The cyber exposure of healthcare’s infrastructure arguably poses one of the most challenging and tangible threats to the ecosystem it supports and the community it serves, explained First Health Advisory CEO Carter Groome during InfoSec World.
Healthcare’s digital transformation has simultaneously created – and is continuing to create – even greater vulnerabilities that could subsequently lead to "the exploitability, or the ability to disrupt, delay, or even to require the transfer of services in the provider of care,” he said.
“In all of this, what we call ‘the borderless environment of care,’ where the surface of threat really has no boundary anymore, if you're not protecting those assets… your duty of care responsibilities are going to fail the organization and the community it serves."
One of the biggest blind spots is connected clinical assets: the operational technology and medical devices on the network.
Groome estimated that about 30% of connected assets in healthcare are clinical in nature. For an organization with 20,000 assets, that is roughly 6,000 devices, many of them "unmanaged": running outdated operating systems, unable to be patched at all, or, in the worst case, not even located on the network with any certainty.
Determining a treatment or control for these vulnerable devices, as they “flow into and touch so many security and enterprise risk initiatives,” is key to the overall security of an organization.
As healthcare continues its digital transformation, it also needs to discover and contextualize risk with those clinical assets through comprehensive risk assessments.
In that way, when an organization brings its clinical, OT, and medical device assets into the same program as its IT and industrial assets, it builds capability and overall maturity into that program. How far that process gets is driven largely by how the entity handles the special needs of those clinical devices, he explained.
Without it, this critical blind spot drags down overall enterprise risk. The problem in healthcare is that, more often than not, the sector focuses on the potential benefits of how care can improve and evolve through digital transformation without considering the security implications.
The surge in remote work in the last year, during which many healthcare entities added two to three times as many devices, has further added to the challenge of keeping up with assets. And those devices continue to come online while bypassing the normal procurement process.
Even today, Groome is stunned to see how many organizations say they have no controls in the pre-procurement and procurement processes that would allow security leaders to say, "wait a minute, let's make sure that these devices that are coming onto our network are secure."
“In that asset ecosystem, it continues to proliferate in that borderless continuum of care,” said Groome. “You already have a backlog of vulnerabilities out there... vulnerability debt, and then a ton of critical and high vulnerabilities that you either need to mitigate, accept the risk, or transfer the risk.”
“Everything requires conductivity,” he continued. ”I don't think that's going to be slowing down anytime soon. And as that inherent risk grows, how do you make sure you're addressing the vulnerabilities that have the greatest impact on your business, as those devices require conductivity, and the debt keeps rising? How are you prioritizing?”
Most providers struggle with asset discovery and profiling, and even the most mature programs with progressive tools still have difficulty getting high-fidelity, actionable risk and mitigation information into accountable hands, typically the clinical engineer, as quickly as possible.
As stakeholders continue to warn, failure to gain visibility into those clinical devices and other assets, and into how they behave, leaves the proverbial welcome mat out for cybercriminals. That visibility must therefore be a priority as an entity embarks on the journey of building capability and maturity into its security program.
“It just can't be overlooked any longer,” he added. “And that includes patient safety, operational uptime, balance sheet risk, and even reputational harm.”
Aligning the IT roadmap with security priorities
It takes time, commitment, financial investment, executive sponsorship at the highest levels, and a great deal of work to operationalize technologies, mature processes, and build programs to address risks, because “there’s no one magical tool that remediates risk.”
Organizations that aim to align their IT roadmap with business processes must also integrate the same high standards into their security priorities. As Groome explained, “this journey in the provision of secure and interoperable care is predicated on patient trust and trust in the community.”
The successful entities use this concept as a driving principle.
But when organizations assess how to accomplish these goals, they often fail to account for the unique needs, strategy, services, data systems, and devices of the business, the very factors that would capture the provider's unique risks, and that omission creates a lot of deficiencies.
“This is one of the biggest mistakes I see in organizations when assessing the current state and determining [the direction to take] to become more resilient,” he noted. “I can't emphasize enough: take your unique needs into account and leverage that knowledge to inform your priorities.”
Organizations also need to consider the particular needs of the devices themselves, which Groome stressed is one of the sector's overall challenges with security, alongside scarce resources. The program is a lot of work, but it should be seen as a business imperative.
“Doing nothing right now is not an option,” said Groome. Security teams must work hard to educate the board, and those outside of the security and IoT world, on the ongoing challenges and risks associated with clinical assets.
Outside support is needed to develop and actively manage a connected asset risk program, which Groome stressed is not a project: “it doesn’t have a definitive endpoint.” These are activities that can take multiple years, “but they're woven into all of the transformative digital initiatives that your organization will take on going forward.”
In Groome's approach, building the asset risk management program is a roughly three-year effort. Security teams should:
- Assess the current state of asset management, while fighting assessment fatigue
- Address the organization's unique risks, challenges, strategy, and enterprise mission
- Develop the overall goals
- Use a framework, like NIST or HITRUST
- Map the framework to the tools of the program and assets to develop a roadmap
“There's no tool that's going to do this for you. It's a mixture of tools, processes, and people,” said Groome. “There are great technologies out there that will provide telemetry and information to make more informed decisions… understand behaviors on how those devices operate, and how ultimately to mitigate risk, but you still need to get your nails dirty and get into the program.”
“You just can't automate the responses on the special needs medical devices,” he continued. “As you understand what's going on with those devices, then you can start to understand how it fits into your overall asset risk flows, your risk treatments, your playbooks, and the controls.”
Lastly, it is paramount that the security team and the asset risk program reach a level of maturity that provides the needed context for each asset and lets the security leader get information to the accountable parties as quickly as possible. Groome noted that this is where entities can truly move performance indicators such as dwell time, days to patch, or time to mitigate.
“We can talk about subjective measures all day long. But you really have to show, how are you moving the needle with this program, with this spend?” As one healthcare security leader recently noted, that is where healthcare needs to improve: too often it makes cybersecurity investments that don't truly move the needle on patient safety risk.
Groome explained that as providers gather information from active and passive scanning solutions, endpoint tools, and other data points, the security team can build a center of excellence that builds trust between the entity and the community while improving the organization's risk posture.
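To make the mechanics above concrete, here is an added example (not code from the article, First Health Advisory, or Groome) of the correlation step the last few paragraphs describe: merging a clinical-engineering inventory, passive network sightings, and endpoint-agent check-ins into one asset register, flagging the "unmanaged" clinical devices (end-of-life OS, unpatchable, or never inventoried at all), ranking open findings by severity, network exposure, and patient-safety impact, attaching a risk treatment to each, and computing a days-to-patch metric. All records, MAC addresses, finding IDs, the end-of-life OS list, and the scoring weights are constructed placeholders; a real program would feed this from its CMMS, network sensor, and scanner exports.

```python
from datetime import date
from statistics import median

# Constructed sample data (not real devices or findings).
CMMS = [  # clinical-engineering / CMMS inventory export
    {"mac": "00:1a:2b:00:00:01", "name": "infusion-pump-3n12", "os": "Windows Embedded 7",
     "patchable": False, "clinical": True, "location": "3N"},
    {"mac": "00:1a:2b:00:00:02", "name": "ct-scanner-rad1", "os": "Windows 10 LTSC",
     "patchable": True, "clinical": True, "location": "Radiology"},
    {"mac": "00:1a:2b:00:00:03", "name": "nurse-ws-07", "os": "Windows 11",
     "patchable": True, "clinical": False, "location": "3N"},
]
PASSIVE = [  # passive network-sensor sightings; "exposed" = reachable from an untrusted segment
    {"mac": "00:1a:2b:00:00:01", "vlan": "clinical-3n", "exposed": False},
    {"mac": "00:1a:2b:00:00:02", "vlan": "flat-legacy", "exposed": True},
    {"mac": "00:1a:2b:00:00:03", "vlan": "user", "exposed": False},
    {"mac": "00:1a:2b:00:00:04", "vlan": "flat-legacy", "exposed": True},  # never inventoried
]
ENDPOINT = {"00:1a:2b:00:00:03"}  # MACs with a managed endpoint agent checking in
EOL_OS = {"Windows Embedded 7", "Windows XP", "Windows 7"}  # assumed end-of-life list

FINDINGS = [  # vulnerability-scanner output; IDs are hypothetical
    {"mac": "00:1a:2b:00:00:01", "id": "VULN-A", "severity": "critical",
     "opened": date(2024, 1, 2), "closed": None},
    {"mac": "00:1a:2b:00:00:02", "id": "VULN-B", "severity": "critical",
     "opened": date(2024, 1, 5), "closed": date(2024, 1, 20)},
    {"mac": "00:1a:2b:00:00:03", "id": "VULN-C", "severity": "high",
     "opened": date(2024, 1, 10), "closed": date(2024, 1, 17)},
    {"mac": "00:1a:2b:00:00:04", "id": "VULN-D", "severity": "medium",
     "opened": date(2024, 1, 12), "closed": None},
]
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def build_register(cmms, passive, endpoint):
    """Merge the three sources by MAC into one register and flag unmanaged assets."""
    reg = {}
    for rec in cmms:
        reg[rec["mac"]] = {**rec, "seen": False, "exposed": False, "vlan": None,
                           "managed": rec["mac"] in endpoint}
    for s in passive:
        # A sighting with no inventory record is the "don't know where it is" case.
        a = reg.setdefault(s["mac"], {"mac": s["mac"], "name": None, "os": None,
                                      "patchable": None, "clinical": None,
                                      "location": None, "managed": s["mac"] in endpoint})
        a.update(seen=True, exposed=s["exposed"], vlan=s["vlan"])
    for a in reg.values():
        a["unknown"] = a["name"] is None
        # Unmanaged: no agent, and either end-of-life OS, unpatchable, or not inventoried.
        a["unmanaged"] = (not a["managed"]) and (
            a["os"] in EOL_OS or a["patchable"] is False or a["unknown"])
    return reg


def score(finding, asset):
    """Severity x exposure x impact; clinical devices carry a patient-safety weight."""
    exposure = 2 if asset["exposed"] else 1
    impact = 3 if asset["clinical"] else (2 if asset["unknown"] else 1)
    return SEVERITY[finding["severity"]] * exposure * impact


def treatment(asset):
    """Risk treatment: identify first, patch if possible, else compensate (segment/isolate)."""
    if asset["unknown"]:
        return "identify"
    return "patch" if asset["patchable"] else "compensate"


def prioritized(findings, reg):
    """Open findings ranked highest score first, with the owner-facing treatment."""
    rows = [(score(f, reg[f["mac"]]), f["id"], reg[f["mac"]]["name"] or f["mac"],
             treatment(reg[f["mac"]])) for f in findings if f["closed"] is None]
    return sorted(rows, reverse=True)


def days_to_patch(findings):
    """Median days from open to close over remediated findings (None if nothing closed)."""
    closed = [(f["closed"] - f["opened"]).days for f in findings if f["closed"]]
    return median(closed) if closed else None


if __name__ == "__main__":
    register = build_register(CMMS, PASSIVE, ENDPOINT)
    for row in prioritized(FINDINGS, register):
        print(row)
    print("unmanaged:", sum(a["unmanaged"] for a in register.values()),
          "days-to-patch (median):", days_to_patch(FINDINGS))
```

The unpatchable infusion pump ranks first even though it sits on a segmented VLAN, because severity and patient-safety impact outweigh exposure, and its treatment is a compensating control rather than a patch; the never-inventoried device on the flat legacy segment is flagged "identify" before any vulnerability work, which is the discovery gap the article describes.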