Healthcare cybersecurity – show us the money!
• The importance of healthcare cybersecurity is often downplayed or misunderstood.
• To get adequate funding, it’s important to frame healthcare cybersecurity conversations in terms of clinical risk.
• Healthcare organizations have incredibly flat cybersecurity surfaces.
Healthcare services are increasingly vulnerable to cyberattacks. New players, new – or at least newly tweaked – attack vectors, and new focus on always-present vulnerabilities are breaking down any ethical resistance on the part of bad actors to targeting places meant to be refuges and healing hubs for people who are not at their physical best.
If there’s a Hell, naturally, the bad actors who target healthcare facilities with cybersecurity vulnerabilitieswill undoubtedly roast there for eternity. But for organizations that take no comfort in the idea of delayed and metaphysical punishment, it’s important to stop the machinations of these wastes of skin in the here and now.
We re-connected with Deryck Mitchelson, Field CISO at Check Point Research, a cybersecurity specialist organization with many irons in the fire when it comes to stopping such cyberattacks on critical national infrastructure.
We spoke to Deryck specifically because as well as being a cybersecurity expert, he has history working for the UK’s NHS Scotland, and so has both a broad and a particular specialism in the field of healthcare cybersecurity.
We asked him why people were still, in 2023, targeting healthcare organizations.
THQ:
We’ve talked before about why the UK’s NHS is especially vulnerable to cyberattack, but it’s becoming a bigger thing in the US as well now. Where do we think healthcare cybersecurity sits on the urgency and vulnerability scales in terms of, for instance, governmental or organizational investment? In order of authorities’ spending priorities, where does protecting those critical infrastructures from cyberattack come?
Healthcare cybersecurity – a top priority?
DM:
If you ask anybody, they’ll tell you it’s a top three priority. Absolutely. Anyone senior in government, anyone senior in healthcare, they’ll tell you it’s a top three priority.
But it’s a check-box priority, not a real priority. The reason they say it’s a priority is because then it sits on the risk register. That means that they can talk to their boards and say, “Yep, somebody owns this as a priority.” However, if anybody then goes on to say we need a substantial uplift in investment for a multi-year healthcare cybersecurity program in order to do such and such, they don’t find the money.
That means it’s not a priority at all. Obviously, you always find the money for things that are real priorities.
THQ:
That’s more or less how you define real priorities, isn’t it? Things on which we must and do spend actual money?
DM:
Exactly. Healthcare cybersecurity is one of the few things that sits at the top of the risk register as a priority that doesn’t properly get funded.
So yeah – if it’s not getting properly funded, if it’s not getting the level of investment it needs, how can it actually be that level of priority? Because other things that sit around it, such as replacing equipment that’s at the end of its life, that gets investment money.
When they’re looking at filling any staff shortages, or changing the rotas, or doing any capital investment programs, those things get investment.
It’s a difficult one to complain about – I do know that those things provide frontline healthcare. But when I was in my role as a CIO, digital and cybersecurity were a big part of providing frontline care. You couldn’t provide frontline care without the digital and the cyber-services that enabled people to do so. You don’t get one without the other.
And that’s part of the problem – healthcare cybersecurity sits on risk registers, but it no longer gets looked at as having the same importance as frontline healthcare priorities.
Can you have modern healthcare without cybersecurity?
THQ:
You’d think that was obvious, wouldn’t you? You can have the smartest healthcare facility, but if your cybersecurity systems are vulnerable, you’re not able to provide proper, reliable care. It kind of takes you down the line almost to field hospital levels of treatment. Healthcare facilities have to be safe environments for both patients and their data – which is vital, day in, day out, to the business of providing healthcare.
DM:
Correct. Absolutely. Do you really want to climb into an MRI scanner if you don’t know it’s safe and patched? You’re climbing into a device that’s shooting you with low levels of radiation. If you’re really paranoid, and you start to think about it, and you know these devices aren’t getting the patches and the protection they need, then you’re going to be wary about getting into the machine.
You don’t see people debating these things very often, but I think they should do.
THQ:
We spoke to a company a little while ago that made exactly that point – things like MRI scanners and other medical devices act as fundamental weak points in the system, because they don’t have the sort of patching regimes that a) you’d think they would, and b) other, easier equipment in the system has.
DM:
Many of those devices are often running old versions of Windows. So most people wouldn’t even know where to start patching them. They’ve been bought, the manufacturers don’t have patching regimes, they don’t think of putting endpoints on them, because who thinks of putting anti-malware software on an MRI scanner? So it doesn’t happen.
They get left alone, but they’re on the network, particularly the more modern ones. They create hundreds of gigabytes of data on every single scan, and they’re on the network, they don’t sit siloed within the hospitals.
Everyone who has worked in a hospital or healthcare facility knows that the networks don’t have the greatest levels of segmentation and separation between IT systems, OT systems, medical systems. A lot of the networks are very flat.
The public – healthcare cybersecurity threat #1?
And then of course, 80% of hospitals are open to the public. The public walks anywhere in a hospital – what’s to stop them just sitting down where they can find the nearest ethernet port and plugging something in. Most hospitals aren’t running any kind of software that will actually find that device quickly and quarantine it. That is a flat network.
Hospitals provide healthcare. The basis of providing a point of care is that it’s all done on trust. Nobody has to show ID to get treatment (at least not in the UK). You don’t need your passport and driving license – being ill or needing help is your passport to care. Perhaps there’s a need to change to a slightly more secure and restricted model.
THQ:
Let’s take a step back. You say it’s a top three priority that never gets the funding it needs. Why does it never get the funding it needs? What makes it different in that respect? Why doesn’t anybody want to actually show us the money?!
DM:
There are a few reasons.
I don’t think the professionals whose job it is to demand the money do a great job of articulating the clinical risk that they’re managing. And boards and executives understand clinical risk. As far as healthcare goes, if they try and articulate this as a cyber-risk – “This is what it means if we get hit with ransomware or get a piece of malware in our system, or get some data that’s been exfiltrated out of the system…” the board struggles to understand what that actually means as far as impact is concerned.
Nobody understands healthcare cybersecurity cases.
I would always start with a clinical risk scenario. “If this happens, it probably means that some of the most critical systems are vulnerable, and you might have to take them offline to protect them. So things like lab systems, if they’re doing analysis of bloods, for example. You take those offline and that’s a lot of bloodwork not done, a lot of blood quietly coagulating into uselessness, a lot of people you then have to call and re-book, and create chains of delay to clinical outcomes.
That’s what that means.”
We need to do a much better job of articulating within healthcare and clinical risk what the cyber-risk actually means, and not talk about cybersecurity, because boards don’t understand it. It’s got to be talked about in business terms. People are not particularly good at talking in business terms when they’re dealing with healthcare and health outcomes.
THQ:
So how do we get better? How do we make that case in a way that makes boards and governments and the public wake up and go “Oh! That’s what that is!”
DM:
When I was in NHS Scotland, I made myself some strong allies, and the first one was the Chief Medical Officer. The Chief Medical Officer, although they tend not to hold the main budget, does hold huge sway over the prioritization of spend.
I spent a lot of time with CMOs to learn what their priorities were, so that I could best articulate what my priorities were, and make sure they understood how my priorities impacted upon their priorities and vice versa. We became quite a strong team that would go forward and make very strong cases for investment on digital security programs.
And I would often look for the CMO to actually be the executive sponsor, and what these programs did for me was to take my priorities away from seeming like a typical security and digital conversation, and make it sound like a business conversation, with the backing of the CMO.
In Part 2 of this article, we’ll look at the importance of going beyond headlines to improve healthcare cybersecurity, and how to win the necessary battles to keep healthcare a data-safe environment.