
A Guide to Healthcare Cybersecurity


by Nozomi Networks

Mar 21, 2023
Today, hospitals and other healthcare organizations face cybersecurity
threats that put both patient safety and operations at risk. This guide is
intended to help security professionals, facilities managers and
healthcare practitioners better understand their cybersecurity
challenges and how to overcome them.
Table of Contents:
1. What Is Healthcare Cybersecurity?
2. Why Is Securing Healthcare Facilities & Hospitals Important?
3. High-Profile Hospital Cyberattacks
4. Challenges Faced by Healthcare Cybersecurity Teams
5. Recommendations
6. Healthcare Cybersecurity Resources

Securing Hospitals & Healthcare Facilities
What Is Healthcare Cybersecurity?
Healthcare cybersecurity is the process of applying a variety of prevention, detection
and response strategies to protect hospitals or other healthcare facilities from
cyberattacks to ensure patient safety, business continuity, protection of confidential
data, and compliance with industry regulations.
Why Is Securing Healthcare Facilities Important?
Because they are classified as critical infrastructure, healthcare facilities and hospitals
are attractive targets for bad actors. Cyberattacks have been identified as the top threat
in many healthcare systems’ annual hazard vulnerability analyses (HVA).
To protect themselves from cyberattacks that could directly impact the health and safety
of patients and the community, hospitals and healthcare facilities should adopt proactive
protection measures for their connected cyber-physical systems.
High-Profile Hospital Cyberattacks
These are a few of the noteworthy cyberattacks on hospitals since 2020:

- In March 2020, a malware attack on a Fortune 500 healthcare provider based out of Pennsylvania resulted in 250 hospitals losing use of their systems for three weeks.
- In November 2020, a university-based healthcare network in Vermont was targeted by a cyberattack which disrupted 5,000 systems and resulted in 300 staff being furloughed. The attack was estimated to cost $1.5 million per day.
- In August 2021, dozens of hospitals in West Virginia and Ohio shut down operations for days due to a ransomware attack.
- In April 2022, a cyberattack on a large Dallas-based healthcare company resulted in significant outages that cost the company over $100 million in lost revenue.
- In October 2022, a ransomware attack hit the fourth-largest US-based healthcare system with 140 affiliate hospitals. The attack led to delays in surgeries and other patient operations.
- In December 2022, a ransomware attack at a French hospital resulted in a data leak and disruption of operations.
Our latest security research reveals that healthcare was one of the most targeted
industries in 2022 due to the sensitive nature of its data and its dependence on critical
systems for operations. It was also one of the top 5 most vulnerable sectors.
Figure: Most Vulnerable Sectors in the Second Half of 2022
Aside from the broader threats of ransomware and other malware, we expect that in
2023, beyond using scanners to exploit vulnerabilities, threat actors will go after the
medical systems that aggregate device data, in order to collect broader intelligence.
You can access our complete findings in the report below.
What Challenges Do Healthcare Cybersecurity Teams Face?
Legacy Technologies
Many hospitals rely on legacy technologies that are expensive to replace and highly
vulnerable to cyberattacks because of a growing list of publicly disclosed Common
Vulnerabilities and Exposures (CVEs). Many of these systems run outdated operating
systems, such as Windows XP and Windows 7, with limited options for applying critical
patches and updates across widely distributed, heterogeneous and unmanaged
deployments.
To mitigate these risks, cybersecurity teams should limit network connectivity to these
devices as much as possible and put strong preventive measures in place, including
identifying and baselining legacy systems so they can be monitored for anomalous
activity, and enabling user-based controls such as MFA.
Connected Facilities & IoMT
While cybersecurity teams are still struggling to protect vulnerable legacy devices,
newer IP-connected devices, including IoMT devices, building automation systems
(BAS), HVAC, elevators, CCTV, physical security systems and more, have made their
way onto the scene.
These newer, unmanaged devices also provide a potential entry point to disrupt hospital
operations, disable physical safeguards or pivot through the network to other areas of
the business. To ensure cyber and operational resilience, healthcare security
practitioners and facilities managers need a single source of visibility into this expanding
device landscape. Here’s an example of the types of systems and devices that
contribute to a patient’s experience in a modern hospital.
Figure: Connected cyber-physical systems in a hospital.
It’s clear that IoMT and building automation systems (BAS) create a positive and safe
patient experience, which is why it’s so important to protect them with holistic
prevention, detection, and response security controls.
Getting Executive Support for Cybersecurity Projects
As we see above, healthcare organizations have embraced connected technologies to
improve patient outcomes and facility efficiencies. However, they lag in cybersecurity
investments and expertise compared to other industries. Boards and executives at
healthcare organizations often view cybersecurity as yet another operating cost, when it
should be seen as a risk reduction investment.
If we take the example above of the cyberattack on the Dallas-based healthcare
company, we can see that, in its Q2 earnings report, the company disclosed the
financial impact of the attack, with quarterly earnings down approximately $100
million. When framing cybersecurity investments at the executive level, it's important to
reference concrete examples of the potential cost of a cyberattack and compare that to
the investment in security talent and technologies.
The Cybersecurity Talent Shortage
The view of cybersecurity as an expense has led to another challenge facing healthcare
systems, the shortage of security talent. Organizations in sectors that prioritize security
spending like technology, financial services and energy are better positioned to win the
battle for talent. They offer more attractive compensation packages with better career
advancement opportunities, including the chance to work with the latest and greatest
cybersecurity tools and technologies. Healthcare organizations tend not to offer these
perks, so they aren't the first choice for talented job seekers.
Complex Compliance Requirements
Data privacy and security regulations are more restrictive in healthcare, and with good
reason. Beyond the financial implications, patient safety can be put at risk if a
healthcare organization experiences a cyberattack, so there is less room for error.
The most well-known regulation in the United States is the Health Insurance Portability
and Accountability Act, or HIPAA. HIPAA is a series of US federal laws signed into
effect in 1996, with the purpose of regulating the disclosure and protection of health
information in the country. One shortcoming of the HIPAA rules is that they focus
heavily on data breaches and don’t consider how the cyber-physical threat landscape
has evolved over time. It wouldn’t be surprising to see HIPAA rules expand in scope in
the future.
In Europe, the NIS2 Directive published in 2022 also designates health as an Essential
Entity. Although enforcement levels and prescriptive controls will vary by country, the
NIS2 Directive sets the baseline for cybersecurity risk management measures and
reporting obligations across Europe for all sectors that are covered by the directive.
Healthcare Cybersecurity Recommendations
While the scope of mandatory compliance regulations differs by country, a robust
cybersecurity program should cover every connected device and system,
including building automation systems, medical and IoT devices, and energy systems.
We recommend using the NIST Cybersecurity Framework as a high-level best practice
guide, especially for those just beginning to understand what good looks like in cyber,
because of its straightforward language and comprehensive view. Every good
cybersecurity program should include protective measures (Identify and Protect),
detection methods (Detect) and incident response playbooks and plans (Respond and
Recover).
Below, we provide our recommendations based on each of the five Functions of the
NIST CSF specifically for the healthcare sector.
Figure: The 5 Functions of the NIST Cybersecurity Framework
Identify
Good security starts with great visibility. As hospitals integrate a growing number of IoT,
BAS and operational technology (OT) devices into their healthcare and facility systems,
implementing an automated asset inventory management tool will make this process
simpler. Look for a tool that allows you to see your entire healthcare ecosystem and its
risks in one place to prioritize risk mitigation efforts that keep patients safe and facilities
running.
Protect
Healthcare cybersecurity teams should invest in strong identity & access management
and network segmentation, as well as security awareness training for their employees.
Creating a culture of cybersecurity is critical to the continued success of your efforts.
Detect
To detect a potential cybersecurity event, you should monitor both network traffic and
device baselines. Choose a detection solution that combines multiple types of threat
detection and supports a wide range of IT, OT and IoT protocols for the broadest level
of coverage. It should also provide detailed threat indicators, such as Yara rules, packet
rules, STIX indicators, threat definitions and vulnerability signatures.
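To make the device-baselining recommended here concrete (and the baselining of legacy systems mentioned under Legacy Technologies), here is an added example in Python. It is not code from this page or from Nozomi Networks. It assumes flow records have already been exported in a simple CSV form (timestamp, source, destination, port, protocol) and that a hand-maintained asset inventory flags which hosts run unsupported software; every address, device name and flow record below is constructed for the example. A learning window establishes which peers, ports and protocols each device normally uses, and the monitoring window is then checked for new peers, new services on known peers, and legacy devices reaching outside the internal network.

```python
"""Flow baselining against an asset inventory (added example, not from the
original page or from Nozomi Networks). All data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

Service = Tuple[str, int, str]  # (destination IP, destination port, protocol)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reasons: Tuple[str, ...]


# Constructed asset inventory. "legacy" marks hosts on unsupported operating
# systems or firmware that should never talk outside the clinical network.
INVENTORY = {
    "10.20.1.15": {"name": "CT scanner (unsupported OS)", "legacy": True},
    "10.20.1.16": {"name": "MRI workstation", "legacy": False},
    "10.20.1.2": {"name": "PACS server", "legacy": False},
    "10.20.1.3": {"name": "HL7 interface engine", "legacy": False},
    "10.20.2.40": {"name": "HVAC controller (unsupported firmware)", "legacy": True},
    "10.20.2.1": {"name": "BAS head-end", "legacy": False},
}
INTERNAL = ip_network("10.0.0.0/8")  # assumed clinical/facility address space

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port,proto
# Ports used: 104 DICOM, 2575 HL7 MLLP, 47808 BACnet/IP, 445 SMB, 3389 RDP.
LEARNING_FLOWS = """\
2023-03-01T08:00:01,10.20.1.15,10.20.1.2,104,tcp
2023-03-01T08:00:05,10.20.1.15,10.20.1.2,104,tcp
2023-03-01T08:01:10,10.20.1.15,10.20.1.3,2575,tcp
2023-03-01T08:02:00,10.20.2.40,10.20.2.1,47808,udp
2023-03-01T08:03:00,10.20.2.40,10.20.2.1,47808,udp
2023-03-01T08:04:00,10.20.1.16,10.20.1.2,104,tcp
"""
MONITOR_FLOWS = """\
2023-03-02T02:15:01,10.20.1.15,10.20.1.2,104,tcp
2023-03-02T02:15:30,10.20.1.15,10.20.1.16,445,tcp
2023-03-02T02:16:00,10.20.2.40,203.0.113.7,443,tcp
2023-03-02T02:17:00,10.20.1.16,10.20.1.2,3389,tcp
2023-03-02T02:18:00,10.20.1.16,10.20.1.2,104,tcp
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV-style flow records into Flow objects."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto = line.split(",")
        flows.append(Flow(ts, src, dst, int(port), proto))
    return flows


def build_baseline(flows: List[Flow]) -> Dict[str, Set[Service]]:
    """Record every (dst, port, proto) each source used in the learning window."""
    baseline: Dict[str, Set[Service]] = {}
    for f in flows:
        baseline.setdefault(f.src, set()).add((f.dst, f.port, f.proto))
    return baseline


def detect_anomalies(baseline: Dict[str, Set[Service]], flows: List[Flow],
                     inventory: dict) -> List[Alert]:
    """Return one Alert per monitored flow that deviates from the baseline."""
    alerts: List[Alert] = []
    for f in flows:
        reasons: List[str] = []
        known = baseline.get(f.src)
        if known is None:
            reasons.append("unknown-source")  # device never seen in learning
        elif (f.dst, f.port, f.proto) not in known:
            peers = {dst for dst, _, _ in known}
            # Known peer on a new port/protocol vs. an entirely new peer.
            reasons.append("new-service" if f.dst in peers else "new-peer")
        asset = inventory.get(f.src, {})
        if asset.get("legacy") and ip_address(f.dst) not in INTERNAL:
            reasons.append("legacy-external")  # legacy host leaving the LAN
        if reasons:
            alerts.append(Alert(f.ts, f.src, f.dst, tuple(reasons)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING_FLOWS))
    for a in detect_anomalies(base, parse_flows(MONITOR_FLOWS), INVENTORY):
        name = INVENTORY.get(a.src, {}).get("name", "unknown asset")
        print(f"{a.ts} {a.src} ({name}) -> {a.dst}: {', '.join(a.reasons)}")
```

Run as-is, the script raises three alerts: the CT scanner opening SMB to a workstation it never talked to (new-peer), the HVAC controller reaching an external address (new-peer plus legacy-external), and the MRI workstation using RDP to the PACS server it normally only reaches over DICOM (new-service). The inventory lookup is what turns a bare flow anomaly into something an operations team can act on, which is the reason the Identify function (asset inventory) has to come before Detect.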
Respond
Develop and implement a plan for responding to cybersecurity incidents, including
procedures for finding and isolating affected devices and systems and communicating
about the incident to relevant parties.
When a potential cybersecurity event is detected, your threat detection solution should
be able to group alerts into incidents, providing security and operations staff with a
consolidated view. It should also offer contextual and actionable information, like IR
playbooks and threat intelligence, to respond quickly.
Recover
Create and practice a recovery plan to restore impacted services and communicate to
employees and the public about what happened and how you are fixing it. Your asset
inventory management solution should support fast forensic analysis to help you restore
impacted operations by providing up-to-date asset profiles along with a time frame of
when devices were impacted so that you can quickly restore them to their known good
state.
It’s important to continually test both your response and recovery plans with penetration
testing and/or purple team exercises to improve defensive training and assess current

- A high-level overview of the NIST Cybersecurity Framework (CSF)
- How the Nozomi Networks solution helps you meet the five core functions of NIST CSF
- The detailed ways the Nozomi Networks solution maps to NIST CSF requirements
Healthcare Cybersecurity Resources
Securing hospitals and healthcare facilities is a complex challenge. That’s why we
created our resource library which provides guidance and solutions for today’s
cybersecurity challenges. We hope these resources supply helpful information to
support your overall cyber resilience strategy.
- What the NIS2 Directive is and how it has changed from the first version of the directive
- How the Nozomi Networks solution helps you meet all seven broad NIS Directive requirements
- Details on the specific security objectives in NIS2 that Nozomi Networks supports completely or partially