July 18, 2022

by Derek Hills manager, CYBER product management 

Healthcare ransomware attacks are a growing threat to clinical operations with the potential to disable critical medical devices and disrupt patient care. Once a ransomware attack is successful, healthcare organizations often have no choice but to meet the attackers’ demands. Prevention continues to be the best strategy for avoiding the irrevocable harms of these cyberattacks. What can health systems do to shore up their internal defenses, and where can they turn for tools to better monitor and remediate vulnerabilities? 

○ ○ ○ 

The digitalization of health care has made preventing healthcare data breaches far more complex. Cybercriminals have taken advantage of the growth of electronic health records and network-connected medical devices to target healthcare organizations more than ever before. Cyberattacks that expose electronically protected health information (ePHI) can put patients’ privacy and safety at risk, and health systems could face substantial fines. Healthcare ransomware attacks, a specific type of cyberattack, have dominated industry discussions and headlines in recent months. Yet ransomware often does not involve even a single piece of ePHI taken from a healthcare organization’s systems. What exactly makes this type of breach so dangerous? 

The fundamental goal of any ransomware attack is to lock an individual or organization out of a vital technology resource. This can mean encrypting files & hard drives or disabling medical devices. Cybercriminals use many methods for gaining access to systems, like posing as a colleague with deceptive emails to trick individuals into sharing sensitive passwords. Once the malware is in place, the hackers can demand steep ransoms in exchange for restoring access to legitimate users. The victims are faced with the difficult choice of paying the ransom or going without the compromised system, possibly indefinitely.  

Healthcare ransomware attacks specifically increased by 123% in 2021. Part of the reason for this dramatic rise is the same reason that ransomware is particularly dangerous for health systems. Any organization that provides patient care does not have the luxury of time when deciding how to handle a ransomware breach. Compromised medical devices, workstations, and IT systems can impede or even completely stop patient care. The FBI discourages making any ransom payment to attackers, but the impossibly high stakes of these breaches have driven many healthcare organizations to comply with hackers’ demands. 

The leverage that cybercriminals have been able to hold over healthcare organizations has had a staggering impact. In 2020, healthcare ransomware attacks nationwide carried a total cost of $21 billion. Even the resources intended to mitigate damage are becoming scarce. Cyber insurance providers are raising prices for healthcare organizations, and some are no longer offering policies in the healthcare sector. 

Even a robust cyber insurance policy and a fast response cannot entirely insulate health systems from damage once attackers gain access. Patients seeking treatment may be turned away depending on the equipment or information systems affected by ransomware. This risk impacts both routine and critical care alike. In addition to threatening providers’ mission to care for patients, the potential legal consequences are still uncertain. A former patient even filed a lawsuit against an Alabama hospital that fell victim to ransomware in 2019. The suit alleges that the compromised technology contributed to the brain injuries and death of her baby by limiting providers’ ability to monitor health throughout the delivery. The legal outcome of the case has yet to be decided, but it attests to the human damage and heavy costs that can result from these breaches. This unfortunate tragedy also demonstrates how medical devices used for treating and monitoring patients are an essential element of the ransomware discussion. 

With pressure mounting on all sides, it is becoming clearer every day that mitigating ransomware damage is not a viable strategy for health systems. Preventing attackers from gaining access in the first place is the only sure way to avoid major harm to patients. How can health systems coordinate their personnel, processes, and technology to fight off ransomware attacks? And what changes and tools must health systems adopt to transform those three crucial resources into a strong defense? 

People are the first line of defense 

Health system personnel are one of the main entry points for attackers to implement healthcare ransomware attacks. Using often cleverly disguised emails, links, or websites, cybercriminals extract sensitive information and credentials that cannot be taken back once shared. Many victims don’t know they’ve even been targeted until it’s too late. 

Diligence is the best advice for anyone who wants to prevent accidentally sharing sensitive information with hackers. However, healthcare workers have been hit from all sides with a perfect storm of stress and burnout over the past two years. The combination of a global pandemic with healthcare staffing shortages has placed a massive burden both on care providers and the clinical engineering teams that maintain medical devices. This widespread strain has been an opportunity for ransomware attacks to infiltrate health systems, as an overburdened workforce is far less likely to heavily scrutinize electronic communications and online activity. 

While some of these challenges are systemic and will take some time to resolve, health systems can help their associates be more vigilant. It is important to standardize training on how to spot a potential cyberattack. Recognizing common tactics like closely imitated email addresses, deceptive hyperlink URLs, formatting in emails or websites that is slightly off, and seemingly urgent text messages all help develop a mental shorthand for judging the legitimacy of any online communication. Teaching associates where to look for suspicious activity can go a long way toward making it easier to stay careful with sensitive data and systems. 

Cybersecurity education is not a one-and-done matter, however. The tools and methods that hackers use to stage healthcare ransomware attacks are constantly evolving. Health systems should make sure their associates stay informed on trends in cyberattacks. Increasing the involvement of IT teams in associate communications is one way to disseminate expert knowledge. To build a truly effective knowledge base throughout an organization, health systems can also partner with a third-party organization with experience in cybersecurity. This can be especially helpful in niche areas such as medical device cybersecurity training for clinical engineering teams. 

Consistent intelligence amplifies the visibility of cybersecurity threats 

When a health system lacks visibility to any technology resource, it faces greater difficulty evaluating security risks and protecting sensitive systems & data. That includes medical devices, which are increasingly becoming network connected. Each network access point represents a new potential opportunity for attackers to exploit. Despite the growing importance of protecting these devices, many healthcare cybersecurity programs lack the maturity to standardize their approach. 

While it may sound intuitive, an accurate accounting of medical device inventories is a key component of this visibility. In our work with health systems, TRIMEDX has found that many organizations cannot locate 3 to 5% percent of their medical devices. Given the rise of network connectivity, even this small percentage represents a significant number of possible entry points for healthcare ransomware attacks going unmonitored. A solution for tracking device location is a strong starting point to combat this threat. However, a health system must also maintain a deeper understanding of each device than just location. Monitoring and documenting utilization, performance, and technical specifications is an essential part of any successful clinical engineering program and for enhancing cybersecurity. 

Reliable intelligence on vulnerabilities is another key element of an effective cybersecurity strategy. Understanding existing and emerging threats provides valuable context for identifying risks in medical device inventories. Yet health systems often depend on decentralized sources for this vital information. Online resources like articles, blogs, and other publications can provide valuable and interesting insights on security topics like ransomware, but they don’t provide a fully representative view of threats and remediation strategies that affect medical devices. Nor are these sources tailored to the unique needs and priorities of a particular health system. In fact, to have a complete, comprehensive view of all open vulnerabilities, a system would have to monitor over 40 separate sites. 

True visibility requires an exhaustive, centralized collection of intelligence from a wide variety of sources. This includes compiling and maintaining more research on threats and vulnerabilities that any individual team member can typically source online. Also necessary is a full documentation of OEM-approved patches for cyber vulnerabilities to establish a stronger understanding of what remediation options are available to health systems. 

Information gaps create uncertainty that cascades throughout a cybersecurity program. Without reliable industry intelligence, health systems cannot have complete confidence when prioritizing security projects and evaluating the effectiveness of their strategy. Healthcare ransomware attacks have become too common to leave anything to chance. Maintaining a comprehensive view of the healthcare security landscape with manual efforts can seem daunting. But selecting the right tools can generate insights into vulnerabilities early enough to act on them. 

Technology increases efficiency and expands remediation options 

Employees who can spot potential healthcare ransomware attacks and standardized processes to assess risks & vulnerabilities are crucial to a layered cybersecurity program. But developing these strategic assets from the ground up and maintaining them can be incredibly time- and resource-intensive for health systems. The right technology partners and solutions can even expand the tools available for preventing breaches. 

Medical device inventories are growing overall in addition to becoming more commonly connected to networks, with an average of 10 to 15 devices per hospital bed. These quantities make decentralized device monitoring unmanageable for any clinical engineering or IT team. This holds especially true in the face of concurrent trends like health system consolidation and the growth of outpatient care sites. One advantage of network connectivity is the possibility of real-time, remote device monitoring. The ability to pull live statuses across an entire device inventory sharply decreases the amount of manual work and time required to discover and evaluate potential vulnerabilities. 

A centralized platform also makes the collection and use of industry knowledge far easier. By automatically aggregating information on vulnerabilities and remediation strategies from reliable sources as it becomes available, a technology platform can present a comprehensive view of the healthcare cybersecurity landscape. Health systems can again cut down on the manual work needed to assess their risk profile and have a more objective framework for establishing their security priorities. By reducing the uncertainty and subjectivity of device and industry data, they can even use scoring metrics to prioritize vulnerabilities and create a clear plan of action for remediation. 

Software patching can present another challenge to health systems that want to strengthen cybersecurity on their own. 60% of medical device vulnerabilities do not have available software patches supported by device manufacturers. This is especially common in devices that are considered end-of-service by a manufacturer. Addressing the vulnerabilities found in these devices is more important than ever as the average age of medical equipment in use has increased to historically high levels. 

The undeniable complexity of modern health care renders the one-size-fits-all approach to cybersecurity remediation inadequate. Health systems can capitalize on partnerships to proactively manage the vulnerabilities revealed by device monitoring and industry intelligence. An independent service organization (ISO) can develop software patches or other compensating controls that support a health system’s individualized needs. The key is technology-driven strategies that build upon both a unique risk profile and a whole-industry view of threats. By leveraging the right ISO relationship, health systems can have confidence both in their cybersecurity visibility and their agency to defend against attackers. 

○ ○ ○ 

One of the most important things to remember about ransomware attacks is that options become limited the second a breach is successful. Prevention is the best protection against damages to clinical operations, reputation, and—most importantly—patient safety. Health systems should consider the role that every aspect of their organization plays in cybersecurity, from personnel to maintenance protocols. While advancing medical device technology comes with new vulnerabilities and threats, it has also driven the development of tools and resources health systems can use to take a more proactive approach to securing their networks and devices than ever before.