
By Dan Gonci
In 2023, the health care industry experienced over 500 reported breaches, impacting more than 100 million people. Fast forward to 2024: Change Healthcare suffered a ransomware attack that resulted in a ransom payment of approximately $22 million. This was merely one instance illustrating the significant threats facing the health care industry. Attackers now recognize that what matters is not the number of attacks, but the strategic value of the targets they choose. Consequently, every cybersecurity professional in health care anticipates the inevitable day when their organization will face a cyberattack. Health care organizations in the United States invest millions of dollars annually in their cybersecurity programs to protect their facilities and data. But what happens when, after all that investment, a neighboring partner with inadequate security measures gets compromised? What are the consequences of being cyber-proximate to a breached entity? How can we ensure the comprehensive security of our network, including our partners, to prevent such incidents?
To understand the recovery process after a cyberattack, we will walk through a scenario and review the steps that healthcare technology management (HTM) staff should follow. Picture this: You receive a notification from a partner about an ongoing attack and immediately begin terminating any network connections and tunnels established between you. During the initial hours and days following the attack, the situation is somewhat chaotic, and little information is available about the incident affecting your partner. You note that you have VPN (virtual private network) tunnels in place with them and realize you must operate under the assumption that your network could also be compromised. At this point, the security operations team goes into full swing and actively searches for signs of compromise. From an HTM perspective, we initiate our response drills and assess the implications for our systems, asking questions such as: Is administrator access available for the supporting systems? What level of patching does the vendor permit on potentially affected systems? What data exchanges are established? Do we transmit data to the partner within patient workflows? What will the impact be on clinical operations? These are among the areas we need to examine before presenting our expert assessment to leadership.
The steps and actions we take when we are near a cyberattack typically mirror those taken during an actual attack on our own systems. Despite the inconvenience, we must carry out these measures to ensure our security and prevent any potential compromise through lateral movement from affected partners. In a recent simulation exercise, cybersecurity experts collaborated with a vendor to update accounts and passwords under the assumption that they had been compromised, addressing the possibility of lateral movement. This process involved extensive effort from various teams, including the vendor, HTM and clinical staff. Based on the hours spent on these tasks, the estimated recurring cost was approximately $15,000 per site for HTM and clinical staff alone, not factoring in the lost productivity of daily operations or the expenses related to IT and security staffing. Had this system been deployed across all the sites of that organization, the projected cost would have exceeded $2.5 million for an incident that wasn’t specifically targeted at the organization.
Health care organizations must thoroughly understand all external partnerships to effectively mitigate such events. It’s crucial to understand the data exchanged, the connections in place, and the potential business impact if a device is lost. Documenting this information when each connection is established, and validating it annually, is essential. HTM staff should convey to vendors the significant impact security incidents can have on the business and emphasize the importance of developing and supporting secure systems with robust infrastructure. Vendors should understand that it is no longer acceptable to develop and sell insecure systems and support them with weak infrastructure. The HTM community must prioritize securing medical environments, because simulations can quickly become reality.

