform X-rays?

Cassidy believes that regulators should step in, prioritizing resilience as a core foundation of security. The government should also take care of smaller healthcare providers, which often lack the resources to strengthen their cybersecurity defenses.

“I think we need a real tribal cybersecurity approach in the market. Hospitals, small finance companies, and other organizations with much more limited budgets and operations could proactively share their expertise that helps these organizations stay ahead of the curve where possible. Because at the moment, people are left to just work it out for themselves and it doesn't scale,” Cassidy concluded.
