Healthcare Cybersecurity: the challenges and how to mitigate the risks
Healthcare Cybersecurity: the challenges and how to mitigate the risks
Introduction
In the last decade or so, the medical and healthcare industry has been one of the highest-risk industries and main targets of cyber attacks. According to the HIPAA journal, between 2009 and 2021, there were about 4.5K reported breaches in the US, where at least 500 data records were exfiltrated [1]. This has a high cost to the industry. According to Statista (Figure 1), between March 2021 and March 2022, the average cost of a data breach in the healthcare sector amounted to over 10 million US dollars, up from 9.23 million between May 2020 and March 2021.
This, is in addition to the human cost. In fact, cyber attacks on hospitals and healthcare organizations are taking a toll on patients. In the last month alone, a French hospital canceled operations because of an attack [23], an attack on a major hospital system might have affected 20 million patients in the US [24], and a top medical institute in India was brought to a near-halt after a massive cyber attack [25]. A recent report from Sophos [26] has shown that 66 percent of healthcare organizations were hit by ransomware in 2021 (almost doubling from the previous year). The same report also shows how healthcare was the most likely sector to pay a ransom. Indeed, healthcare is the most critical of critical infrastructure, which is relied upon in life-or-death situations, and as a consequence, they are even more vulnerable and inclined to pay.
These organizations have been struggling with both the security of their IT environments and security issues and vulnerabilities around IoT and IoMT (Internet of Medical Things). Indeed, outdated IT infrastructures and lax medical devices' cybersecurity practices and defenses, are attracting cybercriminals and putting patients at risk. So far in 2022, CISA has published over 20 ICS medical advisories and alerts, for issues ranging from improper access or memory control to insufficient data protection, and technical alerts mainly about the increasing number of ransomware campaigns targeting this industry [2][3].
There is an urgent need to address this poor security posture and cyber hygiene. According to a recent report from Cynerio and the Ponemon institute [4], 56% of healthcare organizations experienced one or more cyber attacks in the past 2 years, involving IoT/IoMT devices. The report concluded that the perceived risk in IoT/IoMT devices is high, however, only a fifth of organizations self-report a mature stage of proactive security actions. 24% of attacked hospitals even noted a subsequent rise in their mortality rates! It is clearer than ever that cybersecurity must be considered right from the start, at design stages, in order to protect patient's health and personal privacy.
Figure 1. The healthcare industry has the highest average cost per breach (Statista)
Avoidable mistakes
Table 1. presents the top vulnerabilities found in medical devices so far this year (2022), based on CISA medical advisories. Unfortunately, we can see that hard-coding credentials, for instance, is still a common coding practice in these systems. This insecure practice increases the possibility of attackers gaining unauthorized access to possibly a whole product line of a particular brand, without the need for any exploit code! This also applies to the active debug code vulnerabilities where unintended entry points are left to attackers to take advantage of and gain access to the system. Many other bad coding practices are also present which highly increase the chances of exploitation, such as missing encryption, cleartext transmission of data, insufficient protection of secrets, improper input validation, etc.
Table 1. Top vulnerabilities in CISA medical advisories of 2022 (up to December).
Vulnerabilities
# of products
Use of hard-coded credentials
Improper access control
5
Missing authentication for critical function
Uncontrolled resource consumption
Active debug code
Relative path traversal
Cross-site scripting
3
Cleartext transmission of sensitive information
Missing encryption of sensitive data
Improper input validation
Use of a broken or risky cryptographic algorithm
Protection mechanism failure
Insufficiently protected credentials
2
The inability to implement appropriate security practices and processes explains why the healthcare industry is one of the highest risk industries, especially if we include all the issues around IoT and IoMT, which are becoming ubiquitous in hospitals and patients’ care in general. One basic step towards securing the industry is, indeed, to further secure medical devices, which are becoming increasingly connected to the rest of the world, making them the main driver of an increased attack surface throughout the industry. Shifting security left and threat modeling will help avoid these mistakes and show the different stakeholders where to invest more effort and what to prioritize.
Guidelines for the healthcare industry
The most basic requirement to protect any business from cyber attacks is to reduce the surface area that can be attacked! This can be done early on by following a secure-by-design principle where healthcare products and services are designed to be foundationally secure. It is vital that the healthcare ecosystem follows both IT and medical device security best practices to defend against increasingly sophisticated attacks on devices as well as the IT networks and systems they are connected to. Table 2. shows standards and guidelines applicable to the security of medical devices.
Table 2. Example guidelines and their coverage.
Guideline/Standard
Scope
FDA Guidelines [5]
As opposed to voluntary standards, the FDA (Food and Drug Administration) brings the power of the law (in the US) to the cybersecurity of medical devices.
This guidance [5] includes 8 security control categories and associated requirements and covers both SPDF (Secure Product Development Framework) and SBOMs (Software Bill Of Materials), which aim at covering the security and safety during the entire life cycle of medical devices.
Standards that are based on the IEC 62443 series [6]:
IEC 81001-5-1 [7]
IEC 80001-1 [8]
IEC/TR 60601-4-5 (Technical Report) [9]
These standards cover the security in the implementation and use of medical devices, health software, and health IT systems.
IEC 81001-5-1 defines the life cycle requirements for the development and maintenance of health software as per the IEC 62443-4-1, taking into account the specific needs of this domain, while the IEC 80001-1 is concerned with risk management aspects of health IT infrastructure and systems.
On the other hand, based on the seven foundational requirements described in the IEC 62443 series, the IEC 60601-4-5 technical report provides specifications for different medical device security capabilities and guidance for integration within wider IT environments.
UL 2900-1 [10][11]
UL 2900-2-1 [12]
The UL 2900-1 standard applies to any network-connected products that should be evaluated and tested for vulnerabilities, weaknesses, or the presence of malicious activity, while UL 2900-2-1 applies explicitly to the testing of network-connected components of healthcare systems.
ISO 14971 [13]
This standard specifies the fundamentals of risk management of medical devices, including software as a medical device and in vitro diagnostic medical devices.
MDCG 2019-16 [14]
The EU Medical Device Coordination Group (MDCG) publishes in this document the cybersecurity requirements relevant to the EU regulations: MDR (Medical Devices Regulation) and IVDR (In Vitro Diagnostic Medical Devices Regulation). It defines a set of security requirements and good practices, some of which are linked to the NIS Directive Cooperation Group [15].
IMDRF/CYBER WG/N60 [16]
The International Medical Device Regulators Forum (IMDRF), a voluntary international group of medical device regulators, publishes its general principles and best practices for medical device cybersecurity.
The forum recommends proactively addressing cybersecurity threats at the design stage, e.g., via threat modeling.
They define a set of security requirements and architecture design patterns that are suitable for these environments, many of which are derived from other standards and guidelines including the ISO 27000 family, NIST's SSDF, or OWASP.
NIST SP 800-160 [17] & the more practical NIST SP 1800-8 Practice Guide [18]
The NIST SP 800-160 describes a basis for establishing principles, concepts, activities, and tasks for engineering trustworthy secure systems, regardless of the system's purpose or domain area, which would include healthcare and other critical infrastructure sectors.
The NIST SP 1800-8, on the other hand, comes from a more practical series (the NIST 1800 series), and in this instance, it analyzes risk factors in and around the infusion pump ecosystem and develops an example implementation that demonstrates how healthcare delivery organizations can use standards-based, commercially available cybersecurity technologies to better protect it.
Applicability of IT-specific ISO 27001 requirements and 27002 controls [19][20]
ISO/IEC 27001 is an IT cybersecurity standard that's essentially a specification for an effective Information Security Management System (ISMS), with ISO/IEC 27002 providing a reference set of information security controls and implementation guidance.
While they are IT-specific, they are based on a set of best practices that cut across platforms and software packages, and domain areas, which can be relevant to help both manufacturers of medical devices and other healthcare organizations to minimize the risk (whether related to data/privacy or patients’ safety).
OWASP's secure by design principles and secure coding practices [21][22]
The Open Web Application Security Project (OWASP) has become one of the most trusted communities and a reliable source of security recommendations and best practices. Its secure coding best practices, and security design principles, define what fundamentals programmers should adhere to and provide valuable checklists of risky coding patterns and how to avoid them.
How can IriusRisk help?
IriusRisk will help you identify, mitigate, and track security risks and/or requirements as described in a number of cyber security standards, frameworks, and best practices guidelines, including the IEC 62443 standard series (parts 3-3 and 4-2), OWASP checklists, or the MITRE ATT&CK framework. Take a look at our recommendation of making threat modeling a keystone habit in your organization [27]. View the Article here.