Cybersecurity in healthcare: connectivity of medical devices


Many organizations face cybersecurity challenges amid digital transformation, including cyberattacks, malware, and ransomware. Cyberattacks continued to rise in 2022, with a 42 percent increase in weekly cyberattacks globally in the first six months of the year.[1]

Healthcare is one of the most targeted industries for cyberattacks, with hospitals the victims in 30% of large data breaches.[2] Healthcare organizations acquire and maintain a vast amount of data, and attackers may hold these organizations to ransom by disabling or encrypting critical data or systems. The industry has experienced a surge in attacks due to its willingness to pay the ransom and the value of patient records.[3] Healthcare data breaches increased 84.1% over a period of 3 years, from 386 in 2019 to 711 in 2021.[4]

Understanding the cost of cyberattacks in healthcare

The cost of cyberattacks in the healthcare industry averages $10.1 million per breach, according to IBM’s Cost of a Data Breach 2022 report.[5] This is a 10 percent increase from 2021 and a 42 percent increase from 2020.4

Because the healthcare sector is typically slower to react than other industries, it requires building data security into its infrastructure. Furthermore, personal health information is worth at least ten times more than financial information on the black market.5

According to a survey of IT professionals, more than one-third of healthcare organizations reported being impacted by ransomware in 2020.6 The use of ransomware against healthcare providers continues to rise, with a 45 percent increase in a two-month span.[6]

Ransomware infects systems and files, making them inaccessible until a ransom is paid. These attacks negatively impact patient care and hospital operations, with interruptions in services. If hospitals are forced to revert to manual systems, clinicians have little to no visibility of a patient’s history and information as they’re being treated.

Securing connected medical devices in a healthcare network

Healthcare infrastructure relies heavily on the digital connectivity of medical devices, such as medical imaging systems. Newer imaging systems are typically designed with security measures built in. However, medical devices often stay in operation despite outdated serviceability, which could create exploitable weaknesses for attackers. Securing medical devices is critical to protecting hospital and health networks’ security, as well as patient privacy, health information, and potentially even patient safety.

Connected medical devices in the healthcare delivery system represent a significant potential entry point for cyberattacks, yet these devices are not always included in a hospital’s information technology structure and security planning. Today, they represent important clinical assets to be secured, as these and other connected medical devices in hospitals work within a single network and can be an access point for a breach. Even as automation, interoperability, and data analytics improve these devices, their vulnerability to malicious cyberattacks increases.

“Maintaining cybersecurity in healthcare is a growing problem, and our customers across the globe are challenged,” said Sher Baig, Senior Director of Global Cyber Product Commercialization for GE HealthCare. “Healthcare continues to be targeted, and hospitals are challenged from a resourcing perspective and in securing the growing number of connected medical devices on their networks. We are connecting a lot of data and opening a world of opportunities in terms of how we use that data for precise and efficient care. But there is increasing stress on the healthcare infrastructure that requires constant attention to prevent cyberattacks.”

Reducing vulnerabilities in connected medical devices within a health system

One of the first ways to address cybersecurity in healthcare and radiology is to be proactive. Improving risk posture means ensuring that each connected medical device works in tandem with a healthcare organization’s overarching security plan. A comprehensive plan should have security controls embedded at technical, operational, and management levels to protect the device, the data, and the network. The end goal is to minimize the vulnerabilities in medical imaging device connectivity with a system of security controls and risk management tools at each point in the life of the device, from operational use and support through the end of product life.

It can be challenging for hospitals and health systems to find and retain cybersecurity experts on staff, especially since The Great Resignation began in 2021, according to the Information Systems Audit and Control Association (ISACA).[7] Many companies are competing for a limited number of qualified professionals, and cybersecurity experts are in high demand. This has created a perfect storm for healthcare organizations, as they are already struggling to keep up with increasing cybersecurity threats while also trying to meet other demands on staff resources. In an ISACA survey, 20 percent of respondents said it takes more than six months to find qualified cybersecurity candidates for open positions.8 Finding cybersecurity experts who also have expertise in securing connected medical devices may take even longer.

“There are varying cybersecurity needs across industries,” explained Baig. “But true cybersecurity experts are a small community. For hospitals, it can be difficult to attract and retain these experts. At GE HealthCare, our goal is to take this challenge off our customers’ plates. We continue to invest in our resources and build our expert staff with up-to-date certifications and education. Additionally, we expand our cyber solutions and capabilities to stay ahead of what’s happening in the industry.”

In addition to staffing challenges, factors like budget constraints, healthcare consolidation, or other projects redirect funding that would otherwise be utilized to update or upgrade outdated medical devices still in use. Therefore, facilities must continually assess their risk by maintaining inventory records on all imaging devices and consistently conducting security reporting.

Partnering to improve risk management with cybersecurity

Planning for the security of all connected medical devices is a top priority, and monitoring cyber threats is an ongoing challenge. Collaborative work between departments, such as radiology and cybersecurity teams, is needed to educate the broader staff about protecting devices from sophisticated cyber threats. Hospitals need in-house staff with expertise in medical devices and medical device security who can identify vulnerabilities that may exist, or identify and contain a potential breach.

According to the IBM report, it takes about 280 days to identify and contain a breach.4 Due to the many staffing challenges of having an in-house cybersecurity team that can manage and secure the hospital’s infrastructure along with connected medical devices, many health systems are working with an external partner to manage cybersecurity efforts for connected medical devices.

Outsourcing cybersecurity to the right partner is key to minimizing vulnerabilities in a healthcare system. While there is no guaranteed solution that will protect any healthcare system 100 percent, working with a partner that can offer a vendor-neutral solution is crucial. Industry leaders, such as GE HealthCare, are providing comprehensive solutions to analyze the hospital’s network, identify any security gaps and vulnerabilities, and recommend remediations for any networked medical device that is operational or under a service contract. Once a security plan is established, the hospital’s network is monitored continually for threat detection, including guidelines to ensure that each connected medical device works in tandem with the healthcare organization’s overarching plan.   

Healthcare providers can rely on these external cybersecurity experts for continuous security monitoring, gaining added confidence that they will detect breaches quickly and minimize service interruptions. Expert industry partners in cybersecurity, such as GE HealthCare, work with customers to develop a comprehensive cybersecurity plan in alignment with the hospital’s own security plan. This plan would include security controls embedded at the device, operational, and management level to protect the hospital’s connected medical systems, the data, and the network.

Collaborating for sustainable cybersecurity protection

Healthcare continues to rely on important data from connected medical devices to improve health outcomes. Simultaneously, more data also increases potential cybersecurity risks, and healthcare continues to be the target of sophisticated cyberattacks. Without adequate security, connected medical devices can be vulnerable to security breaches. While cyber threats cannot be eliminated, identifying security gaps and continuously monitoring the network are key actions to reduce vulnerabilities. Working with an external partner to provide expert monitoring and cybersecurity management can help to navigate this especially challenging environment. The healthcare environment is complex, and manufacturers, hospitals, and facilities must work together to manage cybersecurity risks.

 


 

DISCLAIMER

Not all products or features are available in all geographies. Check with your local GE HealthCare representative for availability in your country.

 

REFERENCES

[1] Check Point Research. 2022 Cyberattack trends: Mid-year report. Checkpoint.com. https://pages.checkpoint.com/cyber-attack-2022-trends.html. Accessed January 19, 2023.

[2] https://www.beckershospitalreview.com/cybersecurity/midsize-hospitals-lose-more-than-45k-an-hour-in-cyberattacks-report-finds.html

[3] Dickerson S. Why is healthcare a top target for cybersecurity threats? Securitymagazine.com. Published 2022.  https://www.securitymagazine.com/articles/98324-why-is-healthcare-a-top-target-for-cybersecurity-threats#:~:text=Healthcare%20organizations%20have%20experienced%20a,lives%2C%20which%20bad%20actors%20exploit. Accessed January 19, 2023.

[4] https://www.beckershospitalreview.com/cybersecurity/top-10-healthcare-organization-types-most-likely-to-have-their-data-breached.html

[5] IBM Security. Cost of a data breach report 2022. IBM.com. https://www.ibm.com/downloads/cas/3R8N1DZJ. Accessed January 19, 2023.

6 Sophos. The state of ransomware in healthcare 2021. Sophos.com. https://assets.sophos.com/X24WTUEQ/at/s49k3zrbsj8x9hwbm9nkhzxh/sophos-state-of-ransomware-in-healthcare-2021-wp.pdf. Accessed January 19, 2023.

[6] Davis J. Healthcare accounts for 79% of all reported breaches, attacks rise 45%. HealthITsecurity.com. Published 2021. https://healthitsecurity.com/news/healthcare-accounts-for-79-of-all-reported-breaches-attacks-rise-45. Accessed January 19, 2023.