A proactive prescription for network exposure management

Every year, cybersecurity researchers catalog more common vulnerabilities and exposures (CVEs) than there are kinds of common cold. For reference, roughly 200 viruses cause the common cold, but in 2024 researchers published more than 40,000 CVEs.
Just as viruses mutate to evade the immune system, threat actors constantly develop new exploits for these vulnerabilities. Those exploits are then delivered through ransomware and advanced persistent threat (APT) campaigns, or packaged into exploit kits and sold in the darker corners of the dark web.
One year after the Change Healthcare breach, organizations are acutely aware of the potential impact of these threats. According to a report by Bain & Company and KLAS Research, 70% of providers and payers were affected by the resulting outage, and patient care was affected as a consequence.
The challenge is that diagnosing risk in complex healthcare systems is difficult. IT and OT networks are interconnected in ways their original architects never intended. Vulnerabilities are routinely found in medical devices and software, yet many legacy systems cannot be patched or hardened.
Regulatory compliance faces similar challenges. For example, the proposed changes to HIPAA would require organizations to maintain asset inventories, analyze risk and scan for vulnerabilities, which are precisely the tasks cybersecurity teams already struggle with.
Organizations need a proactive approach to identifying, prioritizing and mitigating threats in real time. That means gaining visibility into, and control over, every physical and virtual asset. As the old saying goes, "An ounce of prevention is worth a pound of cure."
Medical networks are as complex as the human nervous system
The attack surface of healthcare systems includes enterprise assets, patient care systems, and building management systems (such as HVAC), often across multiple facilities and even hosted in the cloud. A major challenge is the diversity of equipment and systems.
Medical devices, electronic health records (EHRs) and other critical systems are typically built by different vendors, each with its own security controls and update cycle. This fragmentation makes it hard to apply consistent monitoring and protection strategies.
Older devices that predate modern cybersecurity practice are especially problematic: they were designed without security in mind and are difficult to patch and protect. Even where a fix exists, healthcare providers may hesitate to apply it for fear of downtime that disrupts patient care.
Third-party risk (such as vulnerable software libraries embedded in products) and a lack of insight into mission-critical assets compound these challenges.
In short, it can be difficult for organizations to see, protect and manage all assets on their network.
Under the microscope: vulnerabilities in healthcare systems
As an example, consider the vulnerability in NextGen Healthcare's Mirth Connect that allows remote code execution. Mirth Connect is a widely used data integration platform that links EHR systems, medical devices and other applications, so this vulnerability could affect many healthcare organizations.
These are exactly the kinds of systems that accumulate technical debt, because an end-of-life (EOL) operating system no longer receives security updates. In fact, this Mirth Connect vulnerability was discovered because an earlier vulnerability had not been completely patched.
Some medical imaging servers running EOL software may still be exposed to these vulnerabilities, and such systems are also difficult to monitor. All of them are attractive targets for attackers who buy and distribute exploit kits on the dark web.
Cybersecurity teams should prioritize updating Mirth Connect to minimize the risk of compromise of the medical devices connected to it, and should confirm the running version after the upgrade rather than trusting the change ticket, since the earlier fix for this issue was itself incomplete. They should also isolate affected systems through network segmentation and continuously monitor them for suspicious traffic or abnormal behavior. Fundamentally, though, a more proactive approach to defending and managing the entire attack surface is needed.
A routine of cybersecurity hygiene
Just as hand washing reduces the spread of disease, a handful of cybersecurity fundamentals can reduce the impact of cyberattacks. And because the compliance challenges overlap so closely with the security challenges, these same fundamentals also strengthen compliance.
Visibility is the first step toward a proactive approach. Building a comprehensive asset inventory means discovering unknown and unmanaged devices so that every asset is monitored. The proposed HIPAA update may require regulated entities to map the flow of electronic protected health information (ePHI) through their systems, so the inventory is a natural starting point.
Just as routine blood work can reveal risk factors for disease, device-level insight lets security teams identify and remediate the vulnerabilities that matter, instead of being buried under millions of alerts.
Continuous monitoring enables continuous risk scoring and assessment of both cybersecurity risk and compliance posture. Historically, such risk assessments have been static snapshots that become obsolete almost as soon as they are written.
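As an added illustration of the three steps above (inventory, ePHI flow mapping, continuous scoring), the script below is example code written for this edit; it is not from the article, from Armis, or from any product. It reconciles an asset inventory against flows observed on the wire to surface unmanaged devices, maps which flows carry ePHI, flags traffic that crosses network segments, and turns those findings into an exposure score that can be recomputed every time new flows arrive. It also reflects the prioritization advice from the Mirth Connect section: an integration engine on an EOL operating system, reachable from an unmanaged device and talking across segments, ranks first. The inventory, flow records, port-to-protocol mapping, end-of-life dates and scoring weights are all constructed assumptions for the example, not real data or a real scoring model.

```python
from datetime import date

# --- Constructed sample data (illustrative only, not real assets) ----------

# What the CMDB / asset inventory believes is on the network.
INVENTORY = {
    "10.20.1.5":  {"name": "ehr-app-01",  "os": "Windows Server 2019", "segment": "clinical"},
    "10.20.1.9":  {"name": "mirth-01",    "os": "Windows Server 2012", "segment": "clinical"},
    "10.20.3.14": {"name": "pacs-img-02", "os": "Windows 7",           "segment": "clinical"},
    "10.20.9.2":  {"name": "hvac-ctl-01", "os": "embedded",            "segment": "facilities"},
}

# Vendor end-of-support dates (assumed here; verify against vendor lifecycle pages).
EOL = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2019": date(2029, 1, 9),
}

# Destination ports assumed to carry ePHI on this network (HL7 over MLLP, DICOM, HTTPS).
EPHI_PORTS = {2575: "HL7/MLLP", 104: "DICOM", 11112: "DICOM", 443: "HTTPS"}

# Flow records (src, dst, dst_port) as a passive network sensor might report them.
FLOWS = [
    ("10.20.3.14", "10.20.1.9", 2575),  # imaging server -> integration engine, HL7
    ("10.20.1.9",  "10.20.1.5", 443),   # integration engine -> EHR, HTTPS
    ("10.20.7.77", "10.20.1.9", 2575),  # unknown device sending HL7 to the engine
    ("10.20.9.2",  "10.20.9.1", 502),   # HVAC controller -> Modbus peer, no ePHI
    ("10.20.1.9",  "10.20.9.2", 445),   # clinical -> facilities over SMB
]

# Illustrative weights; a real program would tune these to its own risk model.
W_EOL, W_EPHI, W_UNMANAGED_PEER, W_CROSS_SEGMENT = 40, 30, 20, 10

AS_OF = date(2025, 6, 1)  # fixed assessment date so the output is reproducible


def find_unmanaged(inventory, flows):
    """Addresses seen on the wire that the inventory does not know about."""
    seen = {ip for src, dst, _ in flows for ip in (src, dst)}
    return sorted(seen - set(inventory))


def ephi_flows(flows):
    """Flows on ePHI-carrying ports: the raw material for an ePHI data-flow map."""
    return [(src, dst, EPHI_PORTS[port]) for src, dst, port in flows if port in EPHI_PORTS]


def cross_segment_flows(inventory, flows):
    """Traffic between inventoried assets in different segments (a segmentation gap)."""
    return [
        (src, dst, port)
        for src, dst, port in flows
        if src in inventory and dst in inventory
        and inventory[src]["segment"] != inventory[dst]["segment"]
    ]


def score_assets(inventory, flows, today):
    """Return {ip: (score, reasons)} for every inventoried asset."""
    unmanaged = set(find_unmanaged(inventory, flows))
    touches_ephi = {ip for src, dst, _ in ephi_flows(flows) for ip in (src, dst)}
    crosses = {ip for src, dst, _ in cross_segment_flows(inventory, flows) for ip in (src, dst)}
    # Inventoried assets that exchange traffic with a device nobody manages.
    peers_of_unmanaged = {
        dst if src in unmanaged else src
        for src, dst, _ in flows
        if (src in unmanaged) != (dst in unmanaged)
    }
    scored = {}
    for ip, asset in inventory.items():
        score, reasons = 0, []
        eol = EOL.get(asset["os"])
        # An OS with no known lifecycle is treated as unsupported: unknown is not safe.
        if eol is None or eol <= today:
            score += W_EOL
            reasons.append("OS end-of-life or lifecycle unknown")
        if ip in touches_ephi:
            score += W_EPHI
            reasons.append("handles ePHI")
        if ip in peers_of_unmanaged:
            score += W_UNMANAGED_PEER
            reasons.append("talks to an unmanaged device")
        if ip in crosses:
            score += W_CROSS_SEGMENT
            reasons.append("cross-segment traffic")
        scored[ip] = (score, reasons)
    return scored


def prioritize(inventory, flows, today):
    """Remediation order, highest exposure first, as (ip, name, score, reasons)."""
    scored = score_assets(inventory, flows, today)
    return sorted(
        ((ip, inventory[ip]["name"], s, r) for ip, (s, r) in scored.items()),
        key=lambda row: row[2],
        reverse=True,
    )


if __name__ == "__main__":
    print("Unmanaged devices:", find_unmanaged(INVENTORY, FLOWS))
    print("ePHI flows:", ephi_flows(FLOWS))
    print("Cross-segment flows:", cross_segment_flows(INVENTORY, FLOWS))
    for ip, name, score, reasons in prioritize(INVENTORY, FLOWS, AS_OF):
        print(f"{score:3d}  {name:12s} {ip:12s} {', '.join(reasons)}")
```

Two design choices are worth noting. First, an operating system with no entry in the lifecycle table scores as if it were EOL, because an asset whose support status nobody knows is exactly the kind of blind spot the inventory exercise is meant to remove. Second, the unmanaged device 10.20.7.77 never gets a score of its own (it is not in the inventory to score), but its HL7 session with the integration engine raises that engine's score, which is how a passive sensor turns an unknown peer into an actionable finding.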
Continuous monitoring can be paired with early-warning vulnerability intelligence that highlights emerging threats. For example, security operations can watch for specific indicators of compromise, such as the particular CVEs that a given APT group is known to exploit.
Organizations such as Health-ISAC promote information sharing among healthcare organizations. Cybersecurity solutions often use techniques such as smart honeypots and dark web monitoring that can identify new threats and the exploit kits behind them early.
The good news is that healthcare provider and payer organizations are increasing their IT spending, which means more money for reviewing systems and minimizing points of exposure. This investment in preemptive protection will pay dividends for cybersecurity programs and gets ahead of the HIPAA updates that will impose stricter cybersecurity requirements.
Mohammad Waqas is the Chief Technology Officer (CTO) of Armis Healthcare. He is an information security professional with more than a decade of experience in the healthcare cybersecurity industry. Currently, Mohammad helps healthcare organizations around the world with medical device security and focuses on aligning the value of the Armis platform with specific healthcare use cases.
This article was published through the MedCity Influencers program. Anyone can publish their perspective on healthcare business and innovation on MedCity News through MedCity Influencers.