Cyber hygiene is as important as medical hygiene. Neglecting it poses potentially dangerous outcomes for masses of patients in ways that are hard to predict.

After decades in which the healthcare system has suffered from the cyber-pandemic’s unpredictable outcomes, there is light at the end of the tunnel: healthcare officials expect that in the coming years, modern governmental legislation that treats the healthcare system as a strategic asset will dictate strict cybersecurity strategy plans and better auditing mechanisms to standardize the cybersecurity landscape across the industry.

Meanwhile, as imminent cyber breaches are inevitable, healthcare facilities must act solo. To contain threat actors, prevent ransomware from spreading throughout their systems, and prepare for the worst, an action plan is required:

Awareness, Technologies, and a Combination of the Two

Cyber education programs should be deployed in addition to cyber prevention tools.

Cybersecurity policies and guidelines need to be spelled out and made accessible to all employees and patients alike. IT teams should regularly stress the potential threat vectors to the facility’s workers. Staff at all levels with access to the hospital’s network should acknowledge the importance of looking at emails with suspicious eyes and avoid clicking on suspicious links and attachments.

As cyber awareness and training are an integral part of the staff’s work plan, they must have a dedicated budget clause as well as scheduled and surprise external penetration testing drills. Such drills should test the readiness of the entire staff, tech-savvy and non-tech-savvy alike.

Zero Excuses – One (or more) Business Continuity Plan

Much of the challenge lies not in technology but in good business continuity planning. When budget constraints prevent hospitals from replacing out-of-date or unsupported systems, a future budgeting plan is the least that should be expected. Such a plan should include a list of existing out-of-date technologies and a schedule for their renewal and replacement.

Tighter communication should exist inside a healthcare facility as well as with other healthcare systems.

Hospitals should be encouraged to report to staff, patients, and the public as soon as they experience a cyber event. Transparency, integrity, and open communication are key to concluding and healing the system. Such interaction should consist of knowledge sharing and best practices for prevention and mitigation. Moreover, a facility that has experienced a cyber incident should transparently disclose its findings, path of exposure, and outcomes. Such information has the potential to save other facilities and better prepare them to avoid the same fate.

Had a Diagnostic Test Lately?

Like new medicine, treatments, or equipment, APIs should be thoroughly tested before they are integrated with the healthcare facility’s production network. Taking the time to thoughtfully stress-test APIs for vulnerabilities before going live can save a lot of time, effort, and funds in the future.

We recommend that the diagnostic tests include an overall check of whether you have imposed a stronger password structure and enforced MFA (multi-factor authentication) across all systems within the organization. Invest in PAM (privileged access management) tools to mitigate the risk and strengthen the protection of privileged access. This will limit the ability of threat actors to gain access to credentials and other sensitive information. To complete the circle, set tougher policies for devices external to the organization’s network.

The Man in the CT

Medical equipment manufacturers should reduce vulnerabilities by analyzing and fixing any security loopholes, running internal pen tests to scale up their security against future threats, and applying digital signatures (or watermarks, also called “DW”) to scan test results. By doing so, hospitals gain a security force multiplier: hackers struggle to get in between the equipment and the end device. The end devices can sign each scan with a secure and hidden signal to ensure the authenticity and integrity of the scanned imaging.
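The sign-then-verify check described above, as an added example that is not code from the original article or from any equipment vendor. It uses HMAC-SHA256 from the Python standard library as a stand-in for the device's digital signature, so the verifier shares the device key, whereas an asymmetric signature would let workstations verify without being able to sign. The key, the device, study and patient identifiers, and the pixel bytes are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions, not taken from the article).
DEVICE_KEY = b"constructed-demo-key-for-scanner-CT-01"
METADATA = {"device_id": "CT-01", "study_id": "S-1001", "patient_id": "P-0001"}
PIXELS = bytes(range(256)) * 4  # stand-in for the image payload


def _message(metadata: dict, pixels: bytes) -> bytes:
    """Bind metadata and image together so neither can be swapped alone."""
    meta = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    # The length prefix removes ambiguity about where the metadata ends.
    return len(meta).to_bytes(8, "big") + meta + hashlib.sha256(pixels).digest()


def sign_scan(key: bytes, metadata: dict, pixels: bytes) -> str:
    """Run on the imaging device: return a detached tag for the scan."""
    return hmac.new(key, _message(metadata, pixels), hashlib.sha256).hexdigest()


def verify_scan(key: bytes, metadata: dict, pixels: bytes, tag: str) -> bool:
    """Run on the viewing workstation before the scan is displayed."""
    expected = sign_scan(key, metadata, pixels)
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    """Verify one untouched scan and three altered variants of it."""
    tag = sign_scan(DEVICE_KEY, METADATA, PIXELS)
    altered = bytearray(PIXELS)
    altered[100] ^= 0x01  # a single flipped bit in the image
    other_patient = dict(METADATA, patient_id="P-0002")
    return {
        "untouched": verify_scan(DEVICE_KEY, METADATA, PIXELS, tag),
        "pixel_changed": verify_scan(DEVICE_KEY, METADATA, bytes(altered), tag),
        "metadata_swapped": verify_scan(DEVICE_KEY, other_patient, PIXELS, tag),
        "wrong_key": verify_scan(b"some-other-key", METADATA, PIXELS, tag),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:17} accepted={accepted}")
```
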

In addition to medical equipment, security technologies must be applied in all other IT administrative systems, such as email. Extra attention must be paid to files that can include embedded malware. Introducing CDR or Deep-File Analysis technology for files arriving via multiple channels such as Microsoft 365 Exchange Online, Teams, OneDrive, SharePoint, or other sources is an effective best practice to ensure all files are malware-free.

Code Red

When worst comes to worst, healthcare facilities must have a well-trained and receptive trauma response team for cyber incidents. As it would for an earthquake, a hospital should implement protocols for cyber breaches. These should include downtime procedures to proactively take systems offline, and address key items:

  • Lists of critical assets.
  • Downtime limitation plan. Backups for sensitive patient data and core systems.
  • Up-to-date contact information for all relevant vendors and service providers who would be affected by the breach.
  • How to get in touch with staff and as many as tens of thousands of patients in the event of a cyber-incident. Such a plan should go all the way to thinking of a scenario when the phone systems are unavailable.

Such a “playbook” should be available both digitally and in hard copy and include all relevant contact people, inside and outside the facility, with their responsibilities.

Crypto is Thicker Than Blood

Typically, hackers demand a ransom payment in the form of cryptocurrency. This is a risk-free, anonymous method of receiving untraceable funds, with no way of tracking and identifying the destination account, which keeps threat actors safe from the authorities.

Testimony to the underprioritizing of cybersecurity budgets can be found in countless annual reports demonstrating how, year after year, the industry’s investment is insufficient compared to the rising level of threats.

Cybersecurity attacks impose enormous financial expenses on hospitals, which they surely don’t have. In most cases, hospitals’ unforeseen post-breach expenses include incident response and forensics teams, disaster recovery plans, and yes, in some cases also the ransom payment. This is ten times pricier than allocating budgetary foundations for prevention and detection tools, tech-savvy personnel, and cyber awareness programs.

The cost of a cyber breach in the healthcare industry keeps breaking records. For the 12th year in a row, the healthcare sector had the highest average data breach cost of any industry, which represents a 42% increase in cost since 2020. According to an IBM report, in 2022 the average total cost of a breach in the healthcare industry rose to $10.1 million. With the rest of the business sectors “settled” at an average cyber-breach cost of $4.35 million, it is no wonder the healthcare sector, as the most expensive industry, is the golden goose of hackers and cybercriminals for the years to come.

Until an Exploit Do us Part

With the welcoming of 2023, it seems like states are finally taking responsibility for their healthcare systems. But the transition won’t happen overnight.

Governmental and municipal agencies should bolster their interface with healthcare facilities: establish dedicated “red lines” for concurrent cyber-attacks, improve hospital preparation by conducting joint war exercises, and allocate funds to provide a basic level of cyber readiness for smaller facilities that lack resources.

Hospitals’ senior management should embrace the fact that investing budgets in skilled IT staff, cyber awareness programs, and state-of-the-art anti-malware tools is much cheaper than overcoming a successful cyber incident.

The threats of the next CyDemic must be voiced by patients, the IT communities, and officials at all times. Can we still prevent the next cyber-pandemic? As with global warming, we might slow it down or reduce its destruction radius, but unless we all step up, it will be here sooner rather than later.
