Five cybersecurity predictions for the Health area in 2023 – Observer

Healthcare continues to face dramatic challenges as we move into 2023. Long-predicted staff shortages, accelerated by COVID-19, are having an impact on healthcare delivery across the world. Furthermore, cyber-attacks continue to rise even though, somewhat ironically, technology is often, and quite generally, hailed as the solution to health care (including staffing) problems.

In this article, I identify 5 key trends that we see emerging as a result of the discussions we have with our customers and partners, understanding their challenges and plans.

The treatment or remote monitoring of patients (RPM), through smart devices, is not exactly new. Virtual Mercy, launched in 2015, was described in a 2016 CNN article as the “$54 million hospital with no beds.” In 2019, it revealed that for nearly 4,200 patients in its vEngagement program, they saw a 50% reduction in visits and hospitalizations in the emergency department!


With the cost of readmissions estimated at $26 billion for Medicare alone, you’d think everyone would have joined years ago… but that would be the wrong guess: reimbursement restrictions meant organizations couldn’t bill patients from a distance and, therefore, could not finance the programs.

As with many things in healthcare, COVID-19 has changed reimbursement rules, with the Centers for Medicare and Medicaid Services (CMS) publishing an interim final rule (IFC) that effectively allowed reimbursement for telemedicine and RPM.

Overnight, virtual visits and telemedicine skyrocketed, as did the number of remote patient monitoring companies. Beckers Hospital Review published a list of the top 50 RPM vendors in July 2022, and in October 2021, Best Buy acquired RPM vendor Current Health, stating that “the future of consumer technology is directly tied to the future of consumer technology.” health care”. RPM uses devices connected in the patient’s home, often a tablet or phone connected to a pulse oximeter, scales and a blood pressure cuff.

Remote care has shown value in helping to keep people out of the hospital, easing some of the burden on care teams and providing positive outcomes for patients. More patients will be enrolled, more devices will be deployed, and the vulnerability footprint within HDOs will continue to grow. Which leads to…

Recent research conducted by Ponemon identified that 12% of attacks were rooted in IoT devices. on one focus group In recent times, the most perceived cybersecurity risks in health care were, in the overwhelming majority of cases, what can be called traditional IT devices. Windows desktops and laptops that store Personal Health Information (PIS).

Given that these devices have the most “mature” security solutions, it’s alarming that emerging attack surfaces aren’t getting the attention they should. Healthcare is a carefully orchestrated system of increasingly connected services, of which clinical access to patient information is just one aspect.

IoT, OT and IoMT devices all play a critical role in the delivery of care. Building management systems control HVAC (Heating, Ventilation and Air Conditioning), elevators and refrigeration systems, which can stop the ability to provide care to patients if they are interrupted. IoT devices control parking barriers, building access and security systems. And there are a number of rapidly growing IoMT clinical devices, including nebulizers, pumps, ingestibles, drug dispensers, etc., which, again, can have a dramatic impact on patient care.

Attackers are well aware of these vulnerable areas. Gartner has predicted that by 2025 cybercriminals will have weaponized operational technology (OT) and will kill or harm humans. In an environment where people are already incredibly vulnerable, are “protection” attacks close at hand? Which leads us to:

As the technologies around IoT, OT, IoT, and IT have evolved, accountability for systems has remained in its traditional ways. OT systems, with Gartner’s grim forecast, remain the responsibility of facilities management. Medical devices fall into the biomedical engineering department, which may report to the CMO.

While these devices are often using a shared service provided by the IT team, when it comes to reviewing the repair and security of the devices, this often falls to individual teams, with IT having very limited visibility into the devices, which may have their security agents installed.

Furthermore, the priority of adding a patch to a sensitive MR machine, manually update the firmware using a USB stick for 10,000 infusion pumps (sometimes hidden) or updating the pneumatic tube system is quite low, in addition to being a logistical nightmare. Availability and uptime take precedence, leaving these known attack vectors exploitable.

The Healthcare sector needs to align all digital systems under a single point of responsibility. CMIO, CNIO and CHIO need to understand the scope of the threats (not necessarily the threats themselves) and that a single infusion pump can ultimately undermine the security of the entire hospital. I believe this needs to be led by a CIO.

However, allocating resources to conduct this supervision, training and security is challenging, leading to:

As I mentioned at the beginning, technology is often hailed as the solution to some of the key challenges facing the Healthcare sector. Technology will solve the rising cost of care by using big data to drive values-based care, increase early diagnosis and quality of care, identify disease risk factors, and improve patient safety through improved predictions of outcomes. This, to name just a few. Remote patient monitoring has proven to lower readmission rates and this is just the surface in terms of the types of conditions this is currently being applied to.

What I rarely see though is exactly how this is going to be funded and staffed. Health is being dramatically affected by staff shortages, but not only from a clinical point of view: also from an IT point of view. Many healthcare organizations have struggled to attract the best and brightest IT talent, particularly those located close to large employers in technology and finance. Unfortunately, the “work from anywhere in the world” of this post-pandemic era that we find ourselves in has only exacerbated the problem.

The organizations high tech with lots of funding they are now able to attract candidates from anywhere and offer higher salaries. Attracting, training and retaining talent is difficult. Experience is highly valuable and a requirement when understanding the complicated world of healthcare information security and vulnerability management.

As more and more information moves to the cloudit becomes less risky for healthcare organizations to contract more services to healthcare providers. cloud and use managed services to handle the provisioning, management, monitoring, and security of those services. They provide consistency, accountability and predictability, which can free up valuable resources to work on some of the innovations we mentioned above. Which leads us to:

In line with the theme of a single point of responsibility for digital security is a single security strategy. Knowing where to start is, however, a challenge. Health has no lack of security and privacy compliance requirements, however, according to the FBI, it is still the industry that suffers by far the highest number of cyber attacks. ransomware🇧🇷 With more standards to be announced in the US, this creates an overwhelming environment.

Zero-trust principles, when applied holistically in an environment, create the framework, concepts and architecture to address data, identity, workload, network and device security. In its simplest form, it provides a model that can be shared across the organization to gain buy-in and awareness of a consolidated property security strategy.

Items such as medical devices and building management systems need to be aligned and incorporated into a single security strategy to reduce the risk of a rogue device resulting in disruption of care across an organization. This has its challenges and complications, but for CISOs trying to bring all assets together under a single policy that will ultimately comply with all the rules and regulations of healthcare organizations worldwide, it’s a solid starting point.

A constant theme in these predictions is the growth of devices that are beyond the capacity of many of the existing cybersecurity tools in healthcare. Many organizations are challenged to deal with these devices that go unnoticed by traditional security tools. Even Zero-trust initiatives fail if they don’t know the device is there. There are platforms that regularly discover the existence of 40% or more devices than previously thought to have on the networks. Without complete visibility across the entire attack surface, there is no way to protect it.

Leave a Comment