Mike has over 15 years of experience in healthcare, including extensive experience designing and developing medical devices. MedCrypt, Inc.
In a time of growing global and domestic tension and conflict, critical infrastructure and the public sector will continue to be targeted. Digital operational technology (OT) also faces the threat of kineticised cyberattacks. Based on these trends, it is certainly advisable to heed the insight from Condoleezza Rice, former U.S. National Security Advisor: “Today, the cyber economy is the economy. Corrupt those networks and you disrupt this nation.”
In this climate, another WannaCry-like attack with broad socioeconomic implications is certainly possible, including an impact on the health care industry. Although we can’t precisely predict the future of cyber events, we can draw conclusions from broad trends, and we do need to ensure that all the proper cybersecurity components are in place.
Health Care Cybersecurity Now And Into The Future
As a critical infrastructure industry, health care faces unique risks as a result of evolving cyberthreats. Any cyber compromise of a health care organization has the potential to impact patient safety, timeliness and quality of care; the confidentiality of sensitive information; and can result in reputational, legal and/or financial harm.
Many discussions on health care cyber risks focus on these factors. However, health care is also unique in how evolving technology can impact patient care, resulting in the need to broadly consider and prepare for a range of cyber scenarios:
• The dependency on the availability of digital systems heightens the urgency to restore operations, a fact that is not lost on ransomware gangs that have made health care organizations a desired target.
• From a technology perspective, health care infrastructure is far more complex than other industries. As an environment of disparate technologies—with varying ages and security maturity—it offers a broad attack surface that is challenging to protect. Opportunistic attackers may not necessarily seek out health care organizations as a target but may merely be looking for a system with a weakness that fits their attack capabilities.
• Care delivery is transforming to new models of telehealth and hospital-at-home, utilizing new technologies and improved digital infrastructure while at the same time inheriting the new cyber risks that come with them.
My company’s analysis of the Health and Human Services breach data from 2009 through 2021, as published on the so-called Wall of Shame, shows continual growth of reported breaches at a 12.3% CAGR. Most noteworthy is the fact that since 2015 that growth can be solely attributed to the “Hacking & IT Incident” category, which now accounts for almost 75% of reported breaches. This clearly indicates that the industry’s security capabilities are no match for the increasingly skilled adversaries. Consider these specific examples that are on the threat landscape of the future:
• Already profitable ransomware attacks will evolve into new business models that find new ways to monetize data, including hack-and-leak attacks or blackmail.
• Attacks with destructive consequences are becoming more likely.
• Adversaries will continue to hone their skills and capabilities to launch more targeted and sophisticated attacks, including via the software supply chain and via outsourced services and supporting cloud infrastructure.
• As mobile technologies evolve and their networks become more powerful, they could be exposed to a wide range of attacks with adversaries benefiting from our digital lives committed to these devices.
• Politically motivated attacks could increase and become more damaging than traditional cyberattacks. These may range from disinformation campaigns to infrastructure attacks resulting from national conflicts, as well as domestic terrorist or activist attacks.
How The Health Care Cyber Defenders Can Prepare
On the side of the cyber defenders, we will need to change from a reactive approach to one of preparedness. For example, in order to fully prepare for this future, we must see these changes in response, at a minimum:
• A culture of compliance and breach prevention should be replaced by one focused on resilience and safety.
• Law enforcement should step up cyber practices on a national level, including more aggressive cyber defense.
• On a security-operational level, risk reduction and security maintenance should increasingly be aligned with integrated cyber defense tools.
• Buyers of digital technologies, be it individual consumers or companies, should become increasingly aware of their risks and seek assurance that their purchases are sufficiently secure and protected.
As the risk of security-induced losses increases, and as company boards’ security responsibilities continue to grow, we should see a shift from seeing security as a cost center and roadblock to one that is a business enabler. Security technology and service providers should align with customers’ needs and deliver and implement security at scale and with demonstrable ROI.
At the same time, industries and governments are starting to recognize the challenges of security skills shortages and burnout. Consequently, cyber education efforts should step up to attract a diverse workforce and make use of the opportunity it offers.
The health care industry will need to develop a collective strategy that improves the resilience of the sector by including all stakeholders and their cybersecurity responsibilities. The industry also needs to understand its unique weaknesses and improve its security posture from the ground up.
At present, we are experiencing health care as a changing industry that is getting ready for the future. With that comes the opportunity—even the obligation—to build something more secure, reliable and resilient.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.