Malware, most often arriving as ransomware, can devastate healthcare providers. It can take devices that care delivery depends on offline or corrupt their output, while also stealing confidential patient data. One such attack even forced a hospital to close its doors for good.
Since 2017, when WannaCry was the first malware to disable medical devices, ransomware has turned into a healthcare epidemic. The average hospital in the U.S. is hit by 43 attacks every year while many large hospitals are targeted every day. In fear of having to shut hospitals down and transfer patients, administrators elect to pay the ransom 61% of the time.
According to an IBM report, a successful cyberattack on a hospital costs an average of $10.1 million, excluding any ransom payment. That is the highest cost among all industries.
A Vulnerable Industry Sector
Healthcare is a particularly vulnerable sector for many reasons. Private patient data can be sold relatively easily on the black market. Hospital cybersecurity budgets are also often limited. As a result, hospitals lack staff with the required expertise and lack the tools needed to build a strong security posture and defend their networks.
Another weakness is the many legacy devices hospitals use. Often a device can be clinically useful for more than a decade, long after typical computing devices would have been retired. Medical devices as well as servers, laptops, and network gear on the IT network—not to mention IoT devices like video cameras and HVAC controls—tend to be unpatched. They all offer easy network access to cybercriminals who can then move laterally across the network to breach mission-critical medical devices.
There’s also a sense of urgency when ransomware strikes. It’s one thing to be hit with an attack when you have time to consider your options. Perhaps there’s a way to recover the use of your computer devices and access to data without paying off cybercriminals. But in healthcare, there is no time. Patient lives are on the line. You can’t ask someone recovering from a heart attack to wait a day for their heart monitor to come back online.
That’s why many hospitals infected with malware simply choose to pay the ransom. They do whatever it takes to bring devices back online so they can care for their patients right away.
Strong Defense Requires Cross-Department Collaboration
One of the challenges in solving the ransomware dilemma for hospitals is that they need to bring three teams together and synchronize their efforts. Healthcare Technology Management (HTM) teams (including the third-party OEM support firms they contract with) specialize in the nuances of maintaining medical device hardware and software. They ensure the devices operate optimally in helping doctors and nurses care for patients.
The second team is Security Ops (or InfoSec), which specializes in technologies, processes, and policies to defend against cybercriminals attempting to breach hospital systems. The key to securing medical devices is to coordinate the expertise of both HTM and Security Ops so that together, they can create a strong risk management program that secures medical devices without impeding their performance.
It’s just as critical to deploy a program that allows these teams to identify, prioritize, and mitigate risks efficiently in order to contain costs as much as possible, which is the key concern of the third player in the risk management scenario: the CFO. By working together, HTM and Security Ops can also help the CFO understand the risk of doing nothing to defend the hospital against ransomware attacks. This paves the way for the CFO to allocate the necessary budget despite the thin margins that today’s hospitals contend with.
Securing the Necessary Budget
Getting the necessary budget for a risk remediation platform is challenging because of the razor-thin operating margins most hospital CFOs contend with: the average hospital operating margin is 0.4% according to a Becker's Hospital report. But the ROI of a vulnerability management solution is better judged by the consequences it helps avoid.
To get the budget you need, it also helps to quantify the work you are doing now for risk remediation. This includes enumerating the number of devices (medical and IT as well as building IoT devices). Then document how many have vulnerabilities, what the risks are, and how long it takes to fix them in the event of a crisis.
From there, compare that information against the hours the organization will save by implementing a holistic risk remediation platform. You can supplement this data with an industry average risk score to further illuminate your security savings and security risk trends, and to show how your hospital is doing in comparison to the rest of the field.
Combining a Proactive Defense with Streamlined Incident Response
To deploy a cost-effective risk remediation platform, many hospitals have turned to Asimily, which has developed a software platform that provides five key capabilities:
- Inventory Management: Identifies all devices on the network and classifies them in a useful way.
- Vulnerability Mitigation: Determines device vulnerabilities and prioritizes which ones to fix first.
- Anomaly & Threat Detection: Detects sophisticated under-the-radar cyberattacks in real time.
- Remediation: Provides guidance for how to mitigate vulnerabilities and access to vulnerability patches.
- Forensic Analysis: Analyzes data to reveal attacker tactics, techniques, and procedures.
By combining proactive measures to identify vulnerabilities with incident response aids such as packet capture, Asimily enables HTM and Security Ops teams to quickly identify and mitigate risks as well as pinpoint attacks to restore operations quickly and avoid paying ransoms.
The Time to Act Is Now
Given the current state of cyberattacks in the healthcare industry, the time is now for hospitals to implement risk remediation capabilities like those provided by Asimily. If you are hacked, the consequences may include the interruption of life-saving services as well as HIPAA fines and investigations for any leaked data.
If you pay a ransom, you may face fines from the U.S. Department of the Treasury. Consider too how the loss of data will impact not only your healthcare services but also your business operations. There are also potential legal liabilities, should any patients file lawsuits for medical malpractice or privacy invasion.
All of this—regardless of whether you are at fault—can lead to reputational damage. And that may cause a decrease in the number of patients choosing to use your hospital for their healthcare needs.