Take a few of these: Cybersecurity lessons for 21st century healthcare professionals

Mark Twain once wrote, “Behold, the fool saith, ‘put not all thine eggs in the one basket’ — which is but a matter of saying, ‘Scatter your money and your attention;’ but the wise man saith, ‘put all your eggs in the one basket and — watch that basket.’"

In 2024, cybersecurity professionals in the healthcare industry may have taken this advice a bit too seriously. The focus of the industry may have become too focused on one aspect of security at the expense of more serious risks.

Historically, confidentiality and privacy of health information were the paramount concerns at the intersection of healthcare and cybersecurity. For good reason, of course, considering that health data is incredibly sensitive to each person, and protected by stringent guidelines like HIPAA in the U.S. and GDPR in the EU. While the technology used in the healthcare industry has modernized over the last two decades, the security threats to the healthcare industry have changed.

With more patient care tied directly to technology through medical devices that can directly regulate your heart rate, and deliver drugs into your bloodstream, health systems have never been more dependent on making sure the technology is working correctly. Whereas privacy and security of data were paramount before, the availability of healthcare technology and patient data has become much more so.

Failure to deliver secure outcomes is far more consequential to your safety and health when devices are connected to networks, which then become vulnerable endpoints and leave patient safety — their actual, physical well being — exposed.

When choosing between an ostensibly helpful computer system that causes you harm, or have your health data be lost or stolen, most people would opt for the latter, said Taylor Lehmann, director, Google Cloud Office of the CISO, in a recent episode of The Defender’s Advantage Podcast.

“If you could pick one of the two, what would you pick as an outcome that you'd prefer to avoid? I think most people would say, ‘I'd rather not be the victim of a cyber attack that results in my death’,” he said.

On the podcast, Lehmann and Bill Reid, a security architect in Google Cloud’s Office of the CISO, discussed the current trends in cybersecurity for healthcare, the types of risks that security professionals should be watching, how to operationalize certain security measures, and what the future of artificial intelligence looks like in the healthcare sector.

Do no harm

In December 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) released a new concept paper for the healthcare industry on combating cybersecurity threats as an addendum to the administration’s 2022 National Cybersecurity Strategy. The guidance cites a 93% increase in large breaches reported to OCR, and a 278% increase in large breaches involving ransomware, from 2018 to 2022.

The increase in attacks underlines risks to the data security and financials of the healthcare industry, and also risks to patient health and safety. The attacks threaten “extended care disruptions, patient diversions to other facilities, and delayed medical procedures,” concludes the report, “all putting patient safety at risk.”

Lehmann and Reid noted all the trends that led to the release of the HHS concept paper such as the rise of ransomware, attacks on healthcare devices, ongoing supply chain attacks, use of AI in offense and defense.

“The old-fashioned boundaries between physical cybersecurity and industrial security, those kinds of hard divisions are going away,” Reid said. “This notion that my manufacturing operations will be well-protected by air gapping is really a bit of a myth with the interdependencies between IT systems connecting with OT. There's interdependency. Even if they don't hit the OT networks, an attack can disrupt one of the other systems and can really affect the ability to manufacture products.”

Both Lehmann and Reid have concerns about how the healthcare industry may have over indexed on confidentiality at the expense of availability of the entire system and network.

“The shift from confidentiality to availability is, perhaps, the more important outcome,” Lehmann said. “That is something we really need to think about in designing systems.”

Reid concurs, in that attacks on network availability within a hospital setting have the potential to be far more disruptive and have more societal impact than just another headline about a data breach or the impact on a company’s finances.

“What we're seeing when we have availability attacks is where they’re taking out the ability to deliver services, or stop ambulatory surgery, or shut down a department that's delivering care,” Reid said. “Now it’s starting to hurt people more quickly, right? That's a situation in which the attackers are actually potentially causing much more direct harm. It's not reputation or financial harm. It's actual physical harm and that's really a disturbing trend. That's a very destabilizing nature of an attack that can be both harmful but also socially disruptive.”

Holistic networks for full coverage

The focus should really be on building holistic and resilient systems that can handle a variety of threats.

“We have to be thinking about counter-measuring a broad set of risks, right?” Reid said. “If we aim and say we're going to do everything to stop ransomware and we overload in one set of controls, we're leaving ourselves a little exposed. The challenge right now in this space is the diversity and variety of threat actors and these tactics, techniques, and procedures that are being applied are really stretching organizations capacity to think carefully and control all the assets. In health care, it's a very large surface area. We have to be thinking and modeling for the diversity of threats across a pretty complicated asset portfolio.”

The basics of security are still very important, perhaps even more so in an environment with so much surface area. Just as good hygiene is the best way to stop infection from spreading in a hospital, good security hygiene is still the best way to protect broad and complicated systems.

“Looking at the fundamentals of how health systems are funded and how they’ve prioritized spending to build resilient systems is one of the most important security priorities that these organizations really need to start thinking about,” Lehmann said. “​​The basic hygiene stuff. I know it's not fun to talk about, but it still represents a huge percentage of how the bad things start, and how the bad things spread. There's a notion of making sure that not only are we covering the basics but we are making sure that the basics are working effectively over time.”

Adopting and adapting to artificial intelligence

When it comes to cybersecurity, industries are adapting to the era of artificial intelligence and generative AI.

“In terms of future trends, the crazy speed at which we are adopting and using artificial intelligence and machine learning,” Lehmann said. “In every aspect and every sector of the health industry, from treating patients to imagining and discovering drugs. There is so much money being spent on these foundation models, AI platforms, hardware, software, to take advantage of this technology.”

In terms of security, data integrity and accuracy is paramount for the future of generative AI as foundational models become more finely tuned and ubiquitous.

“If there's anything that keeps me up at night, it's the security of these foundation models,” Lehmann said. “These are going to be the models that train the next models. And the models after that, the models after that, the models after that.”

As yet, the use of generative AI models for offense or defense is in an ongoing discovery phase. As Lehmann notes, the security of the models and data themselves are extremely important. But can the tools themselves be turned into weapons that can protect or harm an adversary?

“How do we use AI as a security tool?” Reid said. “And how do we build extended foundational models to do security tasks? How do we infuse AI into products and security products to make sense of large volumes of information? I think that's where a lot of attention is going to be over the next year, two years.”

Lehmann and Reid discuss much more in The Defenders Advantage Podcast, including how to evaluate and trust third party providers and the software supply chain, the impacts of the HHS latest guidance, and more about security trends and risks. Listen to the full podcast here.