Risk management in the age of ransomware

The past few months have been a cyber-turbulent time for healthcare providers. In just the last two months of 2020, Health IT Security reported a 45% spike in attacks and confirmed that the healthcare sector accounts for nearly 80% of all reported data security breaches across industry.  Even worse, there appears to be no relief in sight, as this same trend is expected to continue in 2021. 

For an industry that is hit two to three times greater than any other, the takeaway is clear: healthcare providers must have capable defense systems that are up to the task. Put simply, an integrated approach to asset management and cybersecurity is the right path forward. It’s a proven approach that scales to connected health’s known management complexities as we understand them now, and as we plan for an even more fragmented, distributed future.  

While there are no “silver bullets”, here are several organising steps to consider when putting together a risk management strategy aimed at reducing the chance and/or damaging impact of a successful cyberattack:

1. Accurately Assess Device Risks

Risks need to be assessed in appropriate context. This requires a combination of cybersecurity and clinical expertise. The ability to identify different types of risks paired with an understanding of respective tolerance levels is an essential first step. A healthcare-specific risk framework can help make these nuanced determinations. It can not only identify and score risks so they can be appropriately evaluated and prioritised, but it can also document a health system’s compensating controls, so that health systems know the details of the risks they decide to accept.  

2. Manage Vulnerabilities

Because medical devices are networked and often directly connected to patients, the associated risks must be managed differently than traditional IT. For example, while it’s safe to conduct a vulnerability scan of a PC connected to a printer, it’s not safe to scan an infusion pump connected to a human being. Health systems must be able to distinguish between the assets hosted on their networks, and they need an understanding of their location and status. Otherwise, security patching and other maintenance interventions cannot be performed without risk to care delivery.  

3. Recommend Appropriate Remediations and Mitigations

Shutting down devices or blocking communications between assets can have dire consequences to patients. Rightfully so, clinicians are not interested in security provisions that introduce more latencies and risks than they resolve. Security provisioning must be an enabler of care delivery, not an unwelcomed set of additional constraints. When the interests of security and clinical context are shared and understood, it allows healthcare organisations to enforce policies and risk abatement strategies through network-based control points (e.g., firewalls, NACs, etc.). At a minimum, these strategies can prevent attack propagation without interfering with ongoing operations or the delivery of care.

4. Maintain Good Clinical Cyber Hygiene

To prevent the spread of threats within clinical networks, health systems must have the ability to constantly discover, assess, and manage the cybersecurity risks that medical, clinical and other unmanaged connected devices introduce to the clinical network. In an era where cyberattacks are a 24/7 threat, hospital leadership must invest in the resources required to create an environment where cyber hygiene improvements are a continuous process (i.e. constantly monitored, assessed, with remediations logged and progress measured). 

5. Consistently Protect from the Core to the Edge – Don’t Forget About Clinics

Healthcare delivery continues to fragment. From the acute care inpatient anchor, to outpatient clinics, and all the way to the patient’s in-home bedside, the same level of rigour must be applied. While securing the devices hosted on an outpatient network may be less demanding than securing those hosted on inpatient networks, an interconnected ecosystem is never stronger than its weakest link. Traditional defense perimeters are quickly dissolving. Effective security designs must acknowledge this. 

6. Operationalise Risk Management Programmes

Investments in the infrastructure and tooling required to defend against ransomware should be considered in an ROI-based programmatic context. Getting things right means taking advantage of the right kinds of automation, which at a minimum means eliminating outdated, manual routines and costly process inefficiencies. Whether in the form of enhanced workflows, cross-functional workflows or increased asset utilisation, effective risk management programs deliver operational leverage that can be monetised. The OPEX labor savings are not difficult to measure. The CAPEX utilisation-based savings benefits being uncovered are also very interesting, especially given average asset srates across the industry are currently running below 50%.