The Hidden Crisis Within Today’s Healthcare Crisis

The Healthcare Crisis of today – or, perhaps more accurately, over the past two years — has been never-ending waves of COVID-19 variants.  With “Alpha” starting in 2019 to the current “Omicron” & “BA.2” mutations, our hospital systems have been stretched to the breaking point.  This crisis has forced administrators to deal with huge patient volumes, staffing and resource shortages, implementation of new vaccine protocols, and the like. 

Unfortunately, this is not the only crisis that Healthcare systems face.  The new year brought news that “more than half of the connected medical devices in hospitals reportedly pose security threats due to critical vulnerabilities that could potentially compromise patient care.”  This “Hidden Crisis” associated with hospital cybersecurity started well before COVID-19 and, unlike COVID-19 whose threats appear to be diminishing, the healthcare cybersecurity crisis seems to be gaining in both scope and severity.

Like COVID-19, cybersecurity attacks are invisible. Yet, unlike COVID-19, cybersecurity attacks can be latent for months or even years before hackers launch a zero-day onslaught to healthcare systems.  IT Administrators, the guardians against hospital cyber-attacks, often don’t know what they don’t know.  Administrators typically become aware of their vulnerabilities only after a breach has been detected and then they focus on solving the problems they see — not the latent ones brewing in the background.  It would likely be a revelation to them – or at least an unwelcome reminder – that last month’s security report revealed 73 percent of infusion (IV) pumps have some type of vulnerability and represent almost 40 percent of a hospital’s IoT devices.

IV pumps are only one of several types of “legacy” medical devices, including MRIs and ventilators, that are responsible for most hospital cybersecurity attacks. This equipment was not built with security in mind and has typically been connected to networks with minimal protections built in.  Their collective threat surface is a huge welcome mat for hackers who can compromise patient safety and launch zero-day attacks against hospital operations.

Legacy medical devices running on vulnerable networks can sometimes be protected by installing intermediate ethernet gateways, a shield of sorts, to maximize usable life of the device while still protecting it from network injected malware. Newer connected medical devices – and especially those that can be controlled by smartphones — have their own set of challenges. Rather than depending on vulnerable mobile operating system security, all system communications for these devices must be protected at the application layer. Each system element must be trusted using authentication. And the connectivity channels between smartphone apps, IoT devices and the cloud must be secured and always available. While this may sound complicated, it can easily be accomplished using a modular, multi-layered approach that adds only a few cents per unit in incremental cost.

As this month’s report highlighted, healthcare is a top target for cyberattacks. The risks have escalated and range from ransomware attacks that interrupt a hospital’s COVID-19 case rate reporting to cybercriminals who compromise the normal operation of IV pumps or want to take over a smartphone-controlled Continuous Glucose Monitor (CGM) or insulin pump. Thirdwayv offers easy-to-implement solutions across the full range of attack scenarios, protecting healthcare organizations and their patients against existing threats while enabling them to stay ahead of new ones.