When healthcare organizations and professionals think about cybersecurity, they likely think first about protecting sensitive patient data against data breaches and ransomware attacks. And there’s a good reason for this. Over the last four years, US healthcare organizations reported a 93% increase in large breaches, with a 278% increase in large breaches involving ransomware. IBM quantified the financial impact of these attacks in its 2023 Cost of a Data Breach Report, noting the total average cost of a breach in healthcare was an astounding $10.93 million USD.
Given the high value of patient information, it’s reasonable to assume attackers will continue to target health systems. It’s also reasonable to expect that healthcare organizations will continue to fortify their defenses, doing whatever they can to secure their operations and maintain the privacy and safety of the patient and employee data they hold. According to the 2024 Health System Digital & IT Investment Trends report from Guidehouse, more than 85% of health systems are increasing their 2024 digital and IT budgets. Over half (55%) of survey respondents are prioritizing investments in cybersecurity, while additional priorities include electronic health record modernization (46%), digital care (32%), and advanced analytics, AI, and machine learning (31%).
It’s welcome news that 2024 healthcare budgets are prioritizing cybersecurity, but organizations will still need to make difficult decisions about where to invest to gain the most value and make the biggest impact. When determining what systems are most crucial to protect and what security technologies to invest in, the best practice is for organizations to first take stock of their attack surface. This requires taking a comprehensive look across all systems to uncover any potential attack pathways or vulnerabilities. The sum of these makes up the organization’s attack surface.
Once the attack surface is better understood, it becomes possible to implement remediations, which could be any combination of technology, people, or processes, to close down or better fortify any open paths and vulnerabilities – thereby shrinking the potential attack surface.
Unfortunately, the attack surface of most organizations is growing rather than becoming smaller. According to The Randori State of Attack Surface Management 2022, the attack surface of 67% of organizations across industries grew in size over the previous years. This is likely why Gartner identified attack surface expansion as the top trend in its 2022 Top Security and Risk Management Trends report.
When it comes to healthcare organizations specifically, much of the growth in attack surface can be attributed to the exploding number of internet-connected devices in healthcare environments. These include not just information technology (IT), internet of things (IoT), and internet of medical things (IoMT) but also operational technology (OT).
IoT and IoMT are emerging security fields very much worth the attention of healthcare organizations. Fortune Business Insights predicts the IoMT market alone will reach $187.60 billion by 2028, more than four times its 2020 worth of $41.17 billion. But the rapid growth of IoMT, plus the ongoing need to protect IT systems and networks, should not lead organizations to overlook the security of their OT systems.
Unlike other technologies, OT infrastructure is generally designed to be ‘set and forget.’ OT systems largely work in the background, monitoring and controlling industrial (physical) equipment and assets within the organization. These processes may lack the excitement factor of the latest IoMT device, but they are undeniably crucial to the smooth operations of every hospital and healthcare system.
Another reason that OT security may not receive the attention it deserves is that OT systems were traditionally designed for long deployments (sometimes even decades long) on dedicated networks, using dedicated, proprietary protocols that had no connection to the internet or even other internal networks. This isolation, or air-gapping, created a (relatively) secure boundary protecting OT systems from external attacks. However, OT today is far less isolated than it once was – not just in healthcare but across many industries.
The boundaries between IT and OT have blurred, and OT systems are increasingly connected to the internet in order to support remote access and to take advantage of new capabilities like real-time monitoring. OT is also moving to use more IT-standard networking protocols that make interoperability easier and more effective. As a result, OT systems and devices now make up a substantial part of the attack surface for healthcare organizations.
Indeed, OT represents a new path into the network that attackers can use to gain access to vital systems and sensitive patient information. And this path is often easier to take than it should be, because many OT systems have little or no security built into their design. For example, they typically don’t employ any data encryption, password management, or multi-factor authentication. According to the 2020 Global IoT/ICS Risk Report, 71% of industrial networks use outdated operating systems that are no longer receiving security updates, 64% use insecure passwords, and 66% are not running the latest antivirus updates.
Despite being aware of, and even concerned about, OT security risk, hospital systems, medical centers, and delivery networks are investing very little to protect their critical OT systems. A Nuvolo survey conducted by the Healthcare Information and Management Systems Society (HIMSS) found that more than 3 out of 4 (77%) healthcare systems do not include OT security in their IT budgets at all. If nothing else, this certainly takes some of the optimism out of the previously cited Guidehouse statistic on increased 2024 IT budgets.
Given the potential of cyberattacks on OT systems to cause physical harm in addition to financial devastation, healthcare organizations simply must start incorporating OT more holistically into their cybersecurity strategies. Industry watchers like McKinsey predict that attackers will increasingly turn their attention to OT in the coming years. The extremely dynamic nature of today’s healthcare networks and the lack of protection for OT systems could create a very serious security threat.
Organizations therefore need to start identifying and assessing the risks posed by ALL systems and devices – IT, IoT/IoMT, and OT – in order to uncover and then address potential vulnerabilities. After mapping out the complete attack surface, informed decisions can be made about what tools and technologies to implement to reduce risk and improve cyber resiliency.
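To make the last step concrete, here is an added example (not from the article or any vendor product) that scores a constructed IT/IoT/IoMT/OT inventory against the gaps the article lists: unsupported operating systems, default passwords, missing encryption and MFA, outdated antivirus, and internet reachability. The asset names, fields, and weights are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed inventory record; a real one would come from discovery tooling.
@dataclass
class Asset:
    name: str
    category: str            # "IT", "IoT", "IoMT" or "OT"
    os_supported: bool       # vendor still ships security updates
    default_password: bool   # factory or shared credential still in use
    encrypts_traffic: bool
    mfa: bool
    internet_reachable: bool
    av_current: bool

# Illustrative weights (assumption): the gaps the article calls out for OT
# weigh most; internet exposure doubles the score since it opens a direct path.
WEIGHTS = {
    "unsupported_os": 4,
    "default_password": 3,
    "no_encryption": 2,
    "no_mfa": 2,
    "av_outdated": 1,
}
EXPOSURE_MULTIPLIER = 2

def findings(a: Asset) -> list:
    """Return the list of control gaps present on one asset."""
    f = []
    if not a.os_supported:   f.append("unsupported_os")
    if a.default_password:   f.append("default_password")
    if not a.encrypts_traffic: f.append("no_encryption")
    if not a.mfa:            f.append("no_mfa")
    if not a.av_current:     f.append("av_outdated")
    return f

def risk_score(a: Asset) -> int:
    base = sum(WEIGHTS[f] for f in findings(a))
    return base * EXPOSURE_MULTIPLIER if a.internet_reachable else base

# Constructed sample assets spanning all four device classes.
INVENTORY = [
    Asset("ehr-db-01", "IT", True, False, True, True, False, True),
    Asset("infusion-pump-12", "IoMT", False, True, False, False, False, False),
    Asset("hvac-plc-03", "OT", False, True, False, False, True, False),
    Asset("badge-reader-07", "IoT", True, False, True, False, False, True),
]

def report(assets=INVENTORY):
    """Highest-risk assets first, with the gaps that drive each score."""
    ranked = sorted(assets, key=lambda a: (-risk_score(a), a.name))
    return [(a.name, a.category, risk_score(a), findings(a)) for a in ranked]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Run as-is, the internet-reachable OT controller ranks first, which is the prioritization signal the attack-surface exercise is meant to produce.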