Healthcare Needs Effective Cyber Risk Management

By Richard Staynings, Chief Security Strategist and Cybersecurity Evangelist


How do those in the healthcare industry start protecting themselves from ever-increasing cyber risks?

Richard Staynings and Michael Archuleta address the Rocky Mountain Health IT Summit today.

Today we live in an era of escalating cyber threats from criminal groups and hostile nation states intent on disrupting our business and personal lives. Regrettably, this now includes life-sustaining healthcare technologies. As if that weren't enough, the healthcare industry is also in the process of transforming to near-complete reliance upon information technology and Internet of Medical Things (IoMT) technologies.

In fact, Healthcare IoT (HIoT) devices are reportedly growing at around 20% per annum globally, which means the attack surface gets bigger every day. This includes a proliferation of medical devices, pharmacy and surgical robots, AI-augmented labs and diagnostic systems, and network-connected hospital building management systems that control elevators, HVAC and similar plant.

A modern-day hospital cannot function for long if any of these systems fails. Together they present attackers with a very large attack surface on which to find a weakness or vulnerability, exploit it, and establish a beachhead for further attacks. Their goal? Perhaps the theft of medical records and personal identities, or holding hospital data, and with it patient care, to ransom.

What Can Be Done To Combat These Risks?

The first step is for hospital CEOs and their boards to obtain an accurate understanding of their risks. This means a full inventory of all of their IT, HIoT and data assets, including what software each device runs and what it is connected to, something most smaller hospitals lack entirely.

Then, remediation of the identified security risks needs to be prioritized in order to reduce overall enterprise risk and the threat to patient safety. This requires disciplined, established, and documented processes, together with quality resources, whether people, tools, or a combination of the two.

Above all, this requires effective cybersecurity governance, sponsored at the highest levels of the board and reinforced all the way through the organization. Sadly, too many hospital CEOs and their boards have yet to take this step.

Effective cybersecurity has always been about the combination of people, process, and technology. Perpetrators of cyber-crime are hell-bent on exploiting every weakness, with no regard for patient safety. As cyber defenders we need to employ the best processes, skilled security resources, and the most effective technologies in the defense of our diagnostic and clinical systems. It also means that out-of-date and end-of-life systems should be replaced, and all other systems updated regularly with security patches, especially if your hospital still runs an early version of Windows. According to some sources, up to 56% of health providers still rely on legacy Windows 7 systems, and many still run a version of Windows XP on their medical devices, even though Microsoft ended security updates for Windows XP in April 2014 and for Windows 7 in January 2020. Where a medical device cannot be patched or replaced promptly because its software is tied to a vendor-validated configuration, it should at minimum be isolated on a segmented network with tightly restricted access until it can be.
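As an added illustration of the inventory-then-prioritize steps described above (this is example code written for this page, not Cylera's product or the article's own method), the script below takes a small constructed inventory and ranks each asset by three factors: whether its operating system is end-of-life or unpatched, how exposed it is on the network, and how directly it touches patient care. The end-of-support dates for Windows XP and Windows 7 are Microsoft's published ones; the weightings, the 90-day patch threshold, the sample hosts and the treatment of anything not in the end-of-life table as supported are assumptions made for the example.

```python
"""Prioritise remediation across a hospital asset inventory.

Added example for this page (not Cylera's code). Ranks each asset by the
product of three factors the article calls out: whether its OS is end-of-life
or unpatched, how exposed it is on the network, and how directly it touches
patient care.
"""
from dataclasses import dataclass
from datetime import date

# Microsoft's published end-of-extended-support dates for the two OSes the
# article names. Paid Windows 7 ESU contracts ran later and are ignored here.
# Assumption: any OS not listed is treated as still supported.
END_OF_LIFE = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumed weightings (not from the article): how much each factor multiplies risk.
EXPOSURE_WEIGHT = {"segmented": 1, "flat": 2, "internet": 3}
SAFETY_WEIGHT = {"business": 1, "diagnostic": 2, "life_sustaining": 3}
STALE_PATCH_DAYS = 90          # assumed threshold for "unpatched"
AS_OF = date(2023, 10, 1)      # assumed assessment date


@dataclass
class Asset:
    name: str
    kind: str            # e.g. "infusion pump", "PACS server"
    os: str
    exposure: str        # key of EXPOSURE_WEIGHT
    safety: str          # key of SAFETY_WEIGHT
    last_patched: date


def is_end_of_life(os_name: str, as_of: date) -> bool:
    """True if the vendor stopped shipping security fixes before as_of."""
    eol = END_OF_LIFE.get(os_name)
    return eol is not None and eol < as_of


def platform_score(asset: Asset, as_of: date) -> int:
    """3 = no fixes exist (EOL), 2 = fixes exist but not applied, 1 = current."""
    if is_end_of_life(asset.os, as_of):
        return 3
    if (as_of - asset.last_patched).days > STALE_PATCH_DAYS:
        return 2
    return 1


def risk_score(asset: Asset, as_of: date) -> int:
    """Multiply the three factors so a weakness on a patient-connected,
    flat-network device outranks the same weakness on a segmented office box."""
    return (platform_score(asset, as_of)
            * EXPOSURE_WEIGHT[asset.exposure]
            * SAFETY_WEIGHT[asset.safety])


def recommended_action(asset: Asset, as_of: date) -> str:
    """EOL hosts cannot be patched: replace them and isolate them meanwhile.
    Stale hosts get patched; the rest only need their exposure reduced."""
    if is_end_of_life(asset.os, as_of):
        return "replace; isolate on a segmented VLAN until replaced"
    if platform_score(asset, as_of) == 2:
        return "apply outstanding security patches"
    if asset.exposure != "segmented":
        return "move to a segmented network zone"
    return "maintain"


def prioritise(inventory, as_of: date):
    """Return (name, score, action) tuples, highest risk first."""
    ranked = sorted(inventory, key=lambda a: risk_score(a, as_of), reverse=True)
    return [(a.name, risk_score(a, as_of), recommended_action(a, as_of))
            for a in ranked]


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    Asset("pump-icu-07", "infusion pump", "Windows XP", "flat", "life_sustaining", date(2013, 6, 1)),
    Asset("pacs-01", "PACS server", "Windows 7", "segmented", "diagnostic", date(2019, 12, 1)),
    Asset("hvac-ctl", "building controller", "Linux", "internet", "business", date(2022, 11, 1)),
    Asset("ehr-app-02", "EHR app server", "Windows Server 2019", "segmented", "diagnostic", date(2023, 9, 20)),
]

if __name__ == "__main__":
    for name, score, action in prioritise(SAMPLE_INVENTORY, AS_OF):
        print(f"{score:3d}  {name:12s}  {action}")
```

Run against the sample inventory, the XP infusion pump on a flat clinical network comes out first (score 18), ahead of the Windows 7 PACS server and the unpatched, internet-facing building controller (both 6); the currently patched, segmented EHR server scores 2 and needs no action. In a real deployment the inventory would come from a discovery tool rather than a hard-coded list, and the weights would be agreed with clinical engineering, but the ranking logic is the same.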


The costs of upgrading may appear prohibitively expensive, but the reputational and financial costs of a breach or ransom attack could be life-threatening, for the business and for its patients.


Fortunately, many small facilities and critical access hospitals have prioritized security and are already reaping the benefits of their early investment in IT and cybersecurity. They are able to offer more profitable and cost-efficient services to patients via secure online portals, telehealth, and telemedicine, among other services. Their success proves that security is not rocket science, just the combination of good people, well-thought-out processes, and effective technology.

How can Cylera Help You Get Started?

To learn how Cylera can help automate the inventory and risk analysis of your HIoT devices, please contact us for a no-obligation introductory call. We are happy to share what we have developed whether or not you are in a position to buy anything. Knowledge is power, and the better informed you are, the better able you are to protect your patients from previously unknown risks.
