Healthcare cybersecurity is a particularly complex and difficult task. With the goal of keeping patients safe while simultaneously protecting their medical data, it presents a challenging balancing act for cybersecurity professionals. If you add to those challenges the vast number of IoT devices, regulatory compliance such as HIPAA, GDPR, and NIS, and the unprecedented impact of the coronavirus pandemic, healthcare cybersecurity may seem like an overwhelming task. Healthcare organizations can reduce their risk surface by securing their distributed medical devices with machine identity management.
Healthcare organizations are increasingly targeted by criminals
The healthcare industry continued to be one of the most targeted sectors in 2021, witnessing a 51% increase in breaches since 2019. While patient privacy has always been a common concern when it comes to breaches of healthcare organizations, a new study has found that cyber-attacks in the industry can have devastating effects on patient safety as well.
Many organizations have reported that healthcare ransomware attacks have resulted in longer hospital stays and in delays to procedures and tests, leading to poor outcomes including an increase in patient mortality. Respondents also reported an increase in the number of patients being diverted to other facilities and an increase in complications from medical procedures due to ransomware attacks.
In 2020 alone, 560 healthcare facilities in the U.S. were reported as victims of ransomware attacks in 80 different incidents. These attacks resulted in:
- Large amounts of Protected Health Information (PHI) and other sensitive data being stolen
- Electronic Health Records (EHRs) being rendered temporarily inaccessible and in some cases permanently lost
- Delayed procedures, tests, and treatment
Connected medical devices are vulnerable
Over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk, according to a new report from the healthcare cybersecurity company Cynerio. The report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform.
The most common type of internet-connected device in hospitals was an infusion pump. These devices can remotely connect to electronic medical records, pull the correct dosage of a medication or other fluid, and dispense it to the patient. Infusion pumps were also the devices most likely to have vulnerabilities that could be exploited by criminals—73% were found to have a vulnerability. Experts worry that breaches into devices like these, which are directly connected to patients, could be used to hurt or threaten them directly.
The more worrying threat is from ransomware groups that break into hospital systems through a vulnerable device and lock up the hospital’s digital networks—leaving doctors and nurses unable to access medical records, devices, and other digital tools—and demand a ransom to unlock them.
Lack of authentication creates man-in-the-middle risks
Another report from Kaspersky Labs found 33 vulnerabilities in the most widely used data transfer protocol for internet of things (IoT) medical devices, known as MQTT. These vulnerabilities were 10 more than the previous year, putting patient data at risk.
MQTT is a common solution in most IoT gadgets, including medical devices. As the Kaspersky researchers point out, authentication isn’t required, and encryption is sparse, making devices with MQTT exposed to man-in-the-middle attacks and data theft.
Healthcare organizations need to invest in machine identity management
The wide range of threats that healthcare organizations are facing demands a quick response. As a result, healthcare entities are investing in cybersecurity solutions. According to the most recent study by Global Market Insights, the healthcare cybersecurity market size is anticipated to hit a record valuation of $35.5 billion by 2027. Among all security controls, medical device security accounts for 21.5% of the total investments. This increased investment is driven by two factors—the expanded attack surface and regulatory compliance.
The best way to secure medical devices is through comprehensive machine identity management. Machine identities identify and authenticate the various connected devices to the organization’s network. Using a unique identity for every connected device, healthcare organizations can validate the authenticity of the device and ensure the integrity of its communications with other medical devices.
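As an added illustration (not code from this post or from Venafi), the Go program below shows the device check described here, which is also the missing piece in the MQTT picture above: a broker or gateway admits a device only when the certificate it presents chains to a hospital-run device CA, is still within its validity period, and is marked for client authentication, so an anonymous client or an impostor with a self-signed certificate is refused. The CA and device names, the in-memory keys and the 24-hour lifetime are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent, or self-signed when parent is nil. Keys are
// generated in memory only so the example runs stand-alone; a real fleet keeps them in an HSM.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), // short-lived
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, BasicConstraintsValid: true, IsCA: isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// deviceTrusted is the check a broker or gateway runs on a connecting device: the presented
// certificate must chain to the hospital's device CA, be valid at time at, and be marked for client
// authentication. A rogue self-signed certificate fails even if it copies a real device's name.
func deviceTrusted(ca, presented *x509.Certificate, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, caKey := issue("hospital-device-ca", true, nil, nil) // constructed names
	pump, _ := issue("infusion-pump-001", false, ca, caKey)
	fmt.Println("pump trusted now:", deviceTrusted(ca, pump, time.Now()))
}
```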
To reap the benefits of machine identities, the corresponding private keys must be protected. Using a Hardware Security Module (HSM) is the best way to provide tamper-proof, hardware-based protection of the private keys. If a private key is compromised, the whole machine identity structure collapses like a sandcastle.
In addition to having secure and robust machine identities, healthcare organizations need to validate the authenticity and integrity of the software running on connected medical devices. The code signing process verifies that a software component is valid and authenticates the identity of the developer. Code signing also demonstrates that the code has not been changed or tampered with since it was released.
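An added example (not code from this post or from Venafi) of the check a device would run on a firmware update before installing it, in Go: the vendor signs a digest of the image with an Ed25519 key, and the device verifies it against the pinned vendor public key, so an altered image or one signed by any other key is rejected. The example also goes slightly beyond the paragraph by refusing a signed but older build; the key pair and image bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedUpdate is the package a device receives: image bytes plus the vendor's signature.
type SignedUpdate struct {
	Version   uint32
	Image     []byte
	Signature []byte // Ed25519 signature over digest(Version, Image)
}

// digest binds the version to the image bytes so neither can be swapped on its own.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	binary.Write(h, binary.BigEndian, version)
	h.Write(image)
	return h.Sum(nil)
}

// Sign is the vendor's release step. In production the private key stays inside an HSM
// and only the digest is sent to it; here the key is in memory so the example runs alone.
func Sign(vendorKey ed25519.PrivateKey, version uint32, image []byte) SignedUpdate {
	return SignedUpdate{Version: version, Image: image, Signature: ed25519.Sign(vendorKey, digest(version, image))}
}

// Verify is what the device runs before installing. It rejects an image that was altered or
// signed by any key other than the pinned vendor key, and one that is not newer than the
// installed version, so a signed but outdated build cannot be pushed back onto the pump.
func Verify(vendorPub ed25519.PublicKey, installed uint32, u SignedUpdate) error {
	if !ed25519.Verify(vendorPub, digest(u.Version, u.Image), u.Signature) {
		return errors.New("signature invalid: image altered or not signed by the vendor")
	}
	if u.Version <= installed {
		return fmt.Errorf("version %d is not newer than installed version %d", u.Version, installed)
	}
	return nil
}

func main() {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	fmt.Println(Verify(pub, 1, Sign(key, 2, []byte("constructed pump firmware image"))))
}
```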
Venafi Trust Protection Platform is the machine identity management solution that will allow healthcare organizations to reap the benefits of IoT devices while protecting TLS keys and certificates, SSH keys, and code signing keys across their enterprise. The Trust Protection Platform powers enterprise solutions that give you the visibility, intelligence, and automation to protect machine identities throughout your organization. To learn more, contact one of our experts.