2021’s Top Healthcare Cybersecurity Threats, What’s Coming in 2022

EY Americas cybersecurity leader Elizabeth Butwin Mann reviews some of this year’s biggest healthcare cybersecurity threats and discusses what to watch for in 2022.

Healthcare cybersecurity threats continue to cast a dark shadow on the already overburdened US healthcare system, especially as the COVID-19 pandemic persists. Feeding on global chaos, threat actors have orchestrated sophisticated cyberattacks on critical infrastructure, finance, and healthcare entities this year.

DarkSide ransomware group’s attack on Colonial Pipeline in May, which disrupted thousands of miles of the US fuel supply chain, catalyzed a number of federal initiatives aimed at tackling cyber threats. President Biden issued an executive order days later, followed by a national security memorandum, meetings with world leaders, and government-wide cybersecurity initiatives in subsequent months.

The combination of a global pandemic and an increasingly sophisticated network of cybercriminal organizations led to ransomware attacks on hospitals, outpatient facilities, and business associates across the healthcare sector in 2021.

“Cyber has become dinner table conversation,” remarked Elizabeth Butwin Mann, EY Americas Life Sciences and Health Cybersecurity Leader.

“Every executive knows that cybersecurity is an issue. Our parents and grandparents know that cybersecurity is an issue. It's not a hidden back-office topic anymore.”

Mann posited that increasingly sophisticated and successful ransomware attacks, the unpredictability of COVID-19 on the cyber threat landscape, and new medical device security vulnerabilities were some of the biggest healthcare cybersecurity challenges in the past year.

Despite 2021’s daunting cybersecurity challenges, healthcare organizations can still enter 2022 as prepared as possible by understanding and learning from this year’s biggest threats, implementing and practicing incident response plans, and prioritizing cybersecurity investments.

COVID-19’s Impact on the Healthcare Cybersecurity Threat Landscape

“COVID introduced a very unexpected and widespread change in networks,” Mann explained.

“One of the things that cybersecurity professionals rely upon is knowing what normal looks like. And suddenly there was no way to know because what was normal was gone.”

Over 500 healthcare providers fell victim to ransomware attacks in 2020 as the pandemic took hold. Ransomware attacks can result in EHR downtime, ambulance diversions, and appointment cancellations. Ransomware remains one of the biggest threats to the healthcare sector in 2021.

“Unfortunately, criminals don't seem to care that there's a crisis going on,” Mann suggested.

“Ransomware attacks are incredibly powerful, and they work. The more ransoms get paid, the more attackers use those techniques to continue.”

Ransomware is not unique to the pandemic, but cybercriminals are known to take advantage of times of chaos and distraction in order to improve their chances of successfully deploying ransomware before hospital administrators take notice. The pandemic created the perfect storm for cybercriminals to go after healthcare organizations.

The FBI strongly discourages paying a ransom, as it incentivizes bad actors to continue attacking and does not guarantee that data will be safely returned. But healthcare organizations are particularly vulnerable to ransom demands because patient safety is on the line.

“Stealing healthcare data is much more lucrative than stealing credit cards. So, they keep stealing them,” Mann explained.

“And when you're under pressure, especially during a global pandemic and dealing with so much intensity on the care side of things, ransoms get paid.”

The pandemic provided cybercriminals with an opportunity to orchestrate a high volume of attacks while growing their own networks. As a result, Mann suggested, ransomware organizations are behaving like efficient and sophisticated machines.

COVID-19 also expanded the scope and surface area available to cybercriminals.

“People are logging in from home, from vacation homes, from wherever. So that expands the attack surface. Then, when we saw things like the SolarWinds breach take place, we started to become more aware of the fact that the providers who give us devices, software, and hardware are included in our attack surface now,” Mann observed.

“With a larger attack surface, the vulnerability goes up because the institution doesn't have control of everything that they're exposed to.”

The COVID-19 pandemic resulted in lucrative and successful ransomware attacks, increasingly savvy cybercriminals, and a larger scope and attack surface in 2021, exposing the healthcare sector to more cyber threats and vulnerabilities.

Medical Device Security Vulnerabilities Pose Risks to Patient Safety

Besides an uptick in ransomware attacks, researchers also discovered significant medical device security risks in 2021 that could potentially impact patient safety.

In August, McAfee researchers discovered troubling vulnerabilities in two types of B. Braun infusion pumps. The vulnerabilities may allow hackers to deliver double doses of medications remotely to unsuspecting patients.

The discovery exposed major gaps in medical device security across the industry.

“Thankfully, we haven't seen significant compromises to patient care yet,” Mann noted.

“But if one of those threat actors decided that they wanted to impact people with embedded cardiac devices, diabetes devices, etc., we all know that significant harm could take place.”

In early October, the US Food and Drug Administration (FDA) issued a Class I recall on all Medtronic MiniMed remote controllers, citing significant cybersecurity concerns. The FDA has not received any reports of patient harm at this time. However, the manufacturer discovered that the remote controller is susceptible to unauthorized use, which could pose risks to patient safety.

Medical devices and the networks that they operate on are increasingly vulnerable to cybersecurity risks. Many devices are portable, or implanted in a patient, making it extremely difficult for a hospital to keep track of all the devices on its network.

“It's not only the device themselves, but also the manufacturing distribution of those devices,” Mann explained. The attack surface encompasses the entire medical device supply chain.

“I think that the medical device manufacturing industry recognizes this. We see a lot of things improving, but we also recognize that a lot of older devices cannot be patched. There’s the cost factor and healthcare implications as well.”

As the healthcare industry continues to advance its technological capabilities and improve medical devices from a patient care perspective, some fail to recognize that innovation and cybersecurity risks are a package deal.

Lessons and Threats to Watch Out For in 2022

Phishing, ransomware, third-party risks, and medical device security vulnerabilities will likely be persistent threats in the healthcare sector for the foreseeable future. But that does not mean that there is nothing organizations can do to mitigate risks and learn from the numerous cybersecurity incidents of 2021.

Mann stressed the importance of prioritizing cybersecurity investments. It is crucial that healthcare organizations prioritize cyber risk mitigation efforts in annual budgets.

“My hope is that as dinner table conversation progresses, this notion of prioritization will improve,” Mann emphasized.

“I think we're seeing a little bit of catch up, and we’re seeing boards of directors asking many more questions. Executive orders are coming out of the White House, and agencies are putting out specific guidelines.”

Despite the risks and extreme costs associated with a healthcare cyberattack, recent research from CyberMDX and Philips found that most hospitals fail to identify cybersecurity as an investment priority.

Annual IT budgets for midsized hospitals averaged $3.5 million, and large hospitals averaged $3.1 million, the report found. Annual IoT and medical device cybersecurity spending averaged $293,000 for midsized hospitals and $329,000 for large hospitals.

In order to prevent and prepare for a cyberattack, healthcare organizations must prioritize cybersecurity investments. However, budgets are already stretched thin for many organizations, making it difficult to invest in preventive measures.

It is equally crucial to create an incident response plan and put that plan into practice.

“Be prepared, practice, pull together a team, understand what you would do if you get hit and devices are down and access is cut off,” Mann suggested.

“Do you know who to call? Do you have someone on retainer? Do you have help that you can access at a moment's notice? Do you have an industry team that you can reach out to? What do you have that would allow you to respond and recover as quickly as possible? If you can't build the defenses, at least build the resiliency so you know what to do.”

In addition to allocating resources to prevent, prepare for, and respond to a cyberattack, the healthcare sector should also be wary of new threats that may be on the horizon. Mann suggested that medical research may become a new attack vector for bad actors.

“I think that the research environment is an area that is increasingly vulnerable as we move to virtual clinical trials and increased collaboration,” Mann stated.

“I think there's a tremendous amount of transparency to the public about what's going on in medical research, which is a good thing for care. But it's also an exposure when it comes to attacks.”

As the ongoing cyber threats from 2021 persist, innovation and change will bring about new cyber risks and vulnerabilities that organizations should pay attention to in the coming months and years. While there is no way to eliminate these risks altogether, organizations can be proactive about preparing for and responding to cyber threats and practicing incident response plans.

“The thing I’d like to underscore for healthcare institutions in particular is to really challenge themselves to practice,” Mann concluded.

“Do you have people on speed dial so that you can get help if you're an institution that's underfunded from a cybersecurity perspective? This is a real threat that needs to be a priority. Preparation is a big thing and I hope people are doing that. Some are, but many aren't.”