Hello Dr Ayala Maurer-Prager, please introduce yourself and your role.
“Hello! I’m Dr Ayala Maurer-Prager, and I’m a Director within FTI Cybersecurity’s EMEA team. I lead our Healthcare and Life Sciences work in the region, and also serve as one of the firm’s Diversity Ambassadors. My role is focused around helping clients achieve the strongest possible levels of cyber resilience and regulatory compliance, as well as supporting recovery efforts and complex investigations in the aftermath of a range of cyber incidents.”
Tell us about the cyber threat landscape for the healthcare industry – what risks is it facing?
“Due to the huge amount of personal data collected and the significant revenues generated by its biggest players, the healthcare industry has long been an attractive target for threat actors – and even more so against the backdrop of COVID-19.
“One of the most prominent risks faced by the industry involves IoT-connected medical devices. Although things like wearable sensors provide valuable information to healthcare providers and represent huge progress within the remote patient monitoring space, insecure transmission channels and improperly sourced hardware and software can expose sensitive patient data to unauthorised parties.
“Insider threat and risks to intellectual property and R&D data are also current concerns, given the importance and value of innovation in the healthcare industry. In this context, it is critical to ensure that data is appropriately classified and adequately protected, both at rest and in transit – and that monitoring is deployed across businesses’ environments to track how, where and why data moves across and between systems and networks.”
What is cyber resilience and how can healthcare companies become more cyber resilient?
“Cyber resilience is the ability to prevent and withstand a breach of cybersecurity – the ability to provide services regardless of adverse cyber events. Becoming more cyber resilient involves:
- Understanding your environment (know your network and data)
- Preparing in advance (basic hygiene controls)
- Withstanding while under attack (segmentation, backups, etc.)
- Practising for the real thing (testing an incident response plan for quickest possible restoration).”
How can we address the risks of integrating medical robotics into patient care?
“Many of the risks associated with medical robotics are linked with the potential for exploitation by individuals or groups with nefarious intent. In order to mitigate this risk, it is important to ensure that remote access to these devices is properly secured, and that the default passwords they are supplied with are changed in line with organisational policy.
“In addition, it is critical that patches and updates are applied as soon as they become available; keeping the operating systems of these devices current is important in ensuring they remain protected against known vulnerabilities.”
Post COVID-19, how resilient is the healthcare supply chain? Does it pose cyber risks?
“COVID-19 exacerbated the issues associated with a supply chain that has long been pressured by interdependencies, demand, cost, and competition. The healthcare supply chain has stabilised to an extent, with the technological stockpiling that we saw at the start of the pandemic having somewhat subsided.
“However, the result of this initial shortage was a scramble for alternative suppliers of device components who may not have been properly assessed for the quality and security of their products. There is significant cyber risk posed by unvetted device parts which may carry inherent vulnerabilities, so a robust and security-focused vendor assessment process is crucial to maintaining a strong and secure supply chain. Plan ahead now to prevent similar critical issues from occurring.”
If a hospital is hit with a cyber attack, what should its incident response strategy look like?
“Hospitals must ensure that individuals and teams responsible for incident response implementation are fully briefed and well-practised on established strategies and procedures, to ensure swift, decisive action is taken when required.
“Highly effective strategies often include threat isolation, investigation and analysis of impacted sensitive data, remediation plans that include air-gapped and tested backups, and restoration practices that meet a maximum allowable outage time requirement. Should the worst happen, incident response strategies should include IT and business continuity processes and internal and external communications plans, as well as provisions for initiating contact with external incident response specialists, insurers and – depending on the data impacted – specific regulatory bodies.”
What does FTI Consulting’s cybersecurity practice offer? What work have you done with healthcare companies?
“FTI Consulting’s Cybersecurity team works across cyber readiness, incident response, and complex investigations to provide a truly 360-degree service to the healthcare industry. Recent readiness work has seen the team assess the cybersecurity maturity of a large pharmaceutical company, provide penetration testing services to a radiology-focused healthcare provider, carry out cyber due diligence for M&A transactions, and prepare a global dental business for ISO 27001 certification.
“In addition, we recently handled threat actor negotiations for a hospital in the Middle East following a significant ransomware attack and performed a digital forensic investigation for a veterinary pharmaceutical client. Whilst the services that we provide are many, our core focus is always on the specific risks faced by the client with an emphasis on the most organisationally appropriate and cost-effective ways to mitigate them.”
What’s your outlook for the next 12 months for cybersecurity in the healthcare industry?
“The enormous rise in attacks on healthcare providers throughout COVID-19 has exposed significant vulnerabilities in this industry. With an increasing number of hospital boards recognising the need to be proactive in managing cyber risk, I’m expecting more strategic, targeted investments in organisational cyber resilience. This is especially important due to the ever-evolving sophistication of techniques used by threat actors to exploit networks, devices, and systems; techniques that will likely continue to develop over the next 12 months to target, for example, data stored on, and transmitted by, the IoT devices upon which patients and healthcare providers rely.
“Whilst it is not always possible to anticipate how and when a threat actor might strike, understanding likely targets – and acting on that risk-based intelligence – provides businesses with the best chance of protecting critical assets.”
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities. ©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com