Heart and network
The cyberattack has resulted in Change Healthcare reflecting the risk of a “snowball” effect to which the presence of vulnerabilities within health systems can lead. This breach also confirms that hackers are interested in critical infrastructure and the truly colossal financial damage inherent in a successful attack; whether it is to obtain payment of a ransom or to paralyze an entire information system. If you look closely, the interconnection of the different components of the journey looks a lot like a “core and network” type IT infrastructure. Instead of targeting each element or service provider, hackers attack these hubs (core) which are deployed in hundreds of organizations and cause more havoc and with greater efficiency.
From major insurers to patients, everyone is affected. In some cases, the impact could be fatal for patients who cannot obtain the necessary medications; and in others, financially devastating for health care providers who find themselves deprived of all sources of income.
This cyberattack is a glaring example of the critical nature of support services in the care pathway. It also shows that the risk is not limited to medical devices alone, but goes well beyond.
Unplugged breaches
A recent report from Armis, “Anatomy of cybersecurity: a dissection of the attack landscape of 2023”, already warned in this sense: global cyberattack attempts more than doubled last year, exceeding by +104%. Another lesson is that more than 55,000 physical and virtual devices are connected to information systems on average every day. Yet, surprisingly, 40% of these assets are unmonitored! This risk of cyberattack is compounded when we also know that 12% of the healthcare industry is still using end-of-life (EoL) or end-of-support (EoS) operating systems. What should we understand? Hackers don’t necessarily need a sophisticated plan to break into networks and cause significant disruption. They just need to find one of the many unguarded doors.
The heart of this attack boils down to the fundamental cybersecurity principle of visibility and vulnerability management: robust cyber exposure management is non-negotiable. Healthcare organizations must broaden their scope of visibility across their entire ecosystem of devices and support services, to conduct holistic risk assessments – particularly of the systems that directly enable the operation of healthcare services, whether they are is a hospital, clinic or outpatient service.
A comprehensive strategy will proactively reduce all risks, consolidate vulnerabilities, block threats and protect the entire attack surface. Every asset, from building management systems to connected medical devices, must be seen, protected and managed.
What responses from the authorities?
In France, we know that progress is possible, when we know the number of hospitals victims of cyberattacks in 2023. Organizations can, however, find support in the strategic plan to combat cyberattacks, announced in December 2023 by the State . . A first tranche of financing of more than €230 million is allocated until 2024, for an amount which could reach up to €750 million in 2027, indicate several sources. In the United States, establishments can count on the strategic plan of the Health Sector Coordinating Council, the HIC-SP. He also finds the state of cybersecurity in the health sector worrying. And its goal is to return it to a stable condition by 2029.
Organizations, regardless of country, must consider these strategic plans and defined cybersecurity performance objectives. They not only highlight the imperative of managing vulnerabilities, but also the extent of the network of the care pathway (pharmaceutical products, medical device manufacturers, investors, healthcare providers and policy makers). Suppliers and service providers must, given the high risk they pose to healthcare establishments, consider cybersecurity as an issue for their own survival.