Axel Wirth
Healthcare cybersecurity in a post-pandemic world
June 29, 2020
By Axel Wirth
Unfortunately and tragically, the COVID-19 crisis has demonstrated that our public health and care delivery systems were inadequately prepared for this type of event. Although many front line workers fought, and still are fighting, heroic battles, they often did so lacking proper equipment and resources and without needed support and plans in place. One further area of weakness that has become apparent is the cybersecurity posture of the healthcare industry which, historically, has not been one to lead in this area and now has even been challenged even more.
Traditionally, the focus in healthcare has been on privacy laws and regulations, such as HIPAA, only recently coming to terms with the fact that compliance does not assure protection against sophisticated criminal or nation-state cyber attacks. The ongoing health crisis has made things even more critical as we have deployed new and distributed infrastructure in a hurry, thus offering criminal actors an attractive target. Further, politically motivated entities are seeking to disrupt our public health system or may be looking for valuable intellectual property from organizations participating in clinical studies and research.
While we currently have to prioritize clinical concern and patients’ medical needs, the cybersecurity risk introduced with increased connectivity cannot be ignored. Our industry must begin planning for cybersecurity in a post-pandemic healthcare world, addressing both the need to remediate identified weaknesses in our current ecosystem as well as assure that the security needs of the changed healthcare system evolving from this crisis will be addressed.
It is our thesis that the resulting significant changes in how healthcare operates will require fundamentally rethinking how cybersecurity is implemented.
The general consensus that is forming across healthcare cybersecurity experts is centered around the predicted trends and the leading practices to implement them:
● Steep increase in Telehealth and Telemedicine offering
The adoption of remote health services was already well under way but by some estimates, COVID-19 has accelerated this trend by a decade. Lowered regulatory and reimbursement barriers have increased the number of telehealth “house calls” by multiples. Patient expectations, costs pressures, and technology capability will further move more critical services into the patients’ homes to monitor and diagnose diseases and even to deliver certain therapies. The sensitive, critical and voluminous data generated by this highly distributed infrastructure will need to be protected as it moves across home and public networks. This will require a novel and mature approach to cybersecurity to assure protection of patient privacy, reliability of medical processes, and prevent the correlation between medical data and patient identity or location.
● Consumerization of healthcare
As a related trend, we are witnessing an increase in the use of consumer and personal health devices as they have demonstrated their usefulness in areas like cross-population health trend surveillance, or continual collection and monitoring of vital signs. Novel devices or use cases, as well as new collaborations and corporations, are emerging, offering new ideas on how to use and make medical sense out of the ubiquity of information we can now collect. As new players are entering the healthcare space, they will not only offer new approaches but will also bring with them a more mature approach to security - yet will also raise questions about data usage and privacy. This will alter the playing field, establish a higher bar on security, while also challenging the regulatory status quo.
● Improved surge preparedness
One of the challenges of the COVID-19 pandemic is the need to scale up our healthcare systems’ capacity to address the rapid surge in cases, including staffing, facilities, IT infrastructure, and equipment. We should assume that as a lesson learned will lead to an increased stockpile of critical equipment, including medical devices and IT systems, that can be deployed rapidly in case of future crises. Although not obvious, this will have significant cybersecurity implications.
First, any stockpiled and software-based medical devices will need to maintain their security posture. Since neither maintaining cybersecurity of systems in storage (e.g., via patching) nor updating devices in case of emergency need and rapid deployment is practical and would be reliable, we need to think of a proactive approach to cybersecurity.
Secondly, we need to track and monitor (from a functional and security perspective) devices once they get deployed in the field and put in use.
● Protecting intellectual property
One unique challenge pharmaceutical companies and researchers have been facing is the need to protect their intellectual property as it relates to COVID-19 treatment and vaccines. We have seen evidence of both, the theft of sensitive research data (presumably by nation states to advance their own capabilities) as well as the malicious disruption of critical research and institutions with the goal to hamper or slow down the battle against the virus. Pharma and biotech companies will need to take a risk-based approach to understand where they should be spending their security budgets.
The healthcare industry is uniquely challenged compared to other industries. For example, if an ATM card is exploited, it has different consequences than if an insulin pump is hacked. Yet, other industries are further in their cybersecurity maturity, such as financial services which began developing cyber defense capabilities and processes long ago. However, we also need to recognize that healthcare IT infrastructure is unique in its complexity with a mix of different devices and technology generations, as well as its life-critical nature and specific care delivery needs.
Although the healthcare industry is well advised to learn from other sectors, we do need to recognize idiosyncratic risks that require a unique approach. And, we better do so fast with a combined approach of innovation and regulation.
We stipulated that the ongoing public health crisis will result in fundamental changes to our public health and care delivery landscape, its supporting infrastructure, and the industry’s approach to cybersecurity. The related cyber risks will not be going away anytime soon and only those who take a proactive approach will come out on top. Hoping that solely relying on a reactive approach centered around detection and prevention of cybersecurity incidents is not a strategy that will allow for healthcare delivery to be successful in this post-pandemic ecosystem.
We will need to reexamine what needs protection and how to deliver an approach to cybersecurity that is future ready, rather than reactive. In order to utilize the promise of IT-enhanced care delivery we will need to recognize the new and increasing cyber risks and will need to develop a proactive approach to address them.
About the author: Axel Wirth, chief security strategist for MedCrypt.
Unfortunately and tragically, the COVID-19 crisis has demonstrated that our public health and care delivery systems were inadequately prepared for this type of event. Although many front line workers fought, and still are fighting, heroic battles, they often did so lacking proper equipment and resources and without needed support and plans in place. One further area of weakness that has become apparent is the cybersecurity posture of the healthcare industry which, historically, has not been one to lead in this area and now has even been challenged even more.
Traditionally, the focus in healthcare has been on privacy laws and regulations, such as HIPAA, only recently coming to terms with the fact that compliance does not assure protection against sophisticated criminal or nation-state cyber attacks. The ongoing health crisis has made things even more critical as we have deployed new and distributed infrastructure in a hurry, thus offering criminal actors an attractive target. Further, politically motivated entities are seeking to disrupt our public health system or may be looking for valuable intellectual property from organizations participating in clinical studies and research.
While we currently have to prioritize clinical concern and patients’ medical needs, the cybersecurity risk introduced with increased connectivity cannot be ignored. Our industry must begin planning for cybersecurity in a post-pandemic healthcare world, addressing both the need to remediate identified weaknesses in our current ecosystem as well as assure that the security needs of the changed healthcare system evolving from this crisis will be addressed.
It is our thesis that the resulting significant changes in how healthcare operates will require fundamentally rethinking how cybersecurity is implemented.
The general consensus that is forming across healthcare cybersecurity experts is centered around the predicted trends and the leading practices to implement them:
● Steep increase in Telehealth and Telemedicine offering
The adoption of remote health services was already well under way but by some estimates, COVID-19 has accelerated this trend by a decade. Lowered regulatory and reimbursement barriers have increased the number of telehealth “house calls” by multiples. Patient expectations, costs pressures, and technology capability will further move more critical services into the patients’ homes to monitor and diagnose diseases and even to deliver certain therapies. The sensitive, critical and voluminous data generated by this highly distributed infrastructure will need to be protected as it moves across home and public networks. This will require a novel and mature approach to cybersecurity to assure protection of patient privacy, reliability of medical processes, and prevent the correlation between medical data and patient identity or location.
● Consumerization of healthcare
As a related trend, we are witnessing an increase in the use of consumer and personal health devices as they have demonstrated their usefulness in areas like cross-population health trend surveillance, or continual collection and monitoring of vital signs. Novel devices or use cases, as well as new collaborations and corporations, are emerging, offering new ideas on how to use and make medical sense out of the ubiquity of information we can now collect. As new players are entering the healthcare space, they will not only offer new approaches but will also bring with them a more mature approach to security - yet will also raise questions about data usage and privacy. This will alter the playing field, establish a higher bar on security, while also challenging the regulatory status quo.
● Improved surge preparedness
One of the challenges of the COVID-19 pandemic is the need to scale up our healthcare systems’ capacity to address the rapid surge in cases, including staffing, facilities, IT infrastructure, and equipment. We should assume that as a lesson learned will lead to an increased stockpile of critical equipment, including medical devices and IT systems, that can be deployed rapidly in case of future crises. Although not obvious, this will have significant cybersecurity implications.
First, any stockpiled and software-based medical devices will need to maintain their security posture. Since neither maintaining cybersecurity of systems in storage (e.g., via patching) nor updating devices in case of emergency need and rapid deployment is practical and would be reliable, we need to think of a proactive approach to cybersecurity.
Secondly, we need to track and monitor (from a functional and security perspective) devices once they get deployed in the field and put in use.
● Protecting intellectual property
One unique challenge pharmaceutical companies and researchers have been facing is the need to protect their intellectual property as it relates to COVID-19 treatment and vaccines. We have seen evidence of both, the theft of sensitive research data (presumably by nation states to advance their own capabilities) as well as the malicious disruption of critical research and institutions with the goal to hamper or slow down the battle against the virus. Pharma and biotech companies will need to take a risk-based approach to understand where they should be spending their security budgets.
The healthcare industry is uniquely challenged compared to other industries. For example, if an ATM card is exploited, it has different consequences than if an insulin pump is hacked. Yet, other industries are further in their cybersecurity maturity, such as financial services which began developing cyber defense capabilities and processes long ago. However, we also need to recognize that healthcare IT infrastructure is unique in its complexity with a mix of different devices and technology generations, as well as its life-critical nature and specific care delivery needs.
Although the healthcare industry is well advised to learn from other sectors, we do need to recognize idiosyncratic risks that require a unique approach. And, we better do so fast with a combined approach of innovation and regulation.
We stipulated that the ongoing public health crisis will result in fundamental changes to our public health and care delivery landscape, its supporting infrastructure, and the industry’s approach to cybersecurity. The related cyber risks will not be going away anytime soon and only those who take a proactive approach will come out on top. Hoping that solely relying on a reactive approach centered around detection and prevention of cybersecurity incidents is not a strategy that will allow for healthcare delivery to be successful in this post-pandemic ecosystem.
We will need to reexamine what needs protection and how to deliver an approach to cybersecurity that is future ready, rather than reactive. In order to utilize the promise of IT-enhanced care delivery we will need to recognize the new and increasing cyber risks and will need to develop a proactive approach to address them.
About the author: Axel Wirth, chief security strategist for MedCrypt.