A Guide to Healthcare Cybersecurity
by Nozomi Networks, Mar 21, 2023

Today, hospitals and other healthcare organizations face cybersecurity threats that put both patient safety and operations at risk. This guide is intended to help security professionals, facilities managers and healthcare practitioners better understand their cybersecurity challenges and how to overcome them.

Table of Contents:
1. What Is Healthcare Cybersecurity?
2. Why Is Securing Healthcare Facilities & Hospitals Important?
3. High-Profile Hospital Cyberattacks
4. Challenges Faced by Healthcare Cybersecurity Teams
5. Recommendations
6. Healthcare Cybersecurity Resources

Securing Hospitals & Healthcare Facilities

What Is Healthcare Cybersecurity?

Healthcare cybersecurity is the practice of applying prevention, detection and response strategies to protect hospitals and other healthcare facilities from cyberattacks, in order to ensure patient safety, business continuity, protection of confidential data and compliance with industry regulations.

Why Is Securing Healthcare Facilities Important?

Because they are classified as critical infrastructure, healthcare facilities and hospitals are attractive targets for bad actors. Cyberattacks have been identified as the top threat in many healthcare systems' annual hazard vulnerability analyses (HVAs). To protect themselves from cyberattacks that could directly impact the health and safety of patients and the community, hospitals and healthcare facilities should adopt proactive protection measures for their connected cyber-physical systems.

High-Profile Hospital Cyberattacks

These are a few of the noteworthy cyberattacks on hospitals since 2020:

- In March 2020, a malware attack on a Fortune 500 healthcare provider based in Pennsylvania resulted in 250 hospitals losing use of their systems for three weeks.
- In November 2020, a university-based healthcare network in Vermont was targeted by a cyberattack which disrupted 5,000 systems and resulted in 300 staff being furloughed. The attack was estimated to cost $1.5 million per day.
- In August 2021, dozens of hospitals in West Virginia and Ohio shut down operations for days due to a ransomware attack.
- In April 2022, a cyberattack on a large Dallas-based healthcare company resulted in significant outages that cost the company over $100 million in lost revenue.
- In October 2022, a ransomware attack hit the fourth-largest US-based healthcare system, with 140 affiliate hospitals. The attack led to delays in surgeries and other patient operations.
- In December 2022, a ransomware attack at a French hospital resulted in a data leak and disruption of operations.

Our latest security research found that healthcare was one of the most targeted industries in 2022, owing to the sensitive nature of its data and its dependence on critical systems for operations. It was also one of the top five most vulnerable sectors.

[Figure: Most Vulnerable Sectors in the Second Half of 2022]

Beyond the broader threats of ransomware and other malware, we expect that in 2023 threat actors will go further than scanning for and exploiting known vulnerabilities, and will target the medical systems that aggregate device data in order to collect broader intelligence.

What Challenges Do Healthcare Cybersecurity Teams Face?

Legacy Technologies

Many hospitals rely on legacy technologies which are expensive to replace and highly vulnerable to cyberattack because of a growing list of publicly disclosed Common Vulnerabilities and Exposures (CVEs). Many of these systems run outdated operating systems, such as Windows XP and Windows 7, with limited options for applying critical patches and updates across widely distributed, heterogeneous and unmanaged deployments.
To mitigate these risks, cybersecurity teams should limit network connectivity to these devices as much as possible and put strong preventive measures in place: identify and baseline legacy systems so they can be monitored for anomalous activity, and enable user-based controls, including MFA, wherever the device supports them.

Connected Facilities & IoMT

At the same time as cybersecurity teams are struggling to protect vulnerable legacy devices, newer IP-connected devices have arrived on the scene: Internet of Medical Things (IoMT) devices, building automation systems (BAS), HVAC, elevators, CCTV, physical security systems and more. These newer, unmanaged devices also provide a potential entry point to disrupt hospital operations, disable physical safeguards or pivot through the network to other areas of the business. To ensure cyber and operational resilience, healthcare security practitioners and facilities managers need a single source of visibility into this expanding device landscape.

Here's an example of the types of systems and devices that contribute to a patient's experience in a modern hospital.

[Figure: Connected cyber-physical systems in a hospital.]

IoMT and building automation systems clearly help create a positive and safe patient experience, which is why it is so important to protect them with holistic prevention, detection and response security controls.

Getting Executive Support for Cybersecurity Projects

As the figure above shows, healthcare organizations have embraced connected technologies to improve patient outcomes and facility efficiency. However, they lag behind other industries in cybersecurity investment and expertise. Boards and executives at healthcare organizations often view cybersecurity as yet another operating cost, when it should be seen as an investment in risk reduction.
Take the Dallas-based healthcare company mentioned above: in its Q2 earnings report, the company disclosed the financial impact of the attack, with quarterly earnings down approximately $100 million. When framing cybersecurity investments at the executive level, it is important to reference concrete examples of the potential cost of a cyberattack and compare that to the cost of investing in security talent and technologies.

The Cybersecurity Talent Shortage

The view of cybersecurity as an expense has led to another challenge facing healthcare systems: the shortage of security talent. Organizations in sectors that prioritize security spending, such as technology, financial services and energy, are better positioned to win the battle for talent. They offer more attractive compensation packages and better career advancement opportunities, including the chance to work with the latest cybersecurity tools and technologies. Healthcare organizations tend not to offer these perks, so they are not the first choice for talented job seekers.

Complex Compliance Requirements

Data privacy and security regulations are more restrictive in healthcare, and with good reason. Beyond the financial implications, patient safety can be put at risk if a healthcare organization experiences a cyberattack, so there is less room for error.

The best-known regulation in the United States is the Health Insurance Portability and Accountability Act (HIPAA), a US federal law enacted in 1996. Its Privacy and Security Rules regulate the disclosure and protection of health information in the country. One shortcoming of the HIPAA rules is that they focus heavily on data breaches and do not consider how the cyber-physical threat landscape has evolved over time. It would not be surprising to see the HIPAA rules expand in scope in the future.
In Europe, the NIS2 Directive, published in 2022, lists healthcare among the sectors of high criticality, so in-scope healthcare providers are treated as essential entities. Although enforcement levels and prescriptive controls will vary by country, the NIS2 Directive sets the baseline for cybersecurity risk management measures and reporting obligations across Europe for all sectors covered by the directive.

Healthcare Cybersecurity Recommendations

While the scope of mandatory compliance regulations differs by country, a robust cybersecurity program should cover every connected device and system, including building automation systems, medical and IoT devices, and energy systems. We recommend using the NIST Cybersecurity Framework (CSF) as a high-level best-practice guide, especially for those just beginning to understand what good looks like in cyber, because of its straightforward language and comprehensive view. Every good cybersecurity program should include protective measures (Identify and Protect), detection methods (Detect) and incident response playbooks and plans (Respond and Recover). Below, we give our recommendations for the healthcare sector under each of the five Functions of the NIST CSF.

[Figure: The 5 Functions of the NIST Cybersecurity Framework]

Identify

Good security starts with great visibility. As hospitals integrate a growing number of IoT, BAS and operational technology (OT) devices into their healthcare and facility systems, an automated asset inventory management tool will make this process simpler. Look for a tool that lets you see your entire healthcare ecosystem and its risks in one place, so you can prioritize the risk mitigation efforts that keep patients safe and facilities running.

Protect

Healthcare cybersecurity teams should invest in strong identity and access management and network segmentation, as well as security awareness training for their employees. Creating a culture of cybersecurity is critical to the continued success of your efforts.
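As an added example (not code from this guide or from Nozomi Networks), the following Python script ties together the Identify and Protect recommendations above and the earlier advice to limit legacy devices' network connectivity and baseline their behaviour. It takes a constructed asset inventory, learns each device's normal peers from a quiet window of flow records, and then flags three things in a later window: flows that cross a zone boundary the assumed segmentation policy forbids, flows to peers outside a device's baseline (rated high for unpatchable legacy systems, low for managed hosts), and traffic from devices that are missing from the inventory altogether. Every address, device name, zone, policy entry and flow record is hypothetical and exists only to make the script runnable.

```python
"""Added example: inventory-driven segmentation check plus a per-device
communication baseline, run over constructed hospital flow records.
Not Nozomi Networks code; all addresses, names and zones are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory (hypothetical): the output of the Identify step.
INVENTORY = {
    "10.10.1.20": {"name": "infusion-pump-03", "zone": "clinical", "os": "Windows XP", "legacy": True},
    "10.10.1.21": {"name": "mri-console-01", "zone": "clinical", "os": "Windows 7", "legacy": True},
    "10.10.1.50": {"name": "clinical-app-server", "zone": "clinical", "os": "Windows Server 2019", "legacy": False},
    "10.10.2.1": {"name": "bas-server", "zone": "facilities", "os": "Linux", "legacy": False},
    "10.10.2.10": {"name": "hvac-controller-02", "zone": "facilities", "os": "embedded", "legacy": False},
    "10.10.3.5": {"name": "ehr-app-01", "zone": "corporate", "os": "Linux", "legacy": False},
}

# Segmentation policy (assumed for this example): zones a source zone may reach.
# Clinical and facilities devices stay inside their own zone; only the
# corporate zone may initiate connections into the clinical zone.
ALLOWED_ZONE_PEERS = {
    "clinical": {"clinical"},
    "facilities": {"facilities"},
    "corporate": {"corporate", "clinical"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse 'src dst dport proto' records; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.upper()))
    return flows


def learn_baseline(flows):
    """Per-source set of (dst, dport, proto) tuples seen during learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src].add((f.dst, f.dport, f.proto))
    return baseline


def zone_of(ip):
    return INVENTORY.get(ip, {}).get("zone", "unknown")


def check_flow(flow, baseline):
    """Return (reason, severity) findings for one monitored flow."""
    findings = []
    src = INVENTORY.get(flow.src)
    if src is None:
        # Identify gap: something is on the network that nobody inventoried.
        return [("unknown-asset", "medium")]
    dst_zone = zone_of(flow.dst)
    if dst_zone not in ALLOWED_ZONE_PEERS[src["zone"]]:
        findings.append((f"segmentation-violation:{src['zone']}->{dst_zone}", "high"))
    if (flow.dst, flow.dport, flow.proto) not in baseline.get(flow.src, set()):
        # An unpatchable legacy device reaching a new peer is high severity;
        # the same deviation on a managed host is only low.
        findings.append(("new-peer-outside-baseline", "high" if src["legacy"] else "low"))
    return findings


def monitor(learning_text, monitoring_text):
    """Learn a baseline from one window, then alert on deviations in the next."""
    baseline = learn_baseline(parse_flows(learning_text))
    alerts = []
    for f in parse_flows(monitoring_text):
        for reason, severity in check_flow(f, baseline):
            alerts.append({"device": INVENTORY.get(f.src, {}).get("name", f.src),
                           "src": f.src, "dst": f.dst, "dport": f.dport,
                           "reason": reason, "severity": severity})
    return alerts


# Constructed flow records (hypothetical): a quiet learning window ...
LEARNING_WINDOW = """
10.10.1.20 10.10.1.50 443 tcp     # pump -> clinical app server (HTTPS)
10.10.1.21 10.10.1.50 104 tcp     # MRI console -> app server (DICOM)
10.10.2.10 10.10.2.1 47808 udp    # HVAC controller -> BAS server (BACnet)
10.10.3.5 10.10.1.50 443 tcp      # EHR app -> clinical app server
"""
# ... and a monitoring window containing three things that should not be there.
MONITORING_WINDOW = """
10.10.1.20 10.10.1.50 443 tcp
10.10.1.21 10.10.1.50 104 tcp
10.10.1.20 10.10.3.5 445 tcp      # Windows XP pump opening SMB to corporate
10.10.2.10 10.10.2.1 47808 udp
10.10.3.5 10.10.1.50 3389 tcp     # allowed zone pair, but RDP never seen before
10.10.9.9 10.10.1.50 443 tcp      # source not in the inventory at all
"""

if __name__ == "__main__":
    for a in monitor(LEARNING_WINDOW, MONITORING_WINDOW):
        print(f"[{a['severity']:<6}] {a['device']} {a['src']} -> {a['dst']}:{a['dport']} {a['reason']}")
```

Run with python3 and it prints four alerts from the monitoring window; the two high-severity alerts on the Windows XP pump are the ones to act on first, since the device can neither be patched nor, in most cases, enforce MFA, so network containment is its only real control. In practice the learning window has to be long enough to cover scheduled activity such as nightly backups or vendor maintenance sessions, otherwise routine jobs surface as new-peer alerts.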
Detect

To detect a potential cybersecurity event, monitor both network traffic and device baselines. Choose a detection solution that combines multiple types of threat detection and supports a wide range of IT, OT and IoT protocols for the broadest coverage. It should also provide detailed threat indicators, such as YARA rules, packet rules, STIX indicators, threat definitions and vulnerability signatures.

Respond

Develop and implement a plan for responding to cybersecurity incidents, including procedures for finding and isolating affected devices and systems and for communicating about the incident to relevant parties. When a potential cybersecurity event is detected, your threat detection solution should be able to group alerts into incidents, giving security and operations staff a consolidated view. It should also offer contextual, actionable information, such as IR playbooks and threat intelligence, so you can respond quickly.

Recover

Create and practice a recovery plan to restore impacted services and to communicate to employees and the public about what happened and how you are fixing it. Your asset inventory management solution should support fast forensic analysis to help you restore impacted operations, by providing up-to-date asset profiles along with a time frame of when devices were impacted so that you can quickly restore them to their known good state. It is important to continually test both your response and recovery plans with penetration testing and/or purple team exercises to improve defensive training and assess current

Related resource on the NIST CSF covers:
- A high-level overview of the NIST Cybersecurity Framework (CSF)
- How the Nozomi Networks solution helps you meet the five core functions of NIST CSF
- The detailed ways the Nozomi Networks solution maps to NIST CSF requirements

Healthcare Cybersecurity Resources

Securing hospitals and healthcare facilities is a complex challenge.
That's why we created our resource library, which provides guidance and solutions for today's cybersecurity challenges. We hope these resources supply helpful information to support your overall cyber resilience strategy.

Related resource on the NIS2 Directive covers:
- What the NIS2 Directive is and how it has changed from the first version of the directive
- How the Nozomi Networks solution helps you meet all seven broad NIS Directive requirements
- Details on the specific security objectives in NIS2 that Nozomi Networks supports completely or partially