The global healthcare cybersecurity market is set to reach $58.4 billion by 2030, according to statistics portal Statista, by virtue of the healthcare industry being under increasing attack. And in KnowBe4’s 2024 International Healthcare Report, the global healthcare sector experienced 1,613 cyberattacks per week in the first three quarters of 2023, nearly four times the global average.
For Kevin Torres, trying to modernize patient care while balancing considerable cybersecurity risks at MemorialCare, the integrated nonprofit health system based in Southern California, is a major challenge. To put what Torres is dealing with in context, MemorialCare has over 14,000 physicians and employees using connected devices, and runs more than 52,000 connected devices and pieces of equipment throughout its network. “We work in a high stakes environment,” he says. “If we experience a cyber attack or ransomware event, this could mean we can’t accept new patients because we can’t guarantee our ability to take care of them.” As such, one of his primary concerns is the business’ ability to recover and keep delivering seamless patient care should an attack happen.
Torres and his team are specifically focusing much of their attention on securing their biomedical device environment, including incubators, cardiac pacemakers, cochlear implants, and defibrillators. “When we looked at this technology, we quickly realized we didn’t have a clear line of sight to all the connected devices,” he says. “We didn’t know what was connected or if everything was patched properly. We didn’t have the same level of rigor and diligence with these biomed devices as we did with the computers that connect to our network. So there was a very real gap in our defenses.”
A holistic view of the environment
To bridge this gap, Torres introduced Asimily, a risk management platform that delivers greater IoT device visibility, making it easier to identify exploitable vulnerabilities on medical devices and equipment.
Asimily provides visibility over all connected devices within the MemorialCare ecosystem — whether it’s temperature control systems, biomed equipment, elevators, or power systems — and then stratifies risk based on whether or not this hardware has the necessary up-to-date protection. “What we immediately discovered is a lot of the devices connected were out of compliance,” he says. And where devices were non-compliant, he and his team took the time to get their security up to standard. They also had to retrofit some older solutions to ensure they didn’t expose the business to greater risks. Finally, he put a team in place to establish patching processes for new technologies so security updates are done at regular intervals.
According to Torres, the strategy has proven to be successful. MemorialCare now has holistic visibility into its entire IoT ecosystem, enabling them to document that they’re at 98% coverage compared to the peer average of 56%. And the business’ NIST compliance is at 98%, which is well above industry average. But, he admits, none of their efforts to prevent attacks mean anything if they don’t also prioritize the people side. “Today, you have to be cyber secure from two perspectives,” he adds. “The technical prevention and detection side, and the culture and people side.”
The human factor
One of the biggest risks of this modernization project is the user. “It’s our nurses, clinicians, and physicians who are checking emails, clicking links, and then get compromised,” Torres says, noting that social engineering and phishing campaigns are especially big threats to the organization. He says hackers have gone so far as to call the business’ service desk several times a week trying to trick people into resetting user passwords so they can get in. And since they know everything about the process an external user would have to follow to reset a password, Torres knew he and his team couldn’t just rely on people to keep hackers out because they’ll eventually get tricked.
To further safeguard the business against this kind of threat, MemorialCare implemented zero trust network access (ZTNA) on top of two-factor authentication, adding an extra layer of protection to securely provide remote access to all their applications, data, and services. The nonprofit is also prioritizing cybersecurity awareness with regular training and education campaigns. Torres says they’re transparent about why this is important and describe the potential impact if their systems become compromised. “Working with our HR department, we’ve put together awareness campaigns and even send out fake phishing emails to users,” he says. “We then further educate and inform whoever is fooled by these campaigns.”
But Torres points out that cybersecurity isn’t a purely technical problem to solve. “It’s not the responsibility of the IT department or something that your technical people must take care of,” he says. “Cybersecurity is an enterprise risk to every organization in the world.” This means cyber is everybody’s responsibility to take seriously.
“We can set up protocols and put tools in place to prevent breaches, but it’s not enough,” he adds. “It’s about creating an awareness culture where your people understand the risks, and are made aware of the strategies that threat actors use to trick them into making a mistake. This is important because if we don’t protect our systems, we can’t protect our patients from the disruptions we might experience because of an attack.”
Read More from This Article: How MemorialCare confronts evolving risks along its modernization journey