
Healthcare Cybersecurity Year in Review


Twenty Twenty-Four will go down in history as another watershed year in healthcare cybersecurity. With 386 reported healthcare cyberattacks by the beginning of October, this year is on target to surpass even 2023, which was itself an especially bad year for healthcare cybersecurity attacks and breaches.

These projections are supported by the 2024 Ponemon Healthcare Cybersecurity Report, which found that 92% of organizations experienced a cyberattack in the past 12 months, up from 88% in 2023, and that the cost of a healthcare data breach topped $4.7 million in 2024, making healthcare the single most expensive industry for ransomware and other cyber-attack clean-up costs.

The FBI via its Internet Crime Complaint Center (IC3) states that healthcare is now the primary industry target for ransomware gangs, while HHS OCR acknowledges that ransomware attacks against the industry are up a staggering 278% since 2020.

Two Landmark Attacks



Twenty Twenty-Four will also go down in history as the year of the single biggest, most disruptive, and most expensive healthcare cyberattack to date, when in February UnitedHealth Group's (UHG) Change Healthcare was attacked and breached by the Russian-speaking ransomware group ALPHV/BlackCat, impacting nearly every American and exposing the PHI of at least 150 million individuals.

The Change Healthcare attack is the new record holder, effectively doubling the breach numbers of the prior title holder, Anthem Health, which in 2014 exposed the PHI of 78.8 million individuals in a landmark case.

Despite paying the criminals a staggering $22 million ransom, UHG was unable to retrieve its data and was then hit with a second extortion demand not to publish the stolen PHI the perpetrators had exfiltrated. This was according to UHG CEO Andrew Witty when, on May 1st this year, he was hauled in front of Congress to explain the breach that had paralyzed much of US healthcare and what UHG was doing about the mess. At the hearings, lawmakers described the UHG Change Healthcare attack as 'the most significant and consequential cyberattack on the U.S. health care system in American history'.


The Change Healthcare attack severely disrupted healthcare billing and payment operations for months, creating a huge backlog of unpaid claims, including problems with insurance approvals and Medicare reimbursements. It caused unprecedented financial and operational chaos for hundreds of medical facilities, physicians, and pharmacies, as well as for patients unable to gain approval for scheduled procedures or to pick up their medications. It has placed hundreds of small and rural providers of healthcare at risk of closure, potentially depriving entire communities of tertiary health services.



Another highly disruptive cyberattack took place in the United Kingdom when in July this year Synnovis, a joint venture pathology partnership between SYNLAB, Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, was hit by a cyber-attack. The ransomware attack impacted most NHS providers across South London and caused 800 life-saving operations to be cancelled, along with over a thousand other appointments to be forcibly rescheduled. It also led to hospitals being placed on divert and emergency ambulances redirected to the other side of London or to the home counties.

The cyberattack has been attributed to Qilin, a Russian ransomware-as-a-service (RaaS) crime gang, this time, it seems, with dual motivations. Qilin demanded $50 million in extortion, which was not paid, in accordance with UK government policy, which prohibits making extortion payments to terrorists. The attack paralyzed services at London hospitals for many weeks. According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered but refused to accept responsibility for the human cost. They suggested 'the attack was justified because it was in retaliation for the British government's involvement in unspecified wars'.

In the first half of 2024, ransomware victims have paid an astonishing $459.8 million to cybercriminals, setting the stage for a potentially record-breaking year. These extortion payments are also fueling the growth of the ransomware industry, so attacks are only likely to get worse in future years so long as ransoms are paid.

Alarmingly, much of this illicit money ends up in Russia via a global money laundering network involving the Chinese triads and other organized crime groups. It thus acts as a very useful form of hard currency for a country that is under massive trade and financial sanctions as a result of its war with Ukraine. It's no wonder, then, that the Kremlin provides safe harbor and tacit protection for transnational crime groups operating out of the Russian motherland.

A Common Thread


Both the Change Healthcare and Synnovis cyberattacks are indicative of a broader trend in healthcare: attacks are targeting the third parties, or business associates (BAs), of healthcare providers. According to John Riggi of the American Hospital Association (AHA), fifty-eight percent of the 77.3 million individuals affected by data breaches in 2023 were affected through an attack on a health care business associate, a 287% increase compared to 2022. Based upon the sheer size and impact of both Change Healthcare and Synnovis, it is highly likely that once the data is in for the year, 2024 will drive this percentage even higher. In other words, it's no longer just healthcare payers and providers being attacked; their business associates are now being actively targeted.

Hospitals and other providers have done a great job over recent years of improving their security posture with better risk analysis, risk remediation and implementation of security controls, yet overall healthcare attacks continue to increase. This is largely because cyber criminals and pariah nation states are focusing on the weakest link, in this case, the huge number of third parties now involved in modern healthcare delivery.

According to Riggi, "simply put, the 'bad guys' - foreign ransomware groups, primarily Russian speaking - have mapped the health care sector and identified key strategic nodes to attack that would provide the most disruptive impact and access across the health care sector. These "strategic nodes" translate to ubiquitous third-party technology and service providers. The more widespread and critical the impact, the higher the ransom payment demand and the higher the likelihood that the victim will succumb to making the payment". Why hack or attack 1,000 hospitals when they can target the one common business associate and get all the data or disrupt all the hospitals that depend on that single mission-critical third-party provider?

In fact, healthcare cyber attacks are all about maximizing disruption, not only to maximize payment pressure for the perpetrators, but also to cause damage and mayhem to critical national infrastructure in countries opposed to Russia’s expansive foreign policy stance, or to gain political advantage in the case of China or Iran. Together, these three adversaries of western liberal democracy are behind, or support and protect, the criminal actors involved in the majority of healthcare cyberattacks worldwide.

So how is it that third parties are now the weak link in healthcare security? The fact is that modern healthcare relies upon literally thousands of different vendors, suppliers, service providers and IT and business processing outsourcers. Everything from core EMR / EPR systems like Epic and Cerner-Oracle, to hundreds of different medical device manufacturers and third-party management companies that now adorn our modern digital care centers. From insurance, billing, and collections to lengthy supply chains for medical equipment and supplies, there are vendors who often have remote access to hospital networks. The list is almost endless, and many providers don't even have a good understanding or an accurate inventory of who or what has access to their medical networks, let alone the risks each group, device or system may introduce. IoT is a particular problem, and many unpatched and insecure medical devices are easily compromised by criminals.

The Change Healthcare attack was the result of the vendor, Optum (part of UHG), failing to use multi-factor authentication (MFA) or privileged access management (PAM) on a legacy jump server used by systems administrators to administer the Change environment. It is thought that Optum did not own software licensing for the jump server, which ran an out-of-date operating system it inherited as part of the Change Healthcare acquisition. And since the whole Change Healthcare environment was in the process of being replaced with new applications built to Optum standards, the short-term risks were considered acceptable rather than spending the time and money building a new temporary jump server accessible only to a small number of trusted internal staff. However, one of the authorized users of this system had reused a password on another account which had previously been compromised. With a little research, hackers were able to put two and two together and gain access to the complete Change Healthcare environment.

Conversely, the Synnovis attack appears to have leveraged credentials from one of two prior attacks by a different Russian group, Black Basta, against its parent company, Synlab. Credentials, including VPN and MFA passwords, evidently were not reset, nor was the Synlab environment really secured against common malware and other attacks. What was more alarming was that Synlab-Synnovis had very poor business continuity, disaster recovery and security incident response plans (BCP/DR/SIR), resulting in weeks lost restoring systems. This is something totally unacceptable in an 'operations-critical' industry like healthcare, where even short outages can lead to dramatic increases in patient morbidity and mortality.

Lessons Learned and Tougher Regulations


Plainly the lessons here are that providers of healthcare services (in the US, HIPAA 'covered entities' [CEs]) need to mandate that every one of their hundreds of third parties adhere to the same security standards, capabilities, and controls that hospitals themselves are required to meet. That means more regular and thorough security audits of all third parties. This is especially important where the vendor is not big enough to provide evidence of ISO 27001 certification, or a SOC2 attestation that it meets the key control objectives of the CE in question. [The Cylera platform, used by many providers across the world, is ISO 27001 security certified as an example.]

In Europe that means compliance to NIS2 standards, which in the UK translates to adoption of the National Cyber Security Centre’s Cyber Assessment Framework (CAF) supported by regular Data Security and Protection Toolkit (DSPT) reporting. [CAF and DSPT reporting are built into the Cylera platform, which secures many UK NHS Trusts.] 

The Digital Operational Resilience Act (DORA), which goes into effect on 17 January 2025, does not currently apply to healthcare providers, though it may have some impact on insurers. DORA is designed to "consolidate and upgrade ICT [information and communications technology] risk requirements" for the financial services industry and, interestingly, has a major focus on third parties and the impact of third-party risk. Whether some of its provisions are incorporated into NIS2, CAF and HISAA remains to be seen, but its emphasis on building resiliency, incident reporting and threat sharing is already having an impact across Europe.

2025 will likely see new US healthcare regulations with the Health Infrastructure Security and Accountability Act (HISAA). This aims to transform healthcare cybersecurity by setting minimum standards and throwing much-needed financial support to healthcare providers. HISAA is still in the drafting stage at present, but will likely impose stricter cybersecurity standards, require audits and stress tests, and implement serious consequences for non-compliance, while providing financial support to healthcare organizations that need help to enhance and improve their cybersecurity capabilities.

HISAA will no doubt help to continue to move the needle, just as NIS2 and CAF are already beginning to do, but the threats from criminal and pariah state actors are unlikely to be reduced, at least in the immediate term. With an ever-expanding attack surface as new healthcare technologies including AI, mHealth, consumer medical wearables, and more and more medical devices are adopted and deployed, securing healthcare has become a game of cat-and-mouse or whack-a-mole: a seemingly never-ending cycle of identify, protect, detect, respond, and recover as new risks and vulnerabilities are discovered and addressed through remediation or the implementation of compensating security controls.

While compliance helps focus senior management attention and much needed resources for security, the principal security driver will always be risk and the need for improved visibility. But if you can't see 'what' and 'who' connects to your medical network how can you be expected to risk-assess an operations-critical, rapidly expanding healthcare threat surface to keep your patients and key health systems protected?






This blog was first posted at the following location

Experts address AI, global security threats, & solutions to cybercrimes


The annual cost of cybercrime is expected to reach $10 trillion next year. To put that figure into context, in terms of GDP it would be the third biggest economy in the world after the US and China.

From deep-fakes and disinformation to hacks and attacks on infrastructure, healthcare and security networks, cybercrime is becoming the number one challenge for law enforcement and intelligence agencies. And artificial intelligence is already changing the rules of the game.

Our increasingly connected digital world makes us all more vulnerable to criminal gangs and state-sponsored hackers who can access our data and devices. Imagine handing over control of your bank account, your electric vehicle, even your pacemaker.

So how is the international community responding? To gain insights into the scale and nature of the problem, Al Arabiya News’ Riz Khan met leading experts at the Global Cybersecurity Forum in the Saudi capital Riyadh.






UK Ambulance Service


The UK Ambulance Service is the latest target of Russian hackers according to a recent report.

As with much of the NHS and other critical infrastructure service providers across the country, Russian FSB, SVR, and GRU spies, along with criminal proxies, have been engaged in a coordinated campaign to infiltrate and reconnoiter large parts of the UK's critical infrastructure services. This includes the Civil Service, the Ministry of Defence, and many of their contractors.

One of the targets of these cyber-attacks has been key suppliers to the UK Ambulance Service. Here, individuals working on the Ambulance Radio Programme have been targeted from multiple directions by hackers in a credentials-harvesting campaign that could potentially crash the entire communications system. This would leave ambulance command centres unable to communicate with drivers and the police or fire services, or prevent them from receiving vital location information.

The incident is believed to form part of a new Russian cyber warfare campaign dubbed by UK intelligence sources “Cyber Wagner”, in reference to the hardline Russian mercenary group run by the late Yevgeny Prigozhin.

"This is the new front in Russia's aggression against the West," a western intelligence source monitoring the activity reported. "We need to prepare Western states for more aggression and hybrid warfare from Moscow."

This week, MI5 director Ken McCallum announced that Russia is on a “sustained mission” to create “mayhem” across Britain and Europe. The UK's "leading role" in supporting Ukraine means "we loom large in the fevered imagination of Putin's regime" and further acts of aggression on UK soil should be expected, he warned.

This would not be the first time that critical UK systems have been besieged by cyber adversaries. Russian GRU agents have carried out "arson, sabotage and more dangerous actions conducted with increasing recklessness" since the UK backed Ukraine in its war with Russia, he added.

The revelations come just months after hackers behind a catastrophic NHS cyber-attack in the summer were identified to be part of a wider cyber army working under the Kremlin’s protection trying to destabilise the UK.

In June, healthcare services were disrupted across London after a major cyber-attack targeted Synnovis, a pathology testing organisation, severely affecting services. This led to the cancellation of 8,349 acute outpatient appointments and 1,608 elective procedures across much of South London at King’s College Hospital, and Guy’s and St Thomas’ NHS Foundation Trusts and their associated hospitals and clinics.

Qilin, which was held responsible for the assault, is merely one arm of the wider web of hacking affiliates, using servers based in Russia to carry out attacks on UK critical infrastructure. The hackers said the incident was in response to “unspecified wars”. The attack on the NHS was a “major escalation” of the Kremlin’s use of cyber warfare through use of criminal proxies.

As tensions continue to escalate, these attacks become less about opportunity for criminal profits and more about the desire to inflict damage on the critical infrastructure of another country. The fact that the Kremlin appears to be enlisting the support of criminal groups is not exactly a surprising development for many. It is widely acknowledged that for many years the Russian State has been providing safe harbour to Russian organised crime syndicate members accused of crimes in other countries by refusing arrest or extradition requests. So long as perpetrators direct their criminal business to organisations outside of the Russian Federation, they are allowed to operate with near impunity.

Although no definitive connection has been proven between the Russian State, criminal gangs, or the Russian Mafia, a close working arrangement has been evident for quite some time according to cybersecurity experts. Regardless, certain state and non-state actors within Russia appear to be intent on, if not on the cusp of, launching a cyberwar with the UK, Europe and North America.

The Pulse of Security

“Healthcare is increasingly reliant upon technology, whether interconnected systems or online platforms to deliver vital services, but with that reliance comes growing cyber threats. In fact, recent research from Check Point Software shows that the Healthcare Sector experienced an average of around 2,000 cyber-attacks per week in the second quarter of this year, increasing by 15 percent compared to last year. That puts healthcare in third place just behind education and military as one of the most targeted sectors.

"Hackers target hospitals not just because they are a gold mine of data but because many facilities are easy targets operating on outdated systems and devices. Needless to say, this is a very serious issue. Cyber-attacks are not just about accessing health insurance information and medical records, but they can force hospitals to shut down critical systems, putting patient care and even lives at risk.

“So how do we navigate this, how can we protect our systems while still embracing innovation in healthcare?

Lara Habib, Senior Presenter, Alarabiya News Channel


Listen to Richard Staynings, Junaid Nabi, and Mike Fell as they explore the challenges facing healthcare and suggest ways in which the industry can better protect itself from a growing wave of cyber-attacks in this 30-minute panel discussion at the Global Cybersecurity Forum 2024 in Riyadh, Saudi Arabia today.


Rural Healthcare and the Catch22 of Cybersecurity



Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be a two- or three-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death.

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or 'new life center' staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or, worse, air-ambulanced at huge expense to a city hospital where you and your infant can be properly cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is, that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open, are continuously reducing their specialist services, which may not be used enough to remain profitable or even to cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Beckers, in a recent article, reviewed a longer period and claimed that nearly 200 rural hospitals have closed since 2005. What's even more alarming is that the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report. 2024 could be even worse, given the financial brinkmanship caused by the UHG Change Healthcare cyberattack.

Just last month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Rural Emergency Hospitals to avoid closing altogether.

Some of these hospital closures are the result of cyber-attack and in particular, one recent Illinois hospital closure is blamed upon a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid; general resource constraints; and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable among these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement security leading practices or the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and unless secured and maintained, can significantly elevate the risks of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why, many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.


Rural Healthcare Needs Help   

MSPs and MSSPs will manage a large number of hospitals at the same time, and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the manpower bandwidth to do so. This is the Catch22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.


A version of this blog was initially published here




Isn't it about time we secured BGP?



Border Gateway Protocol, or 'BGP' as it is more often called, has been a staple of internet routing since the heady days of 1989, when TCP was finally getting into its stride and the internet as we know it was in its infancy.

BGP enables routers to determine the most efficient paths for data to travel across networks, to ensure scalability and efficiency. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between different autonomous systems on the internet. The trouble is that, like many things to do with the internet, it was never really designed to be secure, and this leads to all kinds of problems, as we shall see.

BGP has been abused multiple times since Al Gore claims to have invented the Internet. Joking aside (it was actually Vint Cerf and Bob Kahn who are credited with the accomplishment), BGP has suffered some pretty high-profile attacks that have caused outages or, even more alarmingly, routed traffic through a specific country, one known for its prolific cyber espionage practices.

In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since.

Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so called “error”, especially considering at the time, not all government network traffic was being encrypted.

More recently in 2018 cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users' cryptocurrency by tricking them into entering their credentials on the fake site.

The White House naturally has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is the Resource Public Key Infrastructure (RPKI) - a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes.

To that end, the White House has released a guidance document for ways of improving upon BGP in a proposed roadmap to enhance internet routing security. This includes the adoption of new technologies including RPKI. As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.”

The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.”
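The check that RPKI makes possible, Route Origin Validation as specified in RFC 6811, as an added example written for this page (not code from the post or from the White House roadmap). The ROAs, prefixes and AS numbers are constructed placeholders, and the router policy of dropping only 'invalid' routes is an assumed common operator practice rather than anything the roadmap prescribes.

```python
"""Route Origin Validation (RFC 6811) against a constructed set of ROAs.

In a real deployment the router receives Validated ROA Payloads from an
RPKI validator; here the ROAs are constructed sample data (documentation
ASNs from RFC 5398 and benchmarking/documentation address space), not
those of any real network or incident.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the resource holder controls
    max_length: int   # most specific prefix length the holder permits
    origin_as: int    # the AS authorised to originate the block


# Constructed sample ROAs: AS64496 holds an IPv4 /22 (may announce down to
# /24s) and an IPv6 /32 (down to /48s). AS64500 holds one /24 inside the /22.
SAMPLE_ROAS: List[ROA] = [
    ROA("198.18.0.0/22", 24, 64496),
    ROA("198.18.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64496),
]


def covering_roas(announced: str, roas: Iterable[ROA]) -> List[ROA]:
    """Return the ROAs whose prefix equals or contains the announced prefix."""
    net = ipaddress.ip_network(announced)  # strict: host bits must be zero
    found = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # subnet_of() raises TypeError across address families, so check first
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append(roa)
    return found


def validate_origin(announced: str, origin_as: int, roas: Iterable[ROA]) -> str:
    """RFC 6811 decision for one announcement: 'valid', 'invalid' or 'not-found'.

    not-found: no ROA covers the prefix, so RPKI has nothing to say about it
               (a less specific than any ROA is also not covered).
    valid:     at least one covering ROA names this origin AS and allows a
               prefix this specific (prefix length <= maxLength).
    invalid:   ROAs cover the prefix but none authorises this origin/length,
               the classic shape of a hijack or a leaked more-specific.
    """
    net = ipaddress.ip_network(announced)
    covering = covering_roas(announced, roas)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def apply_rov_policy(
    announcements: Iterable[Tuple[str, int]], roas: Iterable[ROA]
) -> Tuple[List[Tuple[str, int, str]], List[Tuple[str, int, str]]]:
    """Assumed common operator policy: drop 'invalid', accept 'valid' and 'not-found'."""
    roas = list(roas)  # may be iterated once per announcement
    accepted, rejected = [], []
    for prefix, origin in announcements:
        state = validate_origin(prefix, origin, roas)
        bucket = rejected if state == "invalid" else accepted
        bucket.append((prefix, origin, state))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed announcements: the holder's own routes, a more-specific
    # from an unrelated AS (the shape of the 2008 misrouting described above),
    # a route too specific even for the holder, and a prefix with no ROA.
    feed = [
        ("198.18.0.0/22", 64496),
        ("198.18.1.0/24", 64511),
        ("198.18.1.0/25", 64496),
        ("198.18.2.0/24", 64500),
        ("2001:db8:1::/48", 64496),
        ("198.51.100.0/24", 64511),
    ]
    ok, dropped = apply_rov_policy(feed, SAMPLE_ROAS)
    for entry in ok:
        print("ACCEPT", entry)
    for entry in dropped:
        print("DROP  ", entry)
```

Note that a ROA only protects prefixes it covers: a route that is less specific than every ROA comes back 'not-found', which is why ROA coverage of the full advertised address space matters.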

The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

The full roadmap can be read or downloaded in PDF here.


The Growing Rural Healthcare Cybersecurity Crisis


Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be a two- or three-hour drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center, which in an emergency could mean the difference between life and death.

For many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or worse, air-ambulanced at huge expense, to a city hospital where you and your infant can be cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open are continuously reducing their specialist services, which may not be used enough to remain profitable or cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures occurred between 2010 and 2021, with a record 19 closures in 2020 alone. Beckers, in a recent article, reviewed a longer period, claiming that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is that the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report.

As recently as this month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services; however, nearly all are currently running in the red, some as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency-only services as Emergency Rural Health Hospitals to avoid closing altogether.

Some of these hospital closures are the result of cyberattacks. In particular, one recent Illinois hospital closure is blamed on a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack, preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid, general resource constraints, and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let alone obtain the budget or expertise to implement the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers, these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems, including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and, unless secured and maintained, can significantly elevate the risks of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.

MSPs and MSSPs will manage a large number of hospitals at the same time and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the staff bandwidth to do so. This is the Catch-22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near-term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.



When is Enough, Enough?


This week marks yet another dark moment for healthcare, with yet another Russian cyber-attack against a supplier of critical services for two major London hospital trusts, where over 200 life-saving operations and hundreds of other appointments have had to be cancelled, while ambulances have been placed on divert.

Impacted are King’s College Hospital, Guy’s and St Thomas’ - including the Royal Brompton and the Evelina London Children’s Hospital – along with their associated primary care services. This includes GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs. All have had to revert to paper for blood tests and transfusions thanks to a ransomware attack against Synnovis, a provider of pathology services.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families,” said an NHS spokesperson in a statement.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics. On Monday it was hit with a cyber extortion attack, evidently the work of a Russian criminal group known as Qilin, which has demanded a $50 million ransom payment to be made within 120 hours. As a result, an emergency was declared, the National Cyber Security Centre notified, and the Cyber Operations Team called in for assistance. All of Synnovis's IT systems are believed to be affected.

The incident follows a separate case at Synlab Italia, which in April involved a different Russian group known as Black Basta forcing the company's services offline. The group has been linked to the Conti ransomware group, an even more infamous Russian organized crime syndicate. Following this attack, it took the provider nearly a month to restore the majority of its systems. It appears Synlab Italia didn't pay whatever ransom was demanded of it as Black Basta claims it has Synlab's data available for download in its blog. Black Basta is also thought to have been responsible for the attack last month against US healthcare provider Ascension Health.

The attack this week against Synnovis, however, appears to be the work of yet another Russian crime group known as Qilin. This ‘ransomware for rent’ group has targeted IT firms, medical organisations, courts and the 'Big Issue', and appears to operate with Vladimir Putin’s blessing. 'Qilin', also known as 'Agenda', has hacked hundreds of victims over the two years it has been operating under its known identities. Qilin’s 112 known victims span 30 different countries, with Russia and the Commonwealth of Independent States (ex-Soviet satellite countries) being the notable exceptions. No need to wonder why!

According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered, but refused to accept responsibility for the human cost. They suggested 'the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars'.

The Guy’s and St Thomas’ and the King’s College Hospital NHS Foundation Trust attacks are not unique events. In fact, it's the third such attack in the past 12 months against NHS trusts. In June of last year, a Russian cybercrime gang called BlackCat hacked the Barts Health NHS Trust. Then earlier this year yet another Russian gang, INC Ransom, attacked NHS Dumfries and Galloway, stealing 3 TB of protected health data.

The Russians have certainly cornered the cyber-extortion market, a criminal industry worth $14 billion as of 2022 and one growing rapidly at 73% according to SANS. Indeed, the growth of this industry appears to be directly linked to the number of ransoms being paid by victims, which in the first half of 2023 were estimated to have been more than $590 million. Cyber-extortion is, according to the NCA and FBI, a form of cyber-terrorism. So, in effect, those who pay extortion payments could be breaking the law by giving money to wanted terrorists, yet many still do so, and few of those who are directly financing this trade have been arrested or prosecuted thus far.


$590 million is also a valuable source of income and hard currency for Russia given all the trade sanctions the country is under following its partial invasion and ongoing war with Ukraine. What’s also apparent, is that no one in a criminal oligarchy like the Russian State is going to make $20 million a pop in ransom payments without sharing at least some of that new-found wealth with others all the way to the Mafia Don at the top, i.e. one Vladimir Vladimirovich Putin, reportedly the richest man in the world today.

But the costs of a ransom attack are far greater than merely the ransom payment (if payment is made), or the costs of forensic investigation, incident response, fines, lawsuits, and punitive damages. The costs when healthcare is attacked are measured in lives: how many patients die as a result of not receiving timely intervention and treatment (mortality), how many will die earlier than expected or are made to suffer for longer periods of time (morbidity), and how many patients are placed at risk, and have their safety compromised, thanks to critical IT and IoT systems being down.

Attacks against healthcare are not only an attack by a foreign adversary against a critical national infrastructure industry of a nation state, but also an attack that threatens the lives and wellbeing of its citizens. Attackers therefore run the risk that the full power of the state they attack might be used against them, kinetically, when all legal avenues fail to bring them to justice, or to stop their attacks. Russia does not regard cyber-attacks against other countries as a crime, nor does it honour extradition treaties with the rest of the world. Even then, its criminal justice system is irrevocably compromised and corrupted by money, power, and influence.

It is unknown to what extent the Kremlin is behind cyber-attacks against foreign critical national infrastructure, but Russia certainly turns a blind eye to them at the very least, by offering safe harbour to those engaged in this criminal activity. What is for sure is that the criminal activities of some Russians are helping to weaken and degrade many of Russia’s foreign adversaries. At the very least, the use of criminal proxies rather than official state assets provides the Kremlin with some level of plausible deniability, no matter just how implausible that is now becoming, or how insincere Putin’s claims of denial are today.

Until such time as Russia finally fails as a state, and a new Russia adopts a real legal-judicial system - one uncorrupted by others so that criminals can eventually be held to account - the NHS and other providers of healthcare services, including third parties, will need to seriously improve the cybersecurity and operational resiliency of key systems needed by patients. The UK will also need to critically evaluate any single points of failure in applications or underlying infrastructure, just as the US needs to following the recent UHG Change Healthcare attack. Relying on a single vendor or single application for critical parts of medical workflow can no longer be supported. The ability to switch out failed components of a modular architecture is already crucially needed, yet few healthcare providers have reached that level of resiliency today.

Out of all industries, health-care providers were the most targeted by ransomware gangs last year, according to a report by Cisco's Talos threat intelligence division. Cisco attributed the targeting to health-care organizations generally having “underfunded budgets for cybersecurity and low downtime tolerance.”

Given the criticality of IT and IoT in today’s digital health system and continuously rising cyber threats by adversaries, we need to focus a lot more time, effort, and money to build our healthcare services to be able to withstand all but the most destructive of attacks.

Mitigating Medical Device Vulnerabilities

How can health systems secure smart medical devices if manufacturers don't patch them regularly? Richard Staynings, chief security strategist at Cylera, discusses how organizations can mitigate that risk using their existing tools and technologies at HIMSS24 in Orlando, Florida.

 

Lockbit Take-Down


Many of us in the cybersecurity community woke this morning to very welcome news that the infamous Lockbit Ransomware as a Service (RaaS) crime syndicate was hit with a take-down action of much of its infrastructure. This was apparently led by the UK’s National Crime Agency (NCA), and the FBI, as part of an international law enforcement task force known as ‘Operation Cronos’.

Lockbit was one of the most prolific and destructive Russian Ransomware-as-a-Service (RaaS) groups, claiming over 2,000 victims worldwide and extorting over $120 million in ransom payments. It was, to put it mildly, ruthless, launching secondary and tertiary attacks against victims who refused to negotiate with the extortionists or to pay their extortion demands.

As part of its initial seeding of compromised networks with ransomware, it exfiltrated confidential information and threatened to publish this on its websites if payments were not made by the organization. When demanded ransoms were not received, the group contacted individuals whose information it had stolen, and demanded they pressure the victim organization to pay the ransom, or sometimes offered to exclude their information from a release if a payment was received.
    
Richard Staynings, Cylera
“Many times, corporate and individual victims paid the gang only to see their information posted publicly anyway,” claimed Richard Staynings, Chief Security Strategist with Cheltenham-based cybersecurity firm Cylera. “There is, after all, no trust in thieves,” he added.

The group was also known to publicly taunt victims on its website with a countdown clock showing when the information would be published unless payment was made.

Operation Cronos appears to have finally brought this criminal RaaS business to a halt, or at the very least slowed it down and ruined its reputation. Whether it stops the affiliates who use the RaaS to execute their attacks remains to be seen, as it's likely that many of the Lockbit tools are still out there and affiliates are likely to have copies of these.

It’s also quite likely that many of the un-indicted perpetrators involved in Lockbit will simply pick up and move into new crime groups to continue to ply their craft as part of other cybercrime services. This has happened in the past when law enforcement took down other crime syndicates. It is also possible that a new Lockbit rises from the ashes and starts over again, perhaps even under the same name with some of the same people.

Some of these crime syndicates are thought to be associated with the Russian Mafia and many in the past have worked closely with the Kremlin, FSB and GRU for espionage purposes, or to punish other nations, while Mother Russia can claim plausible deniability.

Many of the cybercriminals who engage in ransomware and other forms of cyber extortion, are of Russian origin and are able to attack victims from within Russia and other former Soviet states with near impunity. This is largely thanks to a lack of extradition treaties between these countries and the rest of the world, combined with a legal system that is easily corrupted by those with power, influence or money.

The FBI has accused Russia of harboring cybercriminals for years: as long as the perpetrators of cyber crime direct their craft against victims outside of Russia, the Russian state will conveniently turn a blind eye. This makes it particularly difficult to bring criminals to justice so long as they don't leave the former Soviet bloc of countries.

Of course, some wanted criminals, used to considering themselves above the law, have traveled outside of the former Soviet states and have been arrested or renditioned back to the United States for trial and punishment. One of the more notable of these was Roman Seleznev, the son of a close Putin confidant and member of the Duma lower house of parliament, Valery Seleznev, as reported some time ago by this site.

Lockbit was the largest RaaS and worked by selling its criminal services, acting as a one-stop shop to customers known as affiliates. These affiliates then identified and attacked victims using the Lockbit framework of tools and services. Based upon volume, the affiliates then received back from Lockbit between 60% and 80% of the ransom payments they were able to extort. The Lockbit network consisted of hundreds of so-called ‘bullet proof’ servers located all over the world. These have now been taken over by law enforcement as part of the Europol action. Copies of the Lockbit code, however, remain on PCs and servers in Russia and other countries where international law enforcement was unable to seize assets, since the crime of ransomware is not recognized in many of these countries.

It was perhaps inevitable that the NCA would lead this takedown effort following a January 2023 ransomware attack against part of the UK Royal Mail, in which packages could not be mailed overseas for many weeks. The attack was identified as using Lockbit, so the group must have been in the sights of the NCA ever since. The Royal Mail is a critical infrastructure industry (CII) of the UK, so any attack against a CII would have garnered attention at the highest levels, just as Lockbit attacks against the NHS have done in the past.

“While not all cyber crimes can be fully investigated, I am sure that Lockbit and its affiliates were prioritized by the NCA and the UK government following the Royal Mail attack,” said Staynings. “Lockbit ransomware attacks against NHS trusts were already sure to get the NCA’s attention, so the Royal Mail attack may have been the nail in the coffin for the group.”

“Gangs would be well advised to stay clear of national infrastructure industries if they want to avoid unnecessary attention. That goes not just for the UK, but for any law-abiding western power,” Staynings added.

While the Lockbit infrastructure was taken offline and decryption advice and keys posted on its servers, law enforcement reportedly obtained access quite some time ago. It's highly likely that they have been digging around and gaining intelligence on affiliates and those involved in building and maintaining the Lockbit service. It is also likely that they were mapping out the entire infrastructure so as to capture as much of it as possible in one go with a single legal seizure action.

This has resulted in the identification, indictment, and arrest of many of the gang’s generals. But it has also shed light on a much greater number of victims than has been reported, many of whom appear to have paid ransoms against the advice of law enforcement and national laws in their respective countries that forbid extortion payments to terrorists. Ransom and extortion are, after all, forms of terrorism.

“The cat is now out of the bag, and we could see legal actions against business leaders and their legal counsel, who made ransom payments against national laws and hid a cyberattack from shareholders, and the SEC, FCA, and others,” claimed Staynings.

Graeme Biggar, NCA
The NCA’s Graeme Biggar said the agency assessed that the group was responsible for 25% of ransomware attacks in the last year, including 200 known in the UK, though he added that there may have been many more. Indeed, total losses and damages from Lockbit and its affiliates could be in the billions of dollars. Whether this surpassed losses from ‘NotPetya’, another Russian cyberattack, attributed to the Russian military GRU, remains to be seen.

NotPetya is thought to have caused between $10 and $12 billion in damages to global organizations attacked, including Maersk, Mondelez, Merck, WPP, Reckitt Benckiser, Saint-Gobain and TNT Express. 

Maersk alone lost $250 million and suffered a further $300 million in damages. The 2017 cyberattack currently stands as the single most damaging and costly attack of all time. Its attack code was designed to attack Ukraine, but the malware unintentionally spread right the way across the world, impacting Russian businesses as well.

As part of the seizures, more than 200 cryptocurrency accounts believed to be linked to Lockbit have been frozen, so it seems likely that once the investigation is complete, at least a few victims may receive some of their ransom payments returned, as has been the case in other confiscations.

“It’s great to see the home team win a game finally, but there’s a long way to the finals,” claimed Staynings. “The trouble is that with cybercrime it takes many months or years to properly attribute actions. That includes victims, criminal actors, and all those involved in a cyberattack.”

“Undoubtedly, law enforcement needs to do things properly in order for prosecutions to stick and to identify all those involved in a criminal act. This was one of the better days, that’s for sure!” he concluded.

Building AI-based cybersecurity solutions

Richard Staynings, chief security strategist at Cylera, discusses the difficulties involved in being a cybersecurity professional, tackling bad actors and how AI can both improve and hinder strategies to ensure healthcare system security. (7m 14s).


ResonanceFM PassWord - The Security of IoT

Peter Warren host of 'PassW0rd' part of Future Intelligence (Fi). 

Join Richard Staynings and Peter Warren, host of 'PassW0rd' as they discuss the growing problem of the cybersecurity of IoT - the internet of things.

Future Intelligence (Fi) produces PassW0rd, its monthly hour long radio programme from London and Leipzig for broadcast on Resonance FM, London’s oldest independent radio station.


Been Vished Lately?


By Jon Taylor
Director and Principal of Security, Versa Networks

A lot of vendors lately have been talking about how they can help companies be “less hackable” through the implementation of advanced technology, reducing the attack surface, etc. One item you don’t hear security vendors talking much about is how companies can implement some basic security awareness policies that can also drastically reduce the chances of being compromised, or at least make it a bit harder for bad actors to gain access to the network.

One example that we can discuss in detail was an event that happened at the Defcon Social Engineering Village this year. One such opportunity was thoroughly demonstrated, although I honestly couldn’t believe my eyes (and ears!). On Day One they were having a vishing competition, where teams were placed into a sound booth with a phone dialing system, and they cold-called different businesses to probe for sensitive information on how these companies secured their environments. Now, one might say that there’s no way that someone doing this would really gather anything useful, but the results will absolutely surprise you, as they did me.

Vishing meets supply chain

Now, these vishers weren’t trying to call and gather information from the IT departments of major companies, but instead they were calling franchisees of large companies that we know (and love!). The competing teams were tasked with gathering some key pieces of information, and to do so were calling the individual franchises and acting as if they were from the corporate parent company, posing as the IT department, franchise relations, or even another franchisee. What’s interesting about this information is that it would have given these vishers the ability to backdoor and compromise not just the franchise, but also gain access to the corporate system as well. The information they were gathering ultimately centered around the franchise-accessed resources provided by the parent company, including technologies such as VPN/ZTNA services and secure websites published to the internet. Some of the resources they were probing for were corporate ordering, timecard/revenue entries, other types of inventory control, etc. They would also ask questions about the type of antivirus/anti-malware being used on the machines, especially the point-of-sale terminals.

If the above sounds bad, it was actually worse. During the exercise, at some point they would have the “mark” go to a mocked-up website from a point of sale (POS) terminal that would self-install a piece of malware, which allowed them to gain access to the computer. Now imagine what would happen if this POS terminal became compromised in some way. Just the amount of credit card information alone would be incredibly valuable on the dark web if it was to be sold. Also, if this terminal had any type of access to the parent network, then the payload could allow the malicious actor to enter the parent corporate system and do anything from planting ransomware to exfiltrating sensitive data. During one call, an employee even offered to share her computer screen and show the visher how they logged into each system using a VPN service, and offered up usernames and passwords. If this had been a real malicious actor gathering this information, then this would have been disastrous for both the parent company and the franchise, as the incident response, public disclosure, and loss of reputation could cost millions.

Now one might say that this is an example of a small business being targeted, so of course there isn’t going to be security awareness training, and as long as the parent company has the right security tools they will not be breached. Well, the latest example of this is the MGM incident. The exact same thing happened to a major corporate brand, where someone was able to perform a vishing exercise and ultimately gained access to the corporate environment.

Make people aware

So, what kind of “low-hanging fruit” items should any organization be doing? First off, there should be policies in place for any employee within the company to be able to accurately identify any other employee from the company. There should also be mandatory security awareness training for all employees including IT, and it should be renewed within one year of the initial training. In the case of a franchise model, and because of the supply chain risk, the franchise parent company should implement this mandatory security awareness training as part of its franchise agreement.


What is the Cost of Loss?


Join Richard Staynings on The Segment: A Zero Trust Leadership Podcast as he explores the questions of 'Why is Resiliency so important?' 'What is Zero Trust?' and 'What is the Cost of Loss?' following a breach.

Tune in to this 45 minute podcast as Richard Staynings and host Raghu Nandakumara discuss very topical cybersecurity issues and concerns for healthcare and other industries.


The Maturity Paradox

Figure 1 The Maturity Paradox. Credit: Shaun Van Niekkerk

The healthcare industry has undergone a dramatic technological transformation over the past decade. From our frustrating interaction with a provider’s voice menu systems before we can speak with a human, to script-reading, near-useless overseas call center staff that attempt to sort out medical billing problems, we have finally entered the digital era. Gone are the days of calling a provider; simply jump on the online provider web portal or open the mHealth app on your smartphone and get what you need – well, almost!

Long gone are the days of fat manila files full of medical records that no one ever looks at (unless there is a problem), and welcome in the days of the electronic medical record (EMR) with seamless interoperability across primary, secondary, and tertiary health providers. The EMR that prevents 10 different nurses from asking you the very same question on each visit (yeh right!).

Gone are the days of the suited elderly stoic medical doctor with his leather doctor’s bag and personalized stethoscope, and in are the days of the guy or girl dressed in sneakers and scrubs who looks barely old enough to have graduated high school let alone medical school.

Today’s doctor’s office is now a showcase of medical technology. Absent are the bookshelves full of leather-bound medical journals, and in their place are gadgets, gizmos, and computers that all report dutifully to the almighty EMR. The average hospital bed has between 8 and 12 medical devices. The average ER or ICU bed can have upward of 30 connected medical devices.

But the hospital room of today is not just stuffed with medical devices; the room itself is connected and smart. It turns off the lights when the room is empty, and it knows when to tell the HVAC that it needs negative air pressure (for infectious patients) or positive air pressure (for immune-compromised patients). It also contains CCTV cameras that display at the nearby nurse station to identify when a patient is in need of attention, and a whole heap of patient telemetry systems that report all kinds of vitals to those whose job it is to know. Healthcare of the 2020s is now highly technology dependent and full of advanced equipment, and the pace of change is accelerating at an almost exponential rate.

Medical technology has transformed our ability to quickly diagnose medical conditions, to treat ailments, often by non-invasive means, and to quickly restore a patient back to a fully functioning member of society. Genomics-based personalized medicine may one day prevent the onset of disease and the breakdown or wearing out of the body’s components, and this may render all of us perfectly fit and mentally healthy well into our nineties and for some, even beyond.

Digital interoperability between discrete medical, public health, insurance, and population health systems is now driving the meaningful exchange of public health information (PHI). So, when you need to see a doctor while on vacation hundreds of miles or kilometers away from your home, that doctor will have access (with your permission) to your complete medical records and be able to prescribe the best possible course of treatment for you.

In Europe a German tourist can visit a Portuguese doctor while on vacation, and that doctor can access the tourist’s complete medical history. In the United States we are not quite there yet, but other OECD countries have deployed a fully functional national medical record. In Australia, ‘My Health Record’ even allows the patient to upload their fitness and other consumer medical data to their electronic patient record (EPR) from consumer devices like an Apple Watch or an iPhone. The technological enablement of healthcare has helped to contain costs and to drive provider efficiency by removing the need for duplicate tests and putting information at each physician’s fingertips. AI-based diagnostics are leading to targeted rather than broad treatments, which in turn leads to improved patient outcomes and reduced morbidity and mortality. However, digital transformation has come at a cost.

The fortress citadel of healthcare payers, providers and life sciences organizations is no longer able to secure healthcare data as it once did. That data is now extensively shared with patients, and used for research to help drive better pharmaceuticals, healthcare tools and applications. This has greatly expanded the threat surface, and healthcare data now spreads far beyond the walled confines of a doctor’s office or a hospital. Web portals where patients can check their insurance coverage, make appointments with providers, review test results, or chat with a physician are now widespread. So too are mobile health applications and a ubiquitous rise in the use of medical wearable sensors such as a Fitbit or an Apple Watch. These monitor patient activity, pulse and heart rate, and no doubt many other things in versions yet to be released. The medical data on all of us is steadily increasing. So too is the aggregate, largely de-identified medical dataset used for training of artificial intelligence (AI).

Indeed, rising use of AI-based machine learning (ML) is helping to drive clinical decision support and evidence-based medicine. AI has facilitated much safer low-dose radiological imaging and is driving the development of personalized medicine. But AI requires vast amounts of data for model development and training, and so presents risks, if not properly secured, alongside its obvious benefits.

Healthcare IoT (HIoT) and the rise of the Internet of Medical Things (IoMT)

The same is true for medical devices and other healthcare IoT which are growing each year at a staggering 16% compound growth rate. These are connected to medical networks, communicate directly with critical healthcare IT systems such as the EMR and create, store, or transmit large amounts of PHI.

Without even considering their alarmingly rapid growth, these systems all present a huge cybersecurity risk. This is because most were never designed with security in mind, nor can most be patched when security vulnerabilities are discovered in their underlying operating code. What’s more, many have an amortized life span measured in decades rather than the few years an inexpensive Windows PC might have, so these IoT systems will be with us for many years to come.

HIoT includes an array of typically large diagnostic machines – CT, X-Ray, PET, MRI, ultrasound; treatment systems such as ventilators, infusion pumps, defibrillators, radiotherapy, and chemotherapy devices; and a multitude of systems for patient monitoring and management. It also includes a rising use of pharmacy and surgical robotic systems, as well as hospital building management systems for managing HVAC, which provides hospitals with negative airflow to contain pandemic disease and clean rooms for surgery. These systems also include a wide array of laboratory, CCTV, elevator, door lock, and other building systems critical to hospital workflow and safety.

The trouble is that most HIoT devices were built with very narrow design parameters, so they lack the hardware to run newer operating systems, or the storage to support a patched application if that increases the size of the application footprint. Many manufacturers refuse to spend money on developing or testing patches or security fixes because that cost was never built into their business model. Instead, they tell their customers to purchase a newer, more secure device, even though there may be many years left on the amortization schedule of the existing system - a device which probably works perfectly, other than presenting security risks to the medical network and safety risks to patients. In such cases, hospitals and their clinical engineering and cybersecurity teams are faced with the prospect of retiring early perhaps millions of dollars in capital assets, patching these devices outside of vendor warranties, or implementing compensating security controls that will pass audit and allow the continued use of these devices until they can be fully written off. None of these options were, until recently, easy or appealing to healthcare leaders.

Medical devices are connected to the medical network on one side, and often a patient on the other side. They present one of the greatest patient safety and cybersecurity risks of all innovative new healthcare technology. They also present an open back door to hackers with the skills to compromise these simple devices.
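The three options above (patch, retire early, or compensate and isolate) are a decision a clinical engineering and cybersecurity team has to make device by device across the inventory. The following is an added example, not code from this post or from any vendor, showing one way to turn that decision into a repeatable triage: each device is scored on whether its OS is still supported, whether the manufacturer will patch it, whether it is attached to a patient, whether it handles PHI, and whether it already sits on an isolated network, and then mapped to one of the three actions. The scoring weights, the field names, and the sample inventory are all assumptions constructed for illustration.

```python
"""Legacy HIoT triage: decide patch / retire / compensating controls.

Added example, not part of the blog post. The scoring weights and the
sample inventory are assumptions constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class HiotDevice:
    name: str
    os: str
    os_vendor_supported: bool    # OS vendor still ships security updates
    device_vendor_patches: bool  # manufacturer will validate and release patches
    amortization_end: int        # year the capital asset is fully written off
    patient_connected: bool      # physically attached to a patient
    handles_phi: bool            # creates, stores or transmits PHI
    segmented: bool              # already isolated on a medical-device VLAN


# Assumed weights: unpatchable, patient-connected devices on a flat network rank first.
WEIGHTS = {
    "unsupported_os": 3,
    "no_vendor_patches": 2,
    "patient_connected": 2,
    "flat_network": 2,
    "handles_phi": 1,
}


def risk_score(d: HiotDevice) -> int:
    """Additive exposure score; higher means triage it sooner."""
    score = 0
    if not d.os_vendor_supported:
        score += WEIGHTS["unsupported_os"]
    if not d.device_vendor_patches:
        score += WEIGHTS["no_vendor_patches"]
    if d.patient_connected:
        score += WEIGHTS["patient_connected"]
    if not d.segmented:
        score += WEIGHTS["flat_network"]
    if d.handles_phi:
        score += WEIGHTS["handles_phi"]
    return score


def recommend(d: HiotDevice, current_year: int) -> str:
    """Map a device to one of the three options the post describes."""
    if d.os_vendor_supported and d.device_vendor_patches:
        return "patch"                  # supported and patchable: just patch it
    if d.amortization_end <= current_year:
        return "retire"                 # fully written off and unpatchable: replace it
    return "compensating-controls"      # book value left: isolate and monitor instead


def compensating_controls(d: HiotDevice) -> list:
    """Controls a clinical engineering team would document for audit."""
    controls = []
    if not d.segmented:
        controls.append("move to a dedicated medical-device VLAN")
    controls.append("allow only the EMR/PACS integration flows the device needs; "
                    "deny all other inbound traffic")
    controls.append("passive network monitoring with alerts on any new peer or protocol")
    if d.patient_connected:
        controls.append("clinical review of fail-safe behaviour if the device loses "
                        "network access")
    return controls


def triage(inventory, current_year: int) -> list:
    """Return one record per device, highest risk first (ties broken by name)."""
    rows = []
    for d in inventory:
        action = recommend(d, current_year)
        rows.append({
            "name": d.name,
            "os": d.os,
            "score": risk_score(d),
            "action": action,
            "controls": compensating_controls(d) if action == "compensating-controls" else [],
        })
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


# Constructed sample inventory (not real devices or hospital data).
SAMPLE_INVENTORY = [
    HiotDevice("infusion-pump-A", "Windows CE", False, False, 2029, True, True, False),
    HiotDevice("ct-scanner-B", "Windows 7", False, False, 2022, False, True, True),
    HiotDevice("ultrasound-C", "Windows 10", True, True, 2027, False, True, False),
    HiotDevice("hvac-bms-D", "embedded Linux", True, False, 2030, False, False, False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, current_year=2024):
        print(f"{row['score']:>2}  {row['name']:<16} {row['action']}")
        for c in row["controls"]:
            print(f"      - {c}")
```

Run against the constructed inventory with 2024 as the current year, the patient-connected infusion pump on an unsupported OS and a flat network tops the list and gets compensating controls, the written-off CT scanner is flagged for retirement, the building management system (supported OS but no manufacturer patches) is isolated and monitored, and only the fully supported ultrasound is a straightforward patch. The point of writing it down as code is that the weights and the three actions become something an audit can read, rather than a judgement made afresh for each device.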

Cybersecurity Risk

As healthcare data continues to become ever more valuable, its theft and sale on the dark web can command high prices. So too is the rising value of cyber-extortion, where hospitals and other healthcare providers are held to ransom by mafia-like criminals. A closed hospital is one unable to treat patients in need, and this has major implications for patient morbidity and mortality, as well as for the community served by a ransomed hospital. Consequently, and because of a lack of preparedness and under-funding in cybersecurity resiliency, healthcare providers tend to pay ransoms at a rate far higher than other industries, and this is fueling the growth of an extortion industry that targets healthcare.

All of these factors - digital transformation, growth of AI, rapid expansion of HIoT / IoMT, and the shortsightedness of healthcare executives and their government overseers that is responsible for fueling ransomware - are leading to declining security, as the rapid pace of adoption of new healthcare technology far outpaces the cybersecurity needed to keep patients safe and hospitals secure.

Cybersecurity can be a very effective enabler of new riskier opportunities for patients and their care teams to engage together via technologies. But without a corresponding improvement in cybersecurity, new technologies just add risk to an already highly risky industry.

As we continue to introduce new technology to hospitals, the digital maturity of health IT is outpacing the cybersecurity maturity of healthcare providers, and this creates a technical debt: gaps which adversaries are all too willing and able to exploit and monetize. This is the Maturity Paradox.



"Health care has traditionally underinvested in information technology," claims Dr. John Halamka, chief information officer of Beth Israel Deaconess Medical Center in Boston. Halamka, who has been a CIO since the 1990s, says just a decade ago, pretty much all health records were paper. Then, in a period of a few years, hospitals switched to electronic records. But the security of digital health data has not kept up with its growth. Other industries, like financial services and the federal government, have devoted more than 12 percent of their IT budgets to cybersecurity. Health care averages just half that.