Many in the healthcare industry are keenly aware of the growing cybersecurity threats; however, understanding how to secure healthcare information systems effectively is a complex challenge that security leaders in the industry struggle with. This struggle was evident at the HIMSS cybersecurity forum which took place last week in Orlando.
This year’s conference explored how to lead an effective healthcare cybersecurity program, as well as how to navigate the legal, regulatory, and cultural dynamics that are often at play. One common theme was that to prepare a program for the future of healthcare cybersecurity, you first need to recognize the threats driving change.
For instance, we first saw the Conficker bug in 2009; it was estimated to have infected between 9 and 15 million computers. Then in 2015, a new form of Conficker was found deep in hospital networks, targeting specific devices for access to patient records. Medical records were gaining greater value on the black market than things like credit card data: criminals could steal a patient’s identity to get expensive prescriptions filled. These medical devices were not visible to the hospital IT team and were likely running out-of-date software.
In May 2017, the WannaCry ransomware hit more than 300,000 computers and took down hundreds of businesses, including the U.K. National Health Service. Just one month later, the Petya wiper malware permanently damaged the IT systems of all its victims, including two U.S. health systems. Ransomware continues to hit the healthcare sector, but new threats like cryptocurrency mining and cryptojacking are on the rise, with hackers now looking to exploit mobile and IoT devices as much as computer systems.
Today, attack surfaces are growing with further digitization, more data and infrastructure, and increased technology adoption in healthcare, exposing new attack vectors: IT systems, connected medical devices, digital health applications, electronic patient records – the list goes on. Standards like ISO/IEC 80001 and the NIST Cybersecurity Framework are pushing healthcare IT to change. As healthcare continues to move into the digital age, effective cybersecurity measures are crucial for operational resiliency. Each new healthcare technology offers immense value to patients but also brings unique cybersecurity risks.
Black hat hackers are constantly innovating, and each success funds and drives further innovation. Additionally, 80% of cyber-attacks are driven by organized crime rings, in which data, tools, and expertise are widely shared. This makes defeating security defenses that much easier for attackers — and makes defending extremely difficult for security teams.
The evolving threat landscape and increasing challenges are giving rise to community-based programs such as crowdsourced cybersecurity, an important evolution that’s fast becoming a foundational element of any organization’s cybersecurity program. Crowdsourced cybersecurity includes services like bug bounty programs, vulnerability disclosure, and next gen pen testing (NGPT). By employing a crowdsourced cybersecurity approach, healthcare security teams can learn about vulnerabilities from an incentivized group of ethical hackers with expertise in diverse areas before a black hat hacker can find and exploit them.
Crowdsourced security helps organizations uncover 7X more critical vulnerabilities than traditional security assessment methods. Bugcrowd’s crowdsourced security programs provide a much-needed solution for healthcare IT. Employing our Crowd of whitehat hackers gives healthcare IT teams more time to focus efforts on big picture compliance and protection strategies while mitigating the risk of the next big attack. Bugcrowd enables healthcare professionals to assess the risk associated with disparate data sources and infrastructure so patients don’t have to worry about data privacy. Additionally, with our comprehensive methodology, coverage analysis, and reporting, Bugcrowd ensures the administrative, physical and technical safeguards are in place to comply with HIPAA.
Healthcare cybersecurity is a serious undertaking. Attacks can compromise not only networks and data, but also the applications and services supporting critical patient care systems. It’s important to take a defense-in-depth approach to cybersecurity and employ crowdsourced security to level the playing field. In the coming years, it will become standard operating practice for vulnerability assessment – the winners will be those who embrace this new standard today and reap the rewards before the rest of the market catches up.