Figure 1: Breaches reported by HIPAA Covered Entities per U.S. HHS “Wall of Shame”
A study conducted by Cynerio and the Ponemon Institute, which surveyed experts in leadership positions at 517 healthcare systems, found that IoT/IoMT devices in hospitals were involved in 88% of data breaches in the past two years. Security researchers who analyzed 200,000 infusion pumps from seven different manufacturers found that as many as three out of four pumps had known security flaws. While this data only emphasizes what we already know, namely that healthcare cybersecurity is currently not effective enough, it also tells us that no healthcare organization or medical device manufacturer is immune to cyber risks and attacks.
What we saw in 2022 and already in 2023
Security incident and breach trends in the healthcare industry do, unfortunately, tell a concerning story. Based on U.S. HHS “Wall of Shame” data we can observe the following:
- Since full-year reporting began in 2010, the number of reported breaches has grown at a compound annual growth rate (CAGR) of 11.2%.
- Although the number of breaches stayed flat between 2021 (714) and 2022 (712), the number of compromised records rose from 45.7 million (2021) to 52.1 million (2022), a 14% increase.
- Most concerning is the fact that “Hacking/IT Incidents” has been the sole driver of growth since 2015, accounting for 79% of reported incidents in 2022, with network servers and email the most common locations of the breached data.
- A decade ago, fewer than 20 “Hacking/IT Incidents” (under 7% of the total) were reported per year; in recent years that figure has exceeded 500 (more than 70% of the total).
Clearly, we are seeing the toll that ransomware attacks are taking on the industry. The impact of these events can be severe, shutting down hospital services, affecting national health systems, and requiring lengthy and costly recovery, sometimes lasting months.
Ransomware has not only driven the increase in attacks; adversaries are also employing strategies to increase pressure on their victims in order to raise the ransom demand, improve the likelihood of getting paid, and get paid sooner. Some of the newer strategies employed by cybercrime gangs are:
- Offering live chat support to victims.
- Destruction of backups to make recovery difficult or even impossible.
- Threats to post compromising data about patients if ransom demands are not met.
- Levying additional ransom demands directly on patients, extending the double-extortion model (encrypt the data and threaten to leak it) to third parties, a scheme often called triple extortion.
- Increasing pressure by directly threatening family members of decision makers.
Cybersecurity risks continue to impact companies and economies, with global losses estimated to reach $24 trillion by 2027. Ransomware attackers in particular are becoming increasingly capable and aggressive and are looking for new ways to increase pressure on victims. Consequently, it is entirely plausible that medical devices will be included in future targeted ransomware attacks.
Change is Imminent and Hope is on the Horizon
The unique risk of the healthcare industry, and of medical devices specifically, has been recognized, and lawmakers and regulators are taking action with the goal of guiding the industry to a better security posture. This was most recently demonstrated through the Consolidated Appropriations Act, 2023 (H.R.2617, signed Dec. 29, 2022). The implications for cybersecurity in general, and specifically for how security for medical devices is regulated and enforced, will be significant: the Act gives the FDA the mandate and authority to develop and enforce cybersecurity requirements for medical devices by adding section 524B to the FD&C Act.
Further, in its March 2023 National Cybersecurity Strategy, the White House stated that it will rely on government enforcement, recognizing that industries are moving too slowly and are not improving fast enough. The approach of giving industries time to fix the problem on their own is viewed as having failed, and a more assertive approach by the government is in the works. Specifically, the protection of critical infrastructure, including healthcare, as well as increased stakeholder collaboration and partnerships, are key elements of the plan.
The strategy is focused on five pillars:
1. Defend critical infrastructure through regulatory frameworks and minimum cybersecurity requirements.
2. Disrupt and dismantle threat actors in cooperation with the private sector and international authorities.
3. Shape market forces to drive security and resilience by promoting investment in secure infrastructure and by shifting liability for secure software products and services to the producers.
4. Invest in a resilient future through cyber-workforce development and cybersecurity R&D.
5. Forge international partnerships to counter threats and create reliable and trustworthy supply chains.
These activities are in line with many other efforts across the government and private sectors, domestically and internationally. For example:
- A recent proposal by the SEC to introduce rules on cybersecurity risk management, strategy, governance, board responsibility, and disclosures.
- FDA’s announcement that, beginning Oct. 1, 2023, and based on section 524B of the FD&C Act, it expects premarket submissions to contain cybersecurity information, and that FDA may Refuse to Accept (RTA) submissions that do not.
- The Cybersecurity and Infrastructure Security Agency’s (CISA) publication of a set of “Secure by Design” principles that push responsibility for product security onto the manufacturers of software-based technology.
- A changing regulatory landscape in the EU that raises the bar on cybersecurity for device manufacturers seeking market approval via MDR/IVDR as well as critical infrastructure industries (including healthcare services and supply chain) under NIS2.
Both domestically and internationally, a set of common and consistent themes is emerging:
- Software and software-based products need to meet higher standards for cybersecurity.
- The responsibility for cybersecurity is shifting to earlier in the supply chain, i.e., to the manufacturer rather than the operator (“shift left”).
- Companies need to become more transparent about security risks and incidents and do a better job at communicating, managing, and maintaining their products’ security posture.
- Companies in the critical infrastructure sectors in particular, including healthcare, are seeing governments impose new and stricter security requirements, including the need for better security, more transparency, and executive accountability.
Cybersecurity has now become a business priority; it is no longer something that can be delegated to a group of engineers, no matter how capable, with the hopes that this can be fixed purely on a technical level.
Boards of directors, executives, and business decision-makers need to demonstrate competency, consider cybersecurity risks, and protect the company infrastructure. It is foreseeable that board members and executives will become personally liable for failures in security.
Through the legislative and regulatory action of the past few months, it has become clear what we can expect for the remainder of the year. Although some details may yet have to be defined, there should be no doubt about the direction a company’s security strategy must take. The sky is not falling, but we need to proceed with a sense of urgency and take action now.