Healthcare was created to help people. So why is this industry the most heavily targeted by cybercriminals and ransomware attacks?
In the first half of 2020 alone, the Department of Health and Human Services saw a nearly 50% increase in the number of healthcare-related cybersecurity breaches. The COVID-19 pandemic forced the healthcare industry to operate at a level that it wasn’t prepared for, which meant emergency facilities were erected without proper security measures in place in order to care for the largest number of patients possible.
While prioritizing personal health in this emergency situation was the right move, we’re now forced to face the implications of it. Security measures continue to take a back seat, as the healthcare industry’s cyber risk exposure is weak. But this isn’t new. It seems like every week there is a new headline detailing another attack – an increasing trend we’ve seen in the last several years. While global cybersecurity spending is gradually increasing, it’s nowhere near the $6 trillion predicted cybercrime damages we’re expecting in 2021 alone.
This begs the question: why is healthcare cybersecurity so hard? Detailed below are four unique constraints that hold the healthcare industry back from proper cybersecurity.
Constraint 1 – Healthcare optimizes for healthcare
Healthcare is optimized for healthcare, not security. And it must always be optimized to deliver healthcare. Unfortunately, optimizing for healthcare while aligning with federal regulations is largely separate from optimizing for security.
So why do we require healthcare professionals to be security experts? Expecting these professionals to deliver world-class medical care and also defend against cyberattacks is like requiring a world-class athlete in one sport to also be world-class in another sport – it can be done, but it’s rare and more than a little unfair. Do we really want companies that are working around the clock to care for those affected by a pandemic to also have to battle cyberattacks up and down the supply chain? If you try to make healthcare professionals security experts, you’ll get worse healthcare and inadequate security.
Constraint 2 – Adversaries exist, meaning healthcare must also be optimized for security
Cybersecurity is a public health risk and the ever-present reality of cyberattacks is a threat to our healthcare delivery supply chain. Attacks on both healthcare suppliers and providers, not only disrupt the operations of individual hospitals but also impact the entire health systems such as what happened during WannaCry, diverting patients contributing to delays in care and probably adverse events. Another example of how devastating a single cyber attack can be is NotPetya which disrupted supply chains for drugs and vaccines and caused collective economic damage of around $10 billion.
Constraint 3 – Security requires deep specialization
Security is a harsh discipline and is not kind to amateurs, which makes assessing the adequacy of cybersecurity a hard problem. Minimizing the vulnerabilities in hospital networks and medical devices takes a sustained, organization-wide commitment, plus resources to execute the design, implementation, and maintenance of new security features.
The burden of security increasingly lands on the shoulders of medical device manufacturers (MDMs). Because healthcare organizations are focused on healthcare, any budget set aside for security is usually inefficient, meaning the cost to internally develop foundational infrastructure and individual security features will likely cost far more than purchasing commercially available solutions. Without sufficient off-the-shelf solutions, MDMs are often put in a difficult position of having to “roll their own” solutions, which will cost more, be prone to errors, and require continuous maintenance. The level of commitment for security features that aren’t fully incentivized by the market is a tough sell for business leaders that are competing on clinical features.
Additionally, the Food & Drug Administration (FDA) has increasingly put pressure on MDMs to build processes and technology that provide reasonable assurance of security, safety, and efficacy. While it makes sense for the FDA to be arbiters of security, now the FDA also has to assess the security adequacy of each device given its clinical risk context. And because they are also part of the healthcare supply chain, their job, and first priority is healthcare, not security.
Constraint 4 – Security debt and fractured government regulations
Successful attacks reflect that the $20 billion invested in healthcare security is largely spent by the consumers of the technology, such as hospitals, where security problems manifest. Because of this, we need to recognize that they are the least empowered to make that technology fundamentally securable.
Until the larger healthcare supply chain optimizes for security, security debt will be passed on to the consumers. But the healthcare industry doesn’t have a choice. Hospitals, clinicians, and patients must consume that debt to deliver healthcare, otherwise, there is no healthcare.
When push comes to shove, clinical wins. It’s clear that security is necessary for healthcare, but the ability of the stakeholders in the supply chain to enforce those needs is extremely limited. The result is that there is no market incentive for producers to build security into technologies early on, so consumers manage the unmanageable risk of passed down and consumed security debt. Consumers try to manage the security debt by building the network and perimeter-based defenses that aren’t addressing the actual problem.
“Shifting left” is a term that has traditionally been used to convey the concept of reducing technological debt by designing security features directly into the devices early in the development process. Reactive solutions to this problem no longer cut it; cybersecurity must be built into the device from the very beginning, not as an afterthought.
In the absence of a single healthcare technology authority, enhancing healthcare security and resiliency will require a coordinated effort between existing regulators focused on creating legal requirements for security by design. Without a coordinated effort, healthcare will remain a massive attack target.
About Seth Carmody
Seth Carmody is the Vice President of Regulatory Strategy at MedCrypt, a proactive healthcare security provider. Prior to MedCrypt, Carmody worked as the cybersecurity program manager in the Office of the Center Director, Emergency Preparedness/Operations & Medical Countermeasures, within the U.S. Food and Drug Administration (FDA)’s Center for Devices and Radiological Health (CDRH). Carmody brings over nine years of experience in guiding medical device cybersecurity regulatory strategy as well as managing regulatory responses to cybersecurity matters.