Protecting Patient Safety in the Face of Ransomware Attacks

By Jim Hyman, CEO, Ordr
Twitter: @ordrofthings

Cyberattacks have crossed a critical threshold, and the risks have evolved from merely causing financial loss and damage to physical systems, to affecting people’s health and safety. Not long ago that statement might have been considered hyperbole, but now it is a stark reality. A lawsuit claims that a 2019 ransomware attack resulted in diminished capabilities that kept a hospital from detecting and preventing a situation that led to an injury and, eventually, the death of a baby. That story aligns with the findings of a Ponemon Institute study that found healthcare organizations affected by cyberattacks experienced a subsequent 20% increase in mortality rates.

Patience Wearing Thin

And recently NBC News covered a similar study by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), while telling the stories of patients whose quality of care may have been diminished because of cyberattacks.

  • At a hospital in Iowa, a 3-year-old patient suffered a non-fatal overdose on medication that was five times more potent than needed following tonsil surgery. The computer that normally calculates dosage was not working because of a cyberattack.
  • Following a cyberattack, another patient at a hospital in western Washington State described enduring pain because of months-long delays in scheduling surgery to remove an ovarian cyst.

In both cases the people involved said they “blamed the hackers” and not the hospitals. Yet not everyone is as patient with hospitals and other healthcare providers as attacks against the industry increase. Senator Ron Wyden recently told MIT Technology Review that “there’s a tendency to hype the capabilities of the hackers responsible for major cybersecurity incidents… That conveniently absolves the hacked organizations, their leaders, and government agencies of any responsibility.”

Cyberattacks and Threats on the Rise

Wyden’s frustration is reflected in what seems to be an unabated and increasing cyberassault on the healthcare industry. According to a Critical Insights Report, in 2021, 679 hospitals were victimized by cyberattacks, a high-water mark for the industry. And as the tools used by threat actors evolve, and as ransom payments continue to enrich the criminals behind them, the U.S. Department of Health and Human Services says the number of successful attacks is likely to rise.

But what can healthcare organizations do to protect their IT enterprises and, more importantly, their patients?

A big step forward involves taking a complete inventory of the organization’s IT enterprise, including all the Internet of Things (IoT) connected devices operating within a hospital’s digital infrastructure. There are more than 100,000 internet-connected devices operating in the average hospital IT infrastructure, including more than 15,000 Internet of Medical Things (IoMT) devices, or 10-15 IoMT devices per bed.

See, Know, and Secure Connected Assets

Each connected device increases an organization’s attack surface, and in healthcare the risks may be much higher than average as 53% of IoMT devices have been found to contain vulnerabilities. That makes it imperative that hospitals find a solution to discover, identify, and secure all the devices they have connected to their networks. With an automated solution, this can be accomplished in three basic steps:

See – Complete device discovery means finding all the IoT, IoMT, and operational technology (OT) devices connected to the network. This includes devices that should be there, and those operating outside the view of IT, such as digital assistants, exercise equipment, electric vehicles, personal mobile devices, and equipment believed lost.

Know – Once all connected devices have been discovered, an automated solution can identify the vulnerabilities and risks associated with them. Baselining and monitoring device behavior is also important for identifying anomalies. Because IoT, IoMT, and OT devices operate within deterministic parameters, it’s easy for machine learning algorithms to distinguish normal operations from anomalous behavior and indicators of compromise (IoCs).

Secure – When an IoC or attack is detected, the chosen solution should automatically enforce security policies to protect the network by isolating compromised and at-risk devices in keeping with Zero Trust policies. This not only serves to limit an attack’s “blast radius” or prevent an attack altogether; it also maximizes the resilience critical to providing a high quality of care. Zero Trust policies maintain operational continuity by keeping medical devices in service but limiting their communications to “sanctioned, normal behavior” rather than shutting them down.
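The Know and Secure steps above, as an added illustration that is not code from the article or from any vendor product: a behavioral baseline is learned from a device’s observed communications, live flows outside that baseline are flagged, and the baseline is turned into an allow-list policy that keeps the device in service while denying everything else. Device names, addresses, and flow records are constructed for the example.

```python
from collections import defaultdict

# Constructed flow records: (device, dst_ip, dst_port, proto). Device names and
# addresses are hypothetical; they are not data from the article.
LEARNING_FLOWS = [
    ("infusion-pump-17", "10.20.1.5", 443, "tcp"),   # dose-library server
    ("infusion-pump-17", "10.20.1.9", 123, "udp"),   # NTP
    ("infusion-pump-17", "10.20.1.5", 443, "tcp"),   # repeat observation
    ("ct-scanner-02", "10.20.2.10", 104, "tcp"),     # DICOM to PACS
    ("ct-scanner-02", "10.20.1.9", 123, "udp"),      # NTP
]

LIVE_FLOWS = [
    ("infusion-pump-17", "10.20.1.5", 443, "tcp"),   # sanctioned, normal behavior
    ("infusion-pump-17", "10.20.2.10", 445, "tcp"),  # SMB toward PACS: never baselined
    ("ct-scanner-02", "198.51.100.7", 443, "tcp"),   # egress to a host never seen
    ("bp-monitor-99", "10.20.1.5", 443, "tcp"),      # device absent from discovery
]


def build_baseline(flows):
    """Map each device to the set of (dst_ip, dst_port, proto) it was seen using."""
    baseline = defaultdict(set)
    for device, ip, port, proto in flows:
        baseline[device].add((ip, port, proto))
    return dict(baseline)


def detect_anomalies(baseline, flows):
    """Return (flow, reason) for every live flow that falls outside the baseline."""
    findings = []
    for flow in flows:
        device, ip, port, proto = flow
        if device not in baseline:
            findings.append((flow, "unknown device"))
        elif (ip, port, proto) not in baseline[device]:
            findings.append((flow, "new destination"))
    return findings


def allow_list_policy(baseline, device):
    """Zero Trust style rules: permit only baselined communications, deny the rest,
    so the device keeps working for clinicians instead of being taken offline."""
    rules = [f"allow {device} -> {ip}:{port}/{proto}"
             for ip, port, proto in sorted(baseline[device])]
    rules.append(f"deny {device} -> any")
    return rules
```

A real deployment would learn over a long enough window to capture rare but legitimate traffic (firmware updates, maintenance sessions) before enforcing the deny rule.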

Automated Security Solutions Protect Patients

Using a rapid, intelligent, and automated connected device security platform as the basis for a comprehensive IoT, IoMT, and OT security strategy, one that applies Zero Trust principles to identifying and protecting the entire connected device attack surface, is a quantum leap beyond traditional approaches that rely on incomplete and manual processes. Only by knowing what you have connected to your enterprise, recognizing threats, and automating response can you blunt the threats that put your operations–and your patients–at risk.