The healthcare and pharmaceutical industries are no strangers to cybersecurity threats. In the face of massive global incidents, such as WannaCry and Kaseya, as well as other dangerous, sophisticated attacks, solid security practices are being implemented more effectively. Moreover, executive boards are showing stronger support for security than they have in the past.
A recent cybersecurity report uncovered that 66% of healthcare organizations were hit by ransomware in 2021. And that number’s up 32% since 2020.
Healthcare organizations: Staying with what you know can increase your cyber risk
Unfortunately, within this already troubled landscape, attackers are exploiting lagging technologies to expose vulnerabilities. Legacy platforms are found in the majority of critical care devices. Check out the numbers: 65% of pharmacology devices run on outdated platforms (as do 53% of oncology devices and 50% of lab devices).
This level of use is concerning given the risks and that patients are directly connected to vulnerable devices. Lives depend on these devices remaining safe and secure.
This discrepancy between cutting-edge connectivity and traditional backend technology not only presents challenges for IT teams, but it opens up a broad – and weakly supported – attack surface for cybercriminals.
Legacy operating systems aren’t the only problem. The software that runs on those systems frequently falls behind as well. Healthcare organizations struggle to keep pace with their rapidly expanding systems and the required cybersecurity vigilance. The industry knows that it must embrace technology to power digital transformation. However, according to recent research, “limited resources and IT staffing gaps hinder the ability of organizations to transition into more secure platforms.”
Hackers, unfortunately, are well aware of these challenges. 2017’s WannaCry cyberattack targeted the UK’s National Health Service by exploiting a vulnerability in Microsoft Windows.
The attack infected computers and diagnostic equipment and caused the NHS to cancel thousands of appointments and surgeries. While the organization stressed no harm was caused to patients, the crisis demonstrated the potential impact of a ransomware attack on a healthcare organization.
Often, targets also include medical device manufacturers. “Symantec found malware on machines that had software installed for the use and control of medical imaging machines, such as x-rays and MRIs, and machines used to assist patients in completing procedure consent forms,” Health IT Security reported.
Cybersecurity considerations with connected medical devices
Cyberattacks specific to medical devices remain rare, but because many devices use common operating systems, they’re often affected by indiscriminate attacks tied to aging architectures.
Pacemakers, like defibrillators, have shown vulnerabilities that enable an attacker to access devices, deplete battery stores, or issue dangerous cardiac pacing commands.
These ramifications, which would be directly harmful to human lives, are what make medical device cybersecurity such a critical area of study.
How can healthcare organizations combat cyber attacks?
1. The healthcare industry must play a role in securing its devices.
Healthcare organizations should ensure security is “baked-in” from inception and backed by the latest cybersecurity research from the healthcare industry and beyond. Medical device manufacturers must also stay vigilant on current vulnerabilities and release patches as quickly as possible to protect against them. The FDA’s risk-based medical device regulation provides useful guidance.
2. Cyber hygiene: An ounce of prevention is worth a pound of cure.
Prevention, in this case, depends on good cyber hygiene. Staff members and clinicians should be fully trained to use technology in a secure way; even small steps like stronger passwords can make a significant difference.
Consider adding an in-house IT expert team, such as medical technologists or medical device security engineers who combine biomedical, IT, and security training to lead the department in the fight against cybercrime.
Maintaining full visibility into medical devices and their ecosystems also plays a critical role in healthcare cybersecurity. Comprehensive monitoring and analysis create a baseline of what’s “normal” and signal anomalies.
By knowing what you have, you can take proactive steps to mitigate and minimize risk, like network segmentation and removing devices from the network.
3. Healthcare organizations must institute a modern patch management strategy.
This is a critical component of cyber resilience. Remember the WannaCry attack? Microsoft released a patch addressing the vulnerability two months before the incident. While the scale of healthcare systems can make patch management challenging and legacy operating systems complicate maintenance, patching is an integral element of protection against today’s sophisticated cyber attacks. When it comes to protection from cyber threats in the pharmaceutical industry, security tactics aren’t that different. Automated patch management can go a long way to help pharmaceutical companies, too.
Pharmaceutical organizations: Staying with what you know can increase cyber risk
Generally speaking, the pharmaceutical industry hasn’t operated on the cutting edge when it comes to information security practices due to several unique challenges.
As a result, that sector of the healthcare industry is increasingly targeted by bad actors seeking to pilfer sensitive information or cause human or reputational harm.
While most pharmaceutical companies agree that the losses from a cyberattack could be startling, they often struggle with cybersecurity.
Intellectual property as bait for cybercriminals
For big pharma, the ongoing pursuit of intellectual property (IP) remains a significant threat to the industry. At certain stages of development, formulas aren’t protected by patents. The way a company manages and protects that IP has taken on increased importance in recent years. Imagine if research on clinical trials that could determine a company’s strategy for the decade falls into the wrong hands.
Research and Development (R&D) produces a significant amount of information that has the potential to determine strategic business decisions around operations, the development of new solutions, investments, etc. Because this information drives decision-making when it comes to which elements to remove for the next round of development, the therapeutic areas to invest in, and more, pharmaceutical companies are increasingly compelled to bolster their cyber defenses.
Nothing is more valuable to a pharmaceutical company than the formula for one of its new drugs. So, ensuring IP is protected is vital in today’s threat landscape.
Mergers and acquisitions attract bad actors
When it comes to mergers and acquisitions, the pharmaceutical industry has always been busier than most. However, these activities often involve strictly confidential data, appealing to hackers as they know they can pilfer money or sell information on the dark web.
According to a recent insight on cybersecurity for pharmaceutical companies, “Companies engaged in merger and acquisition activities have experienced attacks in which insider information was misused to trade stock for profit in advance of a merger being announced publicly.”
Fortunately, as data sharing grows increasingly prevalent, companies are beginning to understand a breach in their network could have massive impacts on their bottom line. If a company’s waiting for signs of trouble before implementing a cybersecurity program, it’s already too late.
How can big pharma combat cyber attacks?
Pharmaceutical companies can improve their security posture in several ways:
1. Ensure a robust endpoint and patching solution is in place.
Unfortunately, many pharma security professionals are slacking when it comes to their patching programs. Not too long ago, a majority of pharmaceutical industry SecOps teams admitted they had a data breach due to unpatched vulnerabilities for which a patch was available.
Staying current with patches for software, operating systems, and third-party applications is the only way companies can fully prevent attacks based on known vulnerabilities.
2. Take inventory of vulnerability response capabilities
Ensure you have a dedicated team that is responsible for managing the receipt, verification, and reporting of information about security vulnerabilities. Are they trained on all your technologies and could they quickly respond to a breach? Is everyone up-to-speed on your vulnerability response process and is it effective?
3. Define and optimize end-to-end vulnerability response processes
What is your process when you identify a vulnerability that has not been breached? Or, likewise, if a breach has occurred, do you have the triage process in place to address it?
Understanding how your organization and team respond when cyber events occur, both urgent and day-to-day, is critical to keeping your organization secure, along with the users and patients who depend on the technologies you support.
4. Leverage cloud-native technologies as often as possible
Business now takes place in a cloud-first world – but unfortunately, many IT teams continue to manage devices scattered across a distributed workforce with on-premises hardware and VPNs.
On-prem hardware and VPNs were built for the world of the physical office, and it shows. These legacy solutions are complex, costly, and simply lack the agility to meet the demands of the digital world. Understaffed and frustrated ITOps teams need flexibility and speed – exactly where cloud-native solutions should be embraced.
The healthcare industry has its work cut out
At the end of the day, very few organizations can get cybersecurity right all the time, given the complexity of digital transformation and the constantly evolving threat landscape. Prioritizing your security program is no longer something that can be overlooked. For the healthcare industry, the true test lies in understanding its cybersecurity challenges and proactively addressing them – quickly, efficiently, and without interrupting healthcare providers and the patients they care for.