The unfortunate reality today is that hospitals are under attack. While some of the most valuable data to cyber criminals on the black market today comes from healthcare, that is far from the only problem. In addition to pushing global healthcare systems to their limits, the pandemic has highlighted both the criticality and the weaknesses of our healthcare systems. These concerns are compounded because our medical systems are not only statistically more vulnerable, but also have more on the line. Unlike other industries, where financial loss or the theft of personal data is the greatest concern, in healthcare human lives are at stake. This situation creates a poor bargaining position for healthcare delivery organizations (HDOs), and opportunistic hackers have not been shy about exploiting it.
In addition to the external pressures created by the rapid increase in attacks, there are internal issues and a generally poor level of security across the healthcare system. For instance, despite expanding networks and fleets of medical devices, the vast majority of US hospitals still do not have a dedicated “chief” of security on staff. That leaves a lot for IT to manage, especially given the new security concerns of their rapidly digitized environments, and it has led to a lack of security cohesiveness across the organization.
One result of this relative weakness is that hospital boards are now seeing the price tags of recent ransomware attacks. A Ponemon/IBM Security study cited the average cost of a breach in 2021 at $4.24M across all industries. Healthcare, however, is more than double that number at $9.23M. What’s more, the higher-profile cases are showing far greater total losses, with one topping $100M, as announced in May this year. These are trends that the industry simply cannot ignore.
These circumstances fuel several predictions for healthcare cyber security in 2022, none of which we believe is a stretch:
Hacking Strategies Will Continue to Evolve
We all saw what happened with cyber-attacks on hospitals in 2020. Fueled by the pandemic, triple-digit increases in attacks on health systems were ignited because hackers knew hospitals would be completely engrossed in the pandemic and were easy targets. As a result, hackers blasted healthcare delivery organizations at an estimated cost of $21 billion. For the most part, it was a “spray and pray” tactic that worked very well given how distracted and vulnerable hospitals were during that time. Given all the lessons hospitals have learned to stay ahead of patient surges, we can expect them to be better prepared for future attacks. Unfortunately, the bad actors have also learned a lot. They now know what was successful and what was not, and they will fine-tune their attack models accordingly. Expect their largely “spray and pray” tactic to morph into a “bait and prey” strategy where, before launching an attack, they assess which hospitals are the lower-hanging fruit based on their weaknesses and potential bounties.
Hospital Boards Will Mandate Action
As the chess match between hackers and healthcare security teams continues through 2022, hospital boards will push senior management (i.e., from CEO to CIO to CISO, etc.) to ensure the level of cyber security is raised. The overall financial risk from ransomware attacks is now too great to overlook. It’s not the payouts that will be the main concern; it’s the revenue loss from potential shutdowns, as well as the reputational damage. According to a CyberMDX/Philips Ipsos study published this year, hospitals lose as much as $80,000/hour in revenue whenever operations are shut down. Recent attacks have been known to shut facilities down for days and weeks, and as we previously mentioned, one California-based healthcare system reported $91.6m of lost revenue during its 4-week recovery period. That’s a lot of revenue to make up. In addition, cyber insurance is getting tougher to obtain and afford, so boards will better understand its limitations and recognize this as another reason to want more assurance that operations will not be disrupted.
Supply Chain Will Demand Attention
Finally, we are all impacted by the post-pandemic supply chain issues. While it’s not hard to see those issues lingering into 2022, what many may not recognize is their relationship to cyber security. Suppliers can be entry points for bad actors to reach their real targets. Remember Target? Home Depot? The same strategy used to penetrate retailers can also be applied to healthcare providers. Similarly, if a third party’s equipment that is widely deployed in hospitals were to have a vulnerability exploited, the impact could spread to many healthcare facilities and networks, SolarWinds-style. Supply chains can also be disrupted when the supplier itself is attacked and shut down. If it’s a major supplier of a highly in-demand medical necessity, that kind of bottleneck can have severe ramifications.
So what can providers do? It’s important to put things – especially the Internet of Things – in perspective. The foremost priority of any hospital is quality care. In the past, that meant having the best physicians, staff, accommodations, medical supplies and equipment. Today, however, it must also include protection of all the things that ensure quality care – from medical equipment to medical data, all the way down to whatever powers those systems and devices. As we move into 2022, the importance of IoT and medical device security will become undeniable. It is no longer just an IT concern. It’s a vital part of the holistic mission of any health delivery organization.
About the author
Azi Cohen is the CEO of healthcare security leader Cyb