Are you rolling the dice on patient safety?
September 7, 2021
Special thanks to Matthew Modica, Vice President and Chief Information Security Officer, BJC HealthCare, for his collaboration and contribution to this post.
The Internet of Medical Things (IoMT) represents one of the most significant opportunities in healthcare, with global market value expected to hit US$142 billion by 2026. But with opportunity comes risk. According to a Bitglass research study, healthcare breaches increased 55 percent from 2019 to 2020, affecting more than 26 million people in the US alone. This has continued into 2021, with the volume of all-industry cyber intrusion increasing 125% in the first half of 2021 globally, compared with the same period last year. In fact, there are indications that healthcare is the number one target for cybercriminals.
The time is now for healthcare organizations and regulators to focus on IoMT cybersecurity, because these devices provide direct line-of-sight to the patient.
IoMT is used for critical medical tasks such as monitoring patient vital signs, controlling blood flow and distributing pharmaceuticals. Unlike traditional Information Technology (IT) or Operational Technology (OT), which may easily be patched and rebooted, IoMT requires a different remediation process with extra precautions. Taking these devices offline, even for a short period of time, could significantly impact patient safety—and cybercriminals are very aware of the unique role of IoMT devices. That's why they are actively seeking new and creative ways to monetize attacks and disruptions, likely via ransomware.
During the pandemic, there were multiple waves of attacks against healthcare organizations thanks to the increased attack surface created by the push for remote services. According to a Comparitech report, ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, twice as much as the year before. The report also found that 92 individual ransomware attacks occurred at healthcare organizations, affecting 600 clinics, hospitals and other organizations, with 18 million patient records impacted—a 470% increase from 2019.
This can be devastating to companies but ultimately, it's us—the patients—who become the targets.
The root causes of these difficulties are usually a lack of accountability and lack of understanding by management of who is responsible for devices that fall under the purview of biomedical engineering and clinical environments. These departments often have little to no IT governance compared to enterprise-wide IT systems.
Lack of oversight can leave organizations overwhelmed and without an accurate picture of device inventory. This in turn can result in outdated software and exposure to vulnerabilities—a prime opportunity for cybercriminals. Additionally, healthcare organizations can experience skill shortages or minimal IoMT understanding, resulting in insecure network architectures that lack segmentation and security controls.
Security needs to be “baked in.” That is, it should be part of a healthcare organization’s technology ecosystem, positioned to enable business success by fostering technology adoption. This point is driven home by the Palo Alto Networks global threat intelligence team, which reports that 83% of connected medical imaging devices currently run unsupported operating systems, with 51% of potential threats and vulnerabilities involving these devices. Additionally, 72% of healthcare's virtual local area networks (VLANs) mix IoMT with traditional IT assets, facilitating the spread of malware. With such prevalent vulnerabilities in devices critical to patient wellbeing, it is vital that security be implemented at every stage of the system development lifecycle.
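Two of the conditions just described, devices on unsupported operating systems and VLANs that mix IoMT with IT assets, can be checked directly against an asset inventory. The following is an added example, not code from the post or from Accenture; the inventory records and the unsupported-OS list are constructed for illustration, and a real audit would take both from the organization's asset register and vendor end-of-support notices.

```python
"""Audit a constructed IoMT/IT inventory for two risks discussed above:
unsupported operating systems and VLANs that mix IoMT with IT assets."""
from collections import defaultdict

# Hypothetical end-of-support list; use vendor notices in practice.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}

# Constructed sample inventory (not taken from the post).
INVENTORY = [
    {"name": "ct-scanner-01", "cls": "IoMT", "os": "Windows 7", "vlan": 10},
    {"name": "infusion-pump-07", "cls": "IoMT", "os": "VxWorks 6.9", "vlan": 10},
    {"name": "nurse-ws-14", "cls": "IT", "os": "Windows 10", "vlan": 10},
    {"name": "mri-02", "cls": "IoMT", "os": "Windows XP", "vlan": 20},
    {"name": "file-server-01", "cls": "IT", "os": "Windows Server 2019", "vlan": 30},
]


def unsupported_devices(inventory):
    """Names of devices whose OS is on the unsupported list."""
    return sorted(d["name"] for d in inventory if d["os"] in UNSUPPORTED_OS)


def mixed_vlans(inventory):
    """VLAN ids carrying both IoMT and IT assets (no segmentation)."""
    classes = defaultdict(set)
    for d in inventory:
        classes[d["vlan"]].add(d["cls"])
    return sorted(v for v, c in classes.items() if {"IoMT", "IT"} <= c)


def priority_devices(inventory):
    """IoMT devices that are both unsupported and on a mixed VLAN:
    the ones to segment or replace first."""
    mixed = set(mixed_vlans(inventory))
    return sorted(d["name"] for d in inventory
                  if d["cls"] == "IoMT" and d["os"] in UNSUPPORTED_OS
                  and d["vlan"] in mixed)


def risk_report(inventory):
    """Share of IoMT assets on unsupported OS, plus the two finding lists."""
    iomt = [d for d in inventory if d["cls"] == "IoMT"]
    bad = [d for d in iomt if d["os"] in UNSUPPORTED_OS]
    pct = round(100 * len(bad) / len(iomt)) if iomt else 0
    return {"unsupported_pct_iomt": pct,
            "unsupported": unsupported_devices(inventory),
            "mixed_vlans": mixed_vlans(inventory),
            "priority": priority_devices(inventory)}


if __name__ == "__main__":
    for key, value in risk_report(INVENTORY).items():
        print(f"{key}: {value}")
```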
For more on IoMT in healthcare, we spoke with Matt Modica, CISO of BJC Healthcare. His thoughts are below.
IoMT device security is a critical component CISOs must consider in their cybersecurity strategy and risk management framework for three main reasons. First, the proliferation of network-connected devices and the sheer amount of data these devices collect makes them a critical asset—which means they're a target for bad actors. Second, many medical device manufacturers are just now beginning their journey into secure code development / secure configurations. Until they mature these capabilities, there is potential for a variety of cyber threats being exploited (i.e. unresolved vulnerabilities, unsupported software and unknown baseline behavior). Third, while larger healthcare providers typically have the financial and operational resources to support lifecycle management and rotate to these newer devices with enhanced security capabilities, many providers must support aging network devices that perpetuate cybersecurity risks.
For these reasons, Modica said, medical/IoT device security has the potential to lead to operational disruption and patient safety events.
When we do these things, Modica said, we will protect ourselves, our patients, our caregivers and our critical infrastructure.
Below are a few areas to consider:
Using measures like the above will vastly improve the security and reliability prognosis for healthcare organizations, with the key takeaway that robust IoMT cybersecurity paves the way for improved patient care and a healthier bottom line.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit www.accenture.com/security.
This document is produced by consultants at Accenture as general guidance. It is not intended to provide specific advice on your circumstances. If you require advice or further details on any matters referred to, please contact your Accenture representative.
Copyright © 2021 Accenture. All rights reserved. Accenture, and its logo are trademarks of Accenture.