
    3 Ways Healthcare Organizations Can Prepare for New Cybersecurity Requirements

    Strategies to combat rising cyber threats in the healthcare industry

    Editor’s Note: This article was originally published in 2024 and has been updated to include the EU Action Plan information.

    Healthcare organizations are highly vulnerable to cyberattacks, averaging 1,463 cyberattacks per week in 2022, up 74% compared to the previous year [i]. The healthcare industry has also ranked highest in data breach costs for 12 years in a row [ii]. The potential impact of a cyber incident is not just financial: the consequences can be fatal [iii].

    Hospitals and healthcare providers are targeted for several reasons. First, they are vulnerable targets, and attackers seek to exploit them for the notoriety of claiming they successfully shut down such critical facilities. Healthcare data is also in high demand on the dark web and can fetch a hefty sum for attackers.

    Another major reason hospitals are targeted is that they have large operational technology (OT) environments with thousands of entry points. On the medical side, this includes a vast array of equipment, from MRI machines to ventilators. On the building side, it includes assets like fire and life safety systems, HVAC and access control. The sheer volume of assets provides an attack surface far larger than almost any other industry. Moreover, many of these systems operate on legacy frameworks, making them more susceptible to exploitation.

    EU Action Plan on the Cybersecurity of Hospitals and Healthcare Providers

    In 2023, EU countries reported 309 significant cybersecurity incidents in the healthcare sector, more than any other critical sector. These cyberattacks can delay medical procedures and disrupt vital services. In response, the European Commission unveiled a new EU Action Plan that focuses on:

    1. Enhancing prevention of cyber threats with enhanced preparedness measures

    2. Better detection and identification of these threats with near real-time alerts

    3. Minimizing the impact of cyberattacks to mitigate additional damage

    4. Deterring cyber threat actors with the use of tools such as the Cyber Diplomacy Toolbox

    It also proposes establishing a pan-European Cybersecurity Support Centre to provide hospitals and healthcare providers with tailored guidance, tools, services, and training. These measures aim to ensure the resilience and security of healthcare systems across Europe, safeguarding patient care and maintaining the integrity of critical healthcare infrastructure. By implementing these comprehensive strategies, the EU aims to create a robust defense against cyber threats, ensuring that healthcare services remain uninterrupted and secure.

    U.S. Department of Health and Human Services considers new requirements

    In response to this increasing threat, the United States Department of Health and Human Services (HHS) published a concept paper [iv] in 2023 introducing new measures designed to help protect the sector from cyberattacks.

    These measures include:

    1. Establishing voluntary cybersecurity performance goals for the healthcare sector to help healthcare organizations prioritize cybersecurity practices.

    2. Providing resources to incentivize and implement cybersecurity practices, such as the establishment of an upfront investments program to help high-need providers.

    3. Implementing an HHS-wide strategy to support greater enforcement and accountability, which includes potential increased financial penalties for HIPAA violations.

    4. Expanding and maturing the one-stop shop within HHS for healthcare sector cybersecurity, thereby increasing HHS’ incident-response capabilities.

    The intent is to better equip hospitals with cybersecurity education and resources, as well as discourage noncompliance by strengthening HHS’ enforcement authority.

    Healthcare organizations don’t know what they don’t know

    A big security hole at many hospitals is a lack of awareness. They may think their OT systems are secure when they’re not. For instance, the systems may be air-gapped, which means they’re not connected to the internet, but most of them must be patched or updated regularly. This might mean that, on the first of every month, the systems are connected to the internet to download the patches or updates, and thus they are not truly air-gapped.

    Even if the patching and updating are done via USB, those OT systems may still not be safe. A 2024 Honeywell USB Threat study found that 51% of the malware discovered was designed for USBs [v]. Another risk is that many cyberattacks target third-party OT systems whose providers may have access rights to perform maintenance and upgrades. This opens the door to yet another threat.

    Three steps healthcare organizations should take now

    The pressure is on for healthcare organizations to fortify their systems against cyberthreats and put necessary controls and defense measures in place. Here are the top three steps they should take to get started:

    1. Create an incident response plan. This is essential for hospitals to swiftly recover if they’re hit with downtime or if critical equipment, such as ventilators or HVAC systems, is targeted in a cyberattack. Without a plan in place, a hospital can’t get back up and running quickly and efficiently, or make sure its patients and staff are safe. The plan should be tested using tabletop exercises.

    2. Maintain a full asset inventory with vulnerability management and threat detection. The reality is that most OT and control systems have an IP connection, e.g., HVAC, energy management, security, access control, video/closed-circuit television, patient monitoring, fire systems, medical devices and other IoT. However, IT often doesn’t monitor or manage these connections for cyberthreats as closely as it monitors or manages its own systems. In most cases, IT is not aware of all the devices on the OT network. It’s essential that hospitals know exactly what they have running in their environment on both the enterprise IT network and their OT network.

    3. Have a trusted partner. Securing operational technology is a complex task that lies in the intersection between engineering and cybersecurity. It requires knowledge of the underlying devices, control systems and proprietary protocols that exist in the environment, combined with cybersecurity technology and the skills required to implement the necessary controls that reduce risk. For this reason, healthcare organizations must work with trusted partners and vendors who build products that are secure-by-design, understand the underlying technology and combine it with cybersecurity experience to help them realize their risk reduction and compliance goals.

    Honeywell is in a unique position to help healthcare organizations comply with new regulatory requirements and reduce their cybersecurity risk. With 50+ years of building automation experience and millions of facilities worldwide using Honeywell technology, we understand the attack surface that healthcare organizations operate with and what controls are required to reduce it. We’ve delivered 7,000+ cyber projects in 130+ countries worldwide, with a broad portfolio of solutions and services from cyber assessments, incident response, patch management, network monitoring, endpoint security and more.

    Talk to one of our experts today to learn how Honeywell can help you improve your healthcare organization’s cybersecurity.
     

    [i] Check Point, Check Point Software Releases its 2023 Security Report Highlighting Rise in Cyberattacks and Disruptive Malware, February 8, 2023 [Accessed March 1, 2024]

    [ii] UpGuard, What is the Cost of a Data Breach in 2023?, October 25, 2023 [Accessed March 1, 2024]

    [iii] WIRED, The untold story of a cyberattack, a hospital and a dying woman, November 11, 2020 [Accessed March 1, 2024]

    [iv] United States Department of Health and Human Services, Healthcare Sector Cybersecurity, December 2023 [Accessed March 1, 2024]

    [v] Honeywell Forge, Honeywell Gard USB Threat Report 2024 [Accessed February 1, 2024]