Three Ways Healthcare Organizations Can Prepare for New Cybersecurity Requirements
Healthcare organizations are highly vulnerable to cyberattacks, averaging 1,463 cyberattacks per week in 2022, up 74% compared to the previous year [i]. The healthcare industry has also ranked highest in data breach costs for 12 years in a row [ii]. The potential impact of a cyber incident is not just financial–the consequences can be fatal [iii].
Hospitals are targeted for several reasons. First, they are vulnerable targets as attackers seek to exploit them for the notoriety of claiming they successfully shut down such critical facilities. Healthcare data is also in high demand on the dark web and can fetch a hefty sum for attackers.
Another major reason hospitals are targeted is that they have large operational technology (OT) environments with thousands of entry points. On the medical side, this includes a vast array of equipment, from MRI machines to ventilators. On the building side, it includes assets like fire and life safety systems, HVAC and access control. The sheer volume of assets provides an attack surface far larger than almost any other industry. Moreover, many of these systems operate on legacy frameworks, making them more susceptible to exploitation.
U.S. Department of Health and Human Services considers new requirements
In response to this increasing threat, the United States Department of Health and Human Services (HHS) published a concept paper [iv] introducing new measures designed to help protect the sector from cyberattacks.
These measures include:
1. Establish voluntary cybersecurity performance goals for the healthcare sector to help healthcare organizations prioritize cybersecurity practices.
2. Provide resources to incentivize and implement cybersecurity practices such as the establishment of an upfront investments program to help high-need providers.
3. Implement an HHS-wide strategy to support greater enforcement and accountability. Including potential increased financial penalties for HIPAA violations.
4. Expand and mature the one-stop shop within HHS for healthcare sector cybersecurity, thereby increasing HHS’ incident-response capabilities.
The intent is to better equip hospitals with cybersecurity education and resources, as well as discourage noncompliance by strengthening HHS’ enforcement authority.
Healthcare organizations don’t know what they don’t know
A big security hole at many hospitals is lack of awareness. They may think their OT systems are secure when they’re not. For instance, the systems may be air-gapped, which means they’re not connected to the internet, but most of them must be patched or updated regularly. This might mean that, on the first of every month, the systems are connected to the internet to download the patches or updates and thus they are not truly air-gapped.
Even if the patching and updating are done via USB, those OT systems may still not be safe. A Honeywell study found that OT assets face a significant and escalating risk from malware infiltrating through USB media [v] . Another risk is that many cyberattacks target third-party OT systems whose providers may have access rights to perform maintenance and upgrades. This opens the door to yet another threat.
Three steps healthcare organizations should take now
The pressure is on for hospitals to fortify their systems against cyberthreats and put all necessary defense measures in place. Here are the top three steps they should take to get started:
1. Create an incident response plan. This is essential for hospitals to swiftly recover if they’re hit with downtime or if critical equipment, such as ventilators or HVAC systems, are targeted in a cyberattack. Without a plan in place, a hospital can’t get back up and running quickly and efficiently, and make sure its patients and staff are safe.
2. Be aware of full asset inventory. The reality is that most OT systems have an IP connection However, IT doesn’t monitor these connections for cyberthreats as closely as it monitors its own systems. It’s essential that hospitals know exactly what they have running in their environment in both IT systems and OT systems so they have better visibility into all their systems and all the threats and vulnerabilities they face.
3. Have a trusted partner. Before allowing third-party vendors to access their systems, hospitals need to understand the specifics of what vendors are doing. Do they know what type of computers their vendors are using? Are there proper checks and balances in place to keep their operations safe and secure? Hospitals should establish clear communication channels with their partners for continuous transparency and accountability.
Safety and security are paramount in a healthcare environment. As a trusted partner, Honeywell can help healthcare organizations solve cybersecurity challenges and stay compliant with new regulations as they are introduced.
[i] Check Point, Check Point Software Releases its 2023 Security Report Highlighting Rise in Cyberattacks and Disruptive Malware, February 8, 2023 [Accessed March 1, 2024]
[ii] UpGuard, What is the Cost of a Data Breach in 2023?, October 25, 2023 [Accessed March 1, 2024]
[iii] WIRED, The untold story of a cyberattack, a hospital and a dying woman, November 11, 2020 [Accessed March 1, 2024]
[iv] United States Department of Health and Human Services, Healthcare Sector Cybersecurity, December 2023 [Accessed March 1, 2024]
[v] Honeywell Forge, Industrial Cybersecurity USB Threat Report 2023 [Accessed March 1, 2024]
