19 January 2023
Do you know where your cyber vulnerabilities are?
In 2022, healthcare organisations have continued to be plagued by cyberattacks.
It was recently revealed by OAIC that health service providers have suffered more data breaches than any other sector in Australia, with 51% more breaches hitting them in the first half of 2022 than the second-placed finance sector. However, data breaches are not the only cyber threat facing the healthcare sector.
Digital transformation trends, including the internet of things (IoT), the internet of medical things (IoMT) and IT/OT convergence (the merging of information technology and operational technology) have enabled healthcare providers to deliver more efficient and effective services and care to their patients.
However, these technologies have also dramatically increased the attack surface in healthcare providers, opening them up to a variety of ransomware, malware and DDoS attacks. As technology continues to transform the healthcare industry, real-world threats will become more pronounced in the cybersecurity space.
Supply chain vulnerabilities are a piece of the vulnerability puzzle
In March 2022, Forescout’s Vedere Labs published Access:7 a cybersecurity research report that identified more than half a dozen vulnerabilities that affected more than 100 device manufacturers. These vulnerabilities were related to Axeda, a remote access and management solution for connected devices, which had been integrated into more than 150 different medical and IoT devices – predominantly impacting healthcare organisations.
Supply chain risks can emerge as a result of one vendor integrating vulnerable software from another vendor. It can be very difficult for an organisation to gain visibility into these risks, but organisations can focus on maintaining visibility in their own environment to play their part, as cybersecurity is still evidently remaining an afterthought for many healthcare organisations.
Creating a defence that is as strong as possible
Ultimately, healthcare organisations need to take responsibility for their own cybersecurity. Digital transformation has created complex IT/OT environments that span IT systems, medical devices and IoT devices, such as security cameras, HVAC, and building automation systems demonstrating that the threats have grown to a point multiple departments need to share this responsibility.
The good news about risk management is that the little things can make a big difference. That means embracing the fundamentals. Developing an asset inventory, discovering and remediating misconfigurations and patching vulnerabilities will go a long way to reducing risk.
Not all cyber risks can be remediated, such as legacy devices that can’t be patched. In these cases, organisations should prioritise mitigation techniques to minimise the attack vector. Proper segmentation of medical assets is one of the single best ways to mitigate and reduce the most amount of risk. Just observing vulnerability management is not enough. For example, if a critical medical asset has a critical vulnerability on it, but the device has been properly segmented and cannot be reached to exploit the vulnerability, then the reality is the risk is low and we should be paying more attention to other assets which can still be exploited.
For healthcare organisations, there are three key factors that can be implemented to prioritise the risk of their medical devices. They are:
- Asset criticality: What is the importance of this device to healthcare delivery? For example, if an infusion pump is tampered with to change the dosage being dispensed or is taken offline, this could have fatal consequences.
- Dominant risk: What is the highest potential impact to your organisation? For example, an outage of all your imaging systems could result in hundreds of thousands of daily dollars of lost revenue.
- Auxiliary risk: What is the surrounding exposure of the attack surface? For example, can an attacker move laterally to and from this asset?
Cyberattacks will not slow down, and for healthcare organisations, the risk is even more prominent and dangerous than in other sectors. As cybersecurity becomes front of mind for healthcare organisations, it is important that all devices and endpoints are properly assessed for vulnerabilities. Risk management provides a strong solution for the healthcare sector to improve in its current state, something much needed as the sector continues its digital transformation.
Dave Patnaik is Asia Pacific & Japan head of Forescout.