Death Due to Cyber Attack Has to be a Wake-up Call

A tragic milestone has been crossed this year. While, yes, the tragedies do seem to be manifold – one tragedy in particular stands out in our field. The first death linked directly to a cyber attack.

Earlier this year, in Dusseldorf, Germany – not three hours from my home – a ransomware attack crippled a hospital’s systems, requiring all ambulances to be rerouted to other emergency rooms. One ambulance, however, did show up at the targeted hospital with a patient in critical condition. The patient did not survive the rerouting to an alternative facility.

This is tragic. Threats in the digital world have made the jump to the physical. The threat to people is no longer theoretical or about personal inconvenience. They are no longer about a simple rejection of a fraudulent payment. Unfortunately, the threats seem to be multiplying.

Since the beginning of the COVID-19 pandemic, online crimes have roughly quadrupled.While hospital in Dusseldorf may not have been the the intended target, hospitals are quite vulnerable. In 2019, it was reported that 84% of hospitals didn’t have a full-time cybersecurity employee. The same report noted that, between 2016 and 2018, one-third of hospital executives purchased cybersecurity tools “blindly without much vision or discernment.” Meanwhile, healthcare organizations spend more than all other sectors on data breach recovery.

It is a mixed blessing, then, that internet-connected devices – the internet-of-things (or IoT) – have been a boon to the healthcare industry. Doctors and employees use smartphones, tablets, laptops and digital assistants already. There is growing connectivity among diagnostic and imaging equipment, surgical robots, wearables, intelligent equipment and countless wireless sensors. There are bluetooth enabled weight scales and blood pressure cuffs that track symptoms for cancer patients. There are glucose monitors that improve the quality of life for diabetics. Apple’s ResearchKit simplifies the daily diary process for those who suffer from Parkinson’s Disease – helping both the patient and providing valuable data to assist in research. Even your smart refrigerator could send relevant data back to your doctor about your diet.

All of these innovations have been a net-benefit for the quality of healthcare that we receive. Alan Mihalic, president and founder of the IoT Security Institute, has noted that “with all this data, [doctors] can look at how to improve their service and lower the cost to deliver that service. But moreover, it’s a question of moving from a reactive to a proactive healthcare model.”

With all of these new devices, coming from different manufacturers, installed and run by smart medical professionals who may or may not have IT security experience – it’s no wonder that the hospital’s attack surface has grown immeasurably in the last few years. 92% of the purchasing decisions regarding data security between 2017 and 2019 were made at the C-level and didn’t include the affected department managers nor the users that would be impacted by such decisions. Across the industry, there is almost no reliance on secure authentication – after all, the urgent nature of hospitals require a system that provides relevant information to an emergency room doctor on demand.  Additionally, hospitals are notoriously plagued by budget constraints. Replacing or upgrading legacy software tends to come with a price tag leading to outrageous statistics like: 56% of healthcare providers still use Windows 7! What money there is for IT is usually not earmarked for security. 90% of institutions report that their security budgets have remained level or decreased since 2016.

But what can be done about it? It is vital to be aware of current best practices.

In 2019, the National Institute of Technology Standards (NIST) published a report, NISTIR 8828, detailing “Considerations for Managing Internet of Things Cybersecurity and Privacy Risks”. In it they highlight three high-level methods of mitigation. Simply put, they are:

  1. Protect device security.
  2. Protect data security.
  3. Protect individuals’ privacy.

Those responsible for outfitting and managing a hospitals IT infrastructure need to be thoughtful about the way in which they incorporate connected devices. Mitigating cyber risk is crucial for any industry, but there is no room for error in healthcare. The rapid shift this year to remote work has opened a significant number of vulnerabilities for hackers to exploit. Unfortunately, fixing vulnerabilities is much more difficult than it sounds, especially for an always-on operation like a hospital.

But it is possible to start at the beginning. Authentication – the process by which we gain privileged access to devices and records – that can be secure, frictionless, interoperable with other devices and based on industry tried-and-tested standards can begin to close the gap in these vulnerabilities. Unfortunately, it would require challenging the status quo – a status quo that carries with it significant inertia.

But, with human lives at stake, it is clearer than ever that the status quo is not good enough and needs to be challenged.

As this is cybersecurity awareness month, let us all take a moment to consider our underlying assumptions and where we might be able to improve them. IoT devices in healthcare can provide significant improvements in how patients are treated and how research is done. But it needs to be protected and “good enough” security of the past is simply not good enough anymore. At least, it wasn’t for that patient in Dusseldorf.