Addressing common challenges in healthcare cybersecurity


The medical industry has one of the largest concentrations of valuable information for threat actors. The healthcare sector collects countless bytes of personally identifying data from patients and employees, making medical databases prime targets for cyberattacks.

Despite the priceless nature of healthcare information, there is skepticism and reluctance to adopt new tech. Overcoming these challenges is essential for healthcare cybersecurity as professionals find ways to improve safety for themselves and their patients.

Reducing the Surface Area

Electronic health records (EHRs) exist in countless places. Old hard drives, servers, flash drives, and cloud storage are just a few data silos containing private patient data. So long as health care professionals know where everything is, what does it matter if it’s in a filing cabinet or an employee’s computer?

The Problem

There is a lack of standardization across private and public health care practices, meaning data storage for health information nestles in unprotected digital environments. The more these files spread out, the more surface area hackers have to find vulnerabilities. The sector must reduce this attack surface to more comprehensively oversee secure data.

Superfluous access is an adjacent issue. Patient and employee data, like social security numbers and insurance cards, may be viewable by countless employees, even if it isn’t pertinent to their position. The surface area is an issue internally and externally. Cybersecurity remediation is more complex and time-consuming when there’s a large attack surface because it’s more challenging for analysts to find an attack’s original point of entry.

Additionally, healthcare companies shouldn’t only consider external threats. Staff could also take that information out maliciously — committing identity theft or fraud — or transfer info outside safe places out of ignorance, like through an unencrypted email exchange.

Possible Solutions

HIPAA compliance is the framework attempting to curb these occurrences. However, it isn’t faultless. Other cybersecurity measures must reinforce HIPAA to be effective. Zero trust and least privilege are a few cybersecurity rules that can start this process — in addition to more regular auditing.

Additionally, companies should be consolidating their data silos and creating internal standards for data management until they become more federally regulated. Companies can begin digitizing paper documents and shredding and deleting unnecessary or outdated records, looking to best data minimization practices to bolster security.

Some companies fear consolidation because of a more-is-better mentality in health care — if a company has more information that better informs decision-making, they have a competitive advantage. However, healthcare companies could begin shifting from a profit-focused business model to embrace greater confidentiality. It’s more important than ever to make this mental switch as new technologies like artificial intelligence (AI) in health care causes regulating bodies to scramble to solidify consistent regulations.

Defending Medical Devices

Medical devices are the lifeblood of health care. From radiology equipment to home medical devices, patients depend on these devices to function without interruption or compromise because lives are literally on the line. However, every piece of tech on the planet is at cybersecurity risk. How susceptible are medical devices?

The Problem

Workforces rely on medical devices to diagnose, record and cure patients. Users rely on medical devices to notify of issues and keep them healthy. Overreliance on these devices has become the norm, and they are some of the industry’s weakest entry points for several reasons.

Medical devices are homogenous — MRI machines have similar blueprints, and internal defibrillators are generally the same worldwide apart from branding. These similarities are cost-effective solutions for mass production and accessibility, but because of this and their infrequent updates, there are potentially countless doors for cyberattacks.

With medical devices being in professional use and personal, it’s also difficult to ensure every device of a type receives the same defenses, mainly when individual use varies widely depending on life circumstances and conditions.

In contrast, many medical devices are embracing a more intensive tech stack. That connectivity could bring a similar quantity of cybersecurity concerns, but they would be a different flavor. Analysts would need to prepare for every situation.

Possible Solutions

One way to secure medical device cybersecurity is collaboration. Management teams, accounting departments, and technology-focused parties are the first groups that need to collaborate. Health must invest more resources, financial and otherwise, into cybersecurity. The sector has pushed it aside in budgets for too long, allowing it to fester into the security issue endemic to medical devices it is today.

Hackers know how healthcare enterprises feel about cybersecurity. They take advantage of that dismissive attitude by increasing the threat scope while companies still determine priorities. If health care makes a public promise to take security more seriously, especially with medical devices, threat actors might second-guess performing an attack.

IT teams and cybersecurity analysts can work with regulating bodies to determine the best next steps for standardizing continuous security implementation and updates. Groups can also communicate with medical professionals, like bioengineers, who have unique insights into how these devices should best operate. Though analysts can translate best security practices for computers or cloud services to other tech types, insider operational knowledge will be invaluable for finding the most straightforward protective solutions.

Incorporating the Internet of Medical Things (IoMT)

IoMT is a certainty, and it provides cybersecurity boons and concerns. EHRs can become more accessible and current, and medical devices have the potential to receive more thorough cybersecurity hygiene. But how can IoMT be an issue on its own?

The Problem

Medical facilities rely on antiquated legacy systems, containing technology rife with backdoors and cybersecurity vulnerabilities. One way to strengthen it is using more resilient MedTech, like IoMT. IoMT isn’t bulletproof because it arguably has more opportunities for hackers to sneak in. However, IoMT is easier for analysts and IT teams to work with and keep protected. Older systems aren’t compatible with more advanced security programs, like malware, and it costs more to maintain legacy systems, making companies less inclined to invest in their safety.

Home IoMT-connected devices that provide lifelines for countless people already cause skepticism from patients — doesn’t their reliance on connectivity makes them more fragile for more people? The association with hackers abusing modern tech is widely known. Patients with distrustful relationships with their IoMT may discredit their effectiveness, putting the technology in more compromising situations because of complacency or ignorance.

Lastly, with wearable medical devices becoming the norm, the health analytics they collect must stay secure in databases. The data is incoming faster than humans can perceive, and whether the sector has guarded against this novel flow of information is questionable. It’s especially concerning when companies are in the news regularly for illegally selling collected consumer data or misusing it somehow. Around 69% of HIPAA complaints from 2003-2021 were violations, signifying blindspots with data abuse.

Possible Solutions

It’s time for medical institutions to update their tech, including companies outside hospitals, like wearable tech brands like Fitbit. Simultaneously, they must learn how to protect and utilize IoMT-collected data securely. When these life-saving technologies operate via connected apps, medjacking and stealing credentials could be simpler than ever for hackers. Using more robust protocols will make these products safer for users.

Embracing IoMT-connected devices with assets like AI can leverage automation, improving cybersecurity — but only through an entire supply chain. One doubter could jeopardize the strength of the whole, rendering efforts void.

Despite its newness in the tech world, IoMT is already more advanced than legacy tech regarding security systems. Plus, it can automatically check credentials, verify identities and notify analysts in the event of suspicious activity. These benefits are only possible if medical enterprises embrace IoMT.

Forming More Secure Digital Health Care Environments

These are a few of the most prevalent issues facing the healthcare sector in a world of rampant cybersecurity concerns. Given the value of EHRs and PHI, companies should invest and prioritize protecting their patients and employees. Hackers’ know-how behind the industry is when it comes to solid defenses, and they will take advantage of that if healthcare doesn’t act now.