Experience OT & IoT Cybersecurity from the Endpoint to the Air at RSAC 2024
Meet Us at RSA
Academy
Labs
Careers
Partner Login
Support
search bar
A Guide to Healthcare Cybersecurity

A Guide to Healthcare Cybersecurity

by
Nozomi Networks
|
March 21, 2023

Today, hospitals and other healthcare organizations face cybersecurity threats that put both patient safety and operations at risk. This guide is intended to help security professionals, facilities managers and healthcare practitioners better understand their cybersecurity challenges and how to overcome them.

Table of Contents

  1. What Is Healthcare Cybersecurity?
  2. Why Is Securing Healthcare Facilities & Hospitals Important?
  3. High-Profile Hospital Cyberattacks
  4. Challenges Faced by Healthcare Cybersecurity Teams
  5. Recommendations
  6. Healthcare Cybersecurity Resources

What Is Healthcare Cybersecurity?

Healthcare cybersecurity is the process of applying a variety of prevention, detection and response strategies to protect hospitals or other healthcare facilities from cyberattacks to ensure patient safety, business continuity, protection of confidential data, and compliance with industry regulations.

Why Is Securing Healthcare Facilities Important?

Because they are classified as critical infrastructure, healthcare facilities and hospitals are attractive targets for bad actors. Cyberattacks have been identified as the top threat in many healthcare systems’ annual hazard vulnerability analyses (HVA).

To protect themselves from cyberattacks that could directly impact the health and safety of patients and the community, hospitals and healthcare facilities should adopt proactive protection measures for their connected cyber-physical systems.

High-Profile Hospital Cyberattacks

These are a few of the noteworthy cyberattacks on hospitals since 2020:

  • In March 2020, a malware attack on a Fortune 500 healthcare provider based out of Pennsylvania resulted in 250 hospitals losing use of their systems for three weeks.
  • In November 2020, a university-based healthcare network in Vermont was targeted by a cyberattack which disrupted 5,000 systems and resulted in 300 staff being furloughed. The attack was estimated to cost $1.5 million per day.
  • In August 2021, dozens of hospitals in West Virginia and Ohio shut down operations for days due to a ransomware attack.
  • In April 2022, a cyberattack on a large Dallas-based healthcare company resulted in significant outages that cost the company over $100 million in lost revenue.
  • In October 2022, a ransomware attack hit the fourth-largest US-based healthcare system with 140 affiliate hospitals. The attack led to delays in surgeries and other patient operations.
  • In December 2022, a ransomware attack at French hospital resulted in a data leak and disruption of operations.

Our latest security research reveals that healthcare is one of the most targeted industries in 2022 due to the sensitive nature of their data and dependence of critical systems for operations. It was also one of the top 5 most vulnerable sectors.

Top 5 sectors affected by disclosed vulnerabilities
Most Vulnerable Sectors in the Second Half of 2022

Aside from the broader threats of ransomware and other malware attacks, we expect in 2023 that, apart from using scanners to exploit vulnerabilities, threat actors will access medical systems used to aggregate device data for broader intelligence collection.

You can access our complete findings in the report below.

OT Secur
Download Now

Deep Look into the ICS Threat Landscape

Insights from our custom honeypots on how malicious botnets are attempting to access Internet of Things (IoT).

Most vulnerable industries, statistics on vulnerable products, and most exploited vulnerability types following Common Weakness Enumeration (CWE) classifications.

What Challenges Do Healthcare Cybersecurity Teams Face?

Legacy Technologies

Many hospitals rely on legacy technologies which are expensive to replace and extremely vulnerable to cyberattacks because of a growing list of publicly disclosed common vulnerabilities and exposures (CVEs). Many of these systems use outdated operating software, like Windows XP and Windows 7, with limited options for applying critical patches and updates across widely distributed, heterogenous and unmanaged deployments.

To mitigate these risks, cybersecurity teams should limit network connectivity to these devices as much as possible and put strong preventive measures in place, including identifying and baselining to monitor legacy systems for anomalous activity, and enabling user-based controls, including MFA.

Connected Facilities & IoMT

At the same time cybersecurity teams are struggling to protect vulnerable legacy devices, newer, IP-connected devices, including IoMT devices, BAS systems, HVAC, elevators, CCTV, physical security systems and more, have made their way onto the scene.

These newer, unmanaged devices also provide a potential entry point to disrupt hospital operations, disable physical safeguards or pivot through the network to other areas of the business. To ensure cyber and operational resilience, healthcare security practitioners and facilities managers need a single source of visibility into this expanding device landscape. Here’s an example of the types of systems and devices that contribute to a patient’s experience in a modern hospital.

Connected cyber-physical systems in a hospital.
Connected cyber-physical systems in a hospital.

It’s clear that IoMT and building automation systems (BAS) create a positive and safe patient experience, which is why it’s so important to protect them with holistic prevention, detection, and response security controls.

Getting Executive Support for Cybersecurity Projects

As we see above, healthcare organizations have embraced connected technologies to improve patient outcomes and facility efficiencies. However, they lag in cybersecurity investments and expertise compared to other industries. Boards and executives at healthcare organizations often view cybersecurity as yet another operating cost, when it should be seen as a risk reduction investment.

If we take the example from above about the cyberattack on the Dallas-based healthcare system, we can see that in their Q2 earnings report, the company disclosed the financial impact of the attack, with quarterly earnings down approximately $100 million. When framing cybersecurity investments at the executive level, it’s important to reference concrete examples of the potential cost of a cyberattack and compare that to the investment into security talent and technologies.

The Cybersecurity Talent Shortage

The view of cybersecurity as an expense has led to another challenge facing healthcare systems, the shortage of security talent. Organizations in sectors that prioritize security spending like technology, financial services and energy are better positioned to win the battle for talent. They offer more attractive compensation packages with better career advancement opportunities, including the chance to work with the latest and greatest cybersecurity tools and technologies. Healthcare organizations tend to not offer these perks, so aren’t the first choice for talented job seekers.

Complex Compliance Requirements

Data privacy and security regulations are more restrictive in healthcare, and with good reason. Beyond the financial implications, patient safety can be put at risk if a healthcare organization experiences a cyberattack, so there is less room for error.

The most well-known regulation in the United States is the Health Insurance Portability and Accountability Act, or HIPAA. HIPAA is a series of US federal laws signed into effect in 1996, with the purpose of regulating the disclosure and protection of health information in the country. One shortcoming of the HIPAA rules is that they focus heavily on data breaches and don’t consider how the cyber-physical threat landscape has evolved over time. It wouldn’t be surprising to see HIPAA rules expand in scope in the future.

In Europe, the NIS2 Directive published in 2022 also designates health as an Essential Entity. Although enforcement levels and prescriptive controls will vary by country, the NIS2 Directive sets the baseline for cybersecurity risk management measures and reporting obligations across Europe for all sectors that are covered by the directive.

Nozomi Networks Doc Thumbnail Template 1200x628 copy
WATCH NOW

Building and Managing a Complete Asset Inventory in Healthcare Facilities

Watch this demo video to see how Nozomi Networks’ platform helps healthcare cybersecurity teams build and manage a complete asset inventory, including IoMT, IoT and building management devices, to detect and protect facilities from cyber and operational threats.

Healthcare Cybersecurity Recommendations

While the scope of mandatory compliance regulations differs by country, a robust cybersecurity program should cover every connected device and system, including building automation systems, medical and IoT devices, and energy systems.

We recommend using the NIST Cybersecurity Framework as a high-level best practice guide, especially for those just beginning to understand what good looks like in cyber, because of its straightforward language and comprehensive view. Every good cybersecurity program should include protective measures (Identify and Protect), detection methods (Detect) and incident response playbooks and plans (Respond and Recover).

Below, we provide our recommendations based on each of the five Functions of the NIST CSF specifically for the healthcare sector.

The 5 Functions of the NIST Cybersecurity Framework
The 5 Functions of the NIST Cybersecurity Framework

Identify

Good security starts with great visibility. As hospitals integrate a growing number of IoT, BAS and operational technology (OT) devices into their healthcare and facility systems, implementing an automated asset inventory management tool will make this process simpler. Look for a tool that allows you to see your entire healthcare ecosystem and its risks in one place to prioritize risk mitigation efforts that keep patients safe and facilities running.

Protect

Healthcare cybersecurity teams should invest in strong identity & access management and network segmentation, as well as security awareness training for their employees. Creating a culture of cybersecurity is critical to the continued success of your efforts.

Detect

To detect a potential cybersecurity event, you should monitor both network traffic and device baselines. Choose a detection solution that combines multiple types of threat detection and supports a wide range of IT, OT and IoT protocols for the broadest level of coverage. It should also provide detailed threat indicators, such as Yara rules, packet rules, STIX indicators, threat definitions and vulnerability signatures.

Respond

Develop and implement a plan for responding to cybersecurity incidents, including procedures for finding and isolating affected devices and systems and communicating about the incident to relevant parties.

When a potential cybersecurity event is detected, your threat detection solution should be able to group alerts into incidents, providing security and operations staff with a consolidated view. It should also offer contextual and actionable information, like IR playbooks and threat intelligence, to respond quickly.

Recover

Create and practice a recovery plan to restore impacted services and communicate to employees and the public about what happened and how you are fixing it. Your asset inventory management solution should support fast forensic analysis to help you restore impacted operations by providing up-to-date asset profiles along with a time frame of when devices were impacted so that you can quickly restore them to their known good state.

It’s important to continually test both your response and recovery plans with penetration testing and/or purple team exercises to improve defensive training and assess current performance levels.

Healthcare Cybersecurity Resources

Securing hospitals and healthcare facilities is a complex challenge. That’s why we created our resource library which provides guidance and solutions for today’s cybersecurity challenges. We hope these resources supply helpful information to support your overall cyber resilience strategy.

Ready to anticipate, diagnose and respond to cyber risks? Learn more about our IoT security solution, Vantage here.

How the Nozomi Networks Solution Supports NIST CSF 2.0 Compliance

This mapping guide describes how Nozomi Networks can help you implement the NIST Cybersecurity Framework to manage risk.
View Resource
No items found.
No items found.
Nozomi Networks
ABOUT THE AUTHOR

Nozomi Networks

Nozomi Networks protects the world’s critical infrastructure from cyber threats. Our platform uniquely combines network and endpoint visibility, threat detection, and AI-powered analysis to minimize risk and maximize resilience.

RELATED POSTS

How AI & ML Are Transforming OT Cybersecurity

Combining Passive and Active Detection in OT and IoT to Enhance Cyber Resilience

How to Navigate Cyber & Operational Risk Conversations with Your Board

ISA/IEC 62443 Explained: Best Practices for IACS Cybersecurity

Subscribe

LinkedIn

Demo

PLATFORM

Platform OverviewVantageCentral Management ConsoleGuardianGuardian AirArcAsset IntelligenceThreat IntelligenceSmart PollingPSIRT

Professional Services

OverviewDesignDeploymentFast TrackOptimizationProject Management

Solutions: Business needs

Threat Detection & ResponseContinuous Network MonitoringAsset Inventory ManagementRisk & Vulnerability ManagementIoT SecurityData Center Cybersecurity

Solutions: Compliance

NERC CIPNIS2 DirectiveTSA Security Directives

Solutions: Industry

AirportsElectric UtilitiesHealthcareFederal GovernmentManufacturingMaritimeMiningOil & GasPharmaceuticalRailRetailSmart CitiesWater & Wastewater

Learn

PartnersResourcesCompanyContact UsAcademyCareersLabsLegal
© 2024 Nozomi Networks Inc. All Rights Reserved. Privacy Policy and Certifications. System Status.