Don’t Wait on DC: Why Healthcare Organizations Need to Beef Up Cybersecurity Now

An acceleration in digital technology adoption is making better cyber preparation more important than ever
Sept. 19, 2025
5 min read

Key Highlights

In the new, hyper-connected data environment, older strategies such as network segmentation are, on their own, increasingly ineffective against cyber attacks.

Those attacks are increasing in volume and intensity, leaving patient care organizations more vulnerable than ever before.

CISOs need to work with all the key stakeholders in their organizations to develop new strategies, especially around medical devices. AI tools can help.


Imagine this: A hospital facilities manager decides to buy a smart thermostat—not an atypical scenario given how ubiquitous, affordable, and easy-to-install the devices are these days. Without giving it much thought, they go to Amazon.com, order one with good reviews, and install it in their facility.

While the employee thinks they have found a cost-effective way to improve operations, they have unwittingly exposed the entire organization to a potential cyberattack that could eventually cost hundreds of millions of dollars, compromise equipment like medical imaging or oxygen delivery systems, and jeopardize sensitive patient data.

Every business now faces significant cyber risk, but few face as much as healthcare organizations. Attacks rose 32 percent last year, according to an industry study, more than in any other sector. This is partly due to chronic underinvestment in cybersecurity and a lack of preparedness at organizations that hold a trove of valuable, confidential data.

After major breaches at Change Healthcare, Ascension Health and other organizations, regulators and lawmakers are angling to put new compliance requirements on the industry. Yet with the uncertainty in Washington D.C., the fate of these efforts, including the HIPAA Security Rule changes the Biden administration proposed at the end of 2024, is unknown.

Healthcare leaders shouldn’t wait for the federal government to act first. Here is what many organizations are missing about the current threat landscape, and the strategies they must adopt to mitigate it.

Identify failing investments

According to a recent Deloitte survey of C-suite executives in the healthcare industry, 90 percent expect to accelerate their organization’s use of digital technology, including new IoT and OT devices. But the advanced solutions they’re investing in are outpacing cybersecurity defenses designed to protect legacy systems.

For example, organizations continue to rely on classic techniques like segmenting systems from the network, which on their own increasingly fall short in today’s hyper-connected environments. Segmentation only holds if every device actually sits in the segment the diagram says it does and cannot reach anything else; a smart thermostat that has Internet access and a route into the clinical network quietly erases that boundary. Hackers compromise the Internet-connected device and pivot from it to the sensitive patient data the organization believed was protected.

And the vulnerabilities are everywhere, including in the supply chain. Device manufacturers often source components from all over the world, providing ample opportunity for nefarious actors; in some instances, products are compromised before they even reach the customer. Manufacturers may also ship devices with default credentials, omit basic encryption, or never issue critical patches.

What healthcare organizations need are modern tools and techniques to defend themselves. For example, AI is quickly amplifying the ability to detect abnormal behavior on the network, such as a device talking to a host it has never talked to before, with greater speed and precision. It can help scour the dark web for stolen credentials, or let junior analysts take on more responsibility, easing the pressure on overworked security teams.

Healthcare organizations will never be able to patch every vulnerability, but AI can help direct professionals to the most pressing threats: the flaws that are actually reachable and that sit on the systems that matter most. A stronger defense is necessary, but it cannot by itself overcome the cultural challenges that continue to undermine security.
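The thermostat scenario above, and the behavioral detection this section describes, as an added example that is not part of the original article or Nozomi Networks’ products. It learns, per device, the destinations and ports seen during a baseline window, then flags live flows that deviate, ranking a never-before-seen external host and a hop from the facilities zone into the clinical zone above an ordinary new internal peer. The inventory, addresses, zone names and flow records are all constructed for the illustration; a real deployment would feed it NetFlow or Zeek connection logs and its own asset inventory.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed asset inventory for this illustration (not real hospital data):
# address -> (device name, network zone). The zone is the segment the device was
# placed in at deployment; "clinical" holds imaging and other care systems.
INVENTORY = {
    "10.20.1.50": ("smart-thermostat-3f", "facilities"),
    "10.20.1.10": ("bms-server", "facilities"),
    "10.20.0.5": ("ntp-server", "infrastructure"),
    "10.30.5.20": ("pacs-server", "clinical"),
    "10.30.5.21": ("ct-scanner-1", "clinical"),
    "10.30.5.40": ("radiology-workstation", "clinical"),
}

# Address ranges the organization owns (assumed); anything outside them is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Flow records as (src, dst, dst_port), constructed for the example.
# BASELINE_FLOWS stands in for a learning period of normal traffic;
# LIVE_FLOWS is the window being evaluated.
BASELINE_FLOWS = [
    ("10.20.1.50", "10.20.1.10", 47808),  # thermostat -> BMS (BACnet)
    ("10.20.1.50", "10.20.0.5", 123),     # thermostat -> NTP
    ("10.20.1.10", "10.20.1.50", 47808),  # BMS polls thermostat
    ("10.30.5.21", "10.30.5.20", 104),    # CT scanner -> PACS (DICOM)
    ("10.30.5.40", "10.30.5.20", 104),    # workstation -> PACS (DICOM)
]

LIVE_FLOWS = [
    ("10.20.1.50", "10.20.1.10", 47808),  # normal
    ("10.20.1.50", "10.20.0.5", 123),     # normal
    ("10.20.1.50", "203.0.113.7", 443),   # thermostat -> host nobody has seen before
    ("10.20.1.50", "10.30.5.20", 445),    # thermostat -> PACS over SMB
    ("10.30.5.21", "10.30.5.20", 104),    # normal
]


@dataclass(frozen=True)
class Finding:
    device: str
    src: str
    dst: str
    dst_port: int
    reason: str


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the organization's own ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Learn, per source address, the set of (destination, port) pairs it used
    during the baseline window. This is the 'normal' each device is held to."""
    baseline = {}
    for src, dst, port in flows:
        baseline.setdefault(src, set()).add((dst, port))
    return baseline


def detect_anomalies(baseline, flows, inventory=INVENTORY):
    """Return one Finding per live flow that deviates from the learned baseline,
    labelled by the kind of deviation: a brand-new external destination
    (possible command-and-control), a hop from a non-clinical zone into the
    clinical zone (possible pivot), or merely a new internal peer."""
    findings = []
    for src, dst, port in flows:
        if (dst, port) in baseline.get(src, set()):
            continue  # matches learned behaviour, nothing to report
        device, src_zone = inventory.get(src, (src, "unknown"))
        _, dst_zone = inventory.get(dst, (dst, "unknown"))
        if not is_internal(dst):
            reason = "new external destination"
        elif dst_zone == "clinical" and src_zone != "clinical":
            reason = f"cross-zone traffic from {src_zone} into clinical"
        else:
            reason = "new internal peer"
        findings.append(Finding(device, src, dst, port, reason))
    return findings


if __name__ == "__main__":
    for f in detect_anomalies(build_baseline(BASELINE_FLOWS), LIVE_FLOWS):
        print(f"{f.device} ({f.src}) -> {f.dst}:{f.dst_port}: {f.reason}")
```

Run against the constructed data, the two normal thermostat flows and the scanner-to-PACS flow are silent, while the thermostat’s connection to 203.0.113.7 and its SMB attempt against the PACS server are each reported. Two caveats a practitioner would add: a baseline learned while a device is already compromised simply teaches the detector that the beaconing is normal, so the learning window has to be validated against the inventory and the device’s documented protocols; and the cross-zone rule only fires if the inventory’s zone labels are accurate, which is exactly the inventory the article says many CISOs do not have.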

Lead from the top

Before healthcare leaders allow any employee to plug a device into their networks they must ask themselves: How will this affect my cybersecurity posture?

Very few do, because they are focused on outcomes. They want AI and automation to drive up productivity and efficiency, and drive down costs. Leaders aren’t preparing for the impact each individual investment will have on their organization’s overall cybersecurity maturity. And many Chief Information Security Officers struggle even to understand all the systems and devices in use.

New requirements may eventually be imposed on healthcare organizations, but those additional compliance measures won’t be enough to turn the tide. In fact, reporting requirements can actually introduce new cyber risks by forcing companies to connect previously isolated systems to the corporate network, injecting new vulnerabilities.

Take a proactive approach

CISOs and other healthcare leaders must:

Understand their organization’s unique cyber maturity: Start with an inventory. Pinpoint the priority data and systems, the endpoints they connect to, and the paths between them. Secure those first, and work outward from there.

Collaborate with other leaders in facilities: Work more closely with facilities managers and every other role that buys or manages devices connecting to the organization’s network, so that nothing is plugged in without security’s knowledge.

Work with device manufacturers: Ask for a patching and support lifecycle before buying, keep firmware up to date, and make sure no device goes live with default passwords.

Deploy more capable defense measures: Invest in modern cybersecurity tools, and mitigate human error by mandating two-factor authentication.

This doesn’t mean starting from scratch. Instead, healthcare leaders can use new investments to improve existing technologies and fill gaps in the strategy. An initial investment might be needed upfront to get the data from these environments, but the improved intelligence will help to amplify the overall value of the existing toolset.

Vulnerabilities will never go away, but with a proactive approach to securing IoT and OT, healthcare leaders can manage the risk and keep their operations protected. Then, when regulations eventually come, they’ll be ready.

Andrea Carcano is co-founder and CPO at the San Francisco-based Nozomi Networks, a leader in OT & IoT security for critical infrastructure.
