Nicola Altavilla, Country Manager Italy & Mediterranean Area of Armis, analyzes the situation relating to cyber attacks on healthcare facilities.
If there had already been a 138% increase in cyber attacks in 2022, 2023 confirmed this worrying trend, with a 40% increase in incursions in the first half of the year alone. In particular, many healthcare companies were victims of attacks throughout Italy, with 14.5% of attacks, a percentage which is second only to non-generalized campaigns (Multiple Targets) which account for 20% of total incursions.
Bad actors’ tactics will continue to become more sophisticated and cyberattacks will become more frequent, further complicating the threat landscape surrounding healthcare providers.
Cybersecurity and healthcare facilities: ransomware attacks
Ransomware attacks no longer just use a random tactic through phishing, but continue to inject environments with targeted footholds and more complex attacks. While the Ransomware as a Service (RaaS) and more “simple” ransomware attacks will continue to hit the industry, we will see an increase in much more complex ransomware and other cyberattacks targeting major healthcare providers in particular. In general, the trend is an increase in the “Severity” of attacks, i.e. the severity of the consequences that victims face, such as huge economic losses, large quantities of stolen data or blocking of operations.
Generative AI
Generative AI is also a focus of healthcare delivery organizations (HDO) security and IT professionals, and several entities are establishing committees to review the capabilities of AI for offensive purposes. defensive and clinical assistance. As the healthcare industry incorporates and innovates generative AI solutions, so too will adversaries.
The tools available to security and IT professionals are also available to malicious actors: just think of ransomware as a prime example of what can happen when a security feature – in this case encryption – is turned upside down and used in a offensive. The same technology that keeps the bad guys out is being used to keep the good guys from accessing their files. AI will help advance patient care, but we will also begin to see the technology increasingly being leveraged to conduct more sophisticated attacks more frequently. In the new year, it will be critical for security and AI professionals to accelerate the use of this technology, its governance and security to better protect their organizations in light of this evolving threat.
An increased focus on medical device safety will continue to spread across regulations globally.
We have seen the US Food and Drug Administration (FDA) issue these mandates, such as the more recent Refusal of Acceptance (RTA) policy, the UK National Health Service (NHS) with its Data Security and Protection legislation Toolkit (DSPT) and other countries in Europe develop similar guidelines, such as the National Cybersecurity Agency (ACN) commitment. I believe we will also see a renewed focus on the software bill of materials (SBOM), to provide a clear understanding of the software components used to create various assets. We will continue to see further developments and specifics regarding medical device security as regulations more focused on cybersecurity and critical infrastructure are developed.
Cybersecurity and healthcare facilities
While there is still work to be done and execution remains to be seen and tweaked, these policies are a big step forward in requiring cybersecurity measures to be built into products and that organizations regularly evaluate their security posture and devices. As with all new regulations, here too there are emerging, but necessary, issues. After all, a plan is only as good as its execution. In this case, a critical plan that moves the industry forward.
Healthcare providers will continue to modernize their security strategies, prioritizing segmentation and accurate defense in 2024.
Segmentation will remain one of the primary methods for increasing healthcare cybersecurity. For this reason, cybersecurity and IT professionals from HDO (Healthcare Delivery Organizations) will look to modernize their strategy to begin segmenting the network in 2024, if they have not already done so. This is a massive and difficult project that can last many years. However, it is the project that will maximize risk reduction in a healthcare environment and will be a pillar of a proactive risk reduction strategy.
The key to these projects is proper planning and understanding that a segmentation project can be similar to a journey with multiple phases: discovey/inventory, mapping of behaviors and communications, creation of policies, definition of prioritization, test/pilot, deployment and automation. A growing trend is a risk-based prioritization approach: instead of a traditional method of segment lists created by manufacturer or type, healthcare organizations can achieve much faster ROI by identifying and prioritizing segmentation of critical vulnerable devices, especially patient-facing ones, to achieve maximum risk reduction upfront.
Additionally, functionality will begin to emerge for newer medical devices defense-in-depth. More clearly delineated security documentation and posture, built-in security features, support for security software and solutions, and retiring legacy systems in favor of new, more secure devices.
Medical device manufacturers will develop additional partnerships and security offerings.
There’s no word yet on how effective this initiative will be, but whether it’s professional services, technical capabilities, or new devices, we see medical device manufacturers starting to focus on cybersecurity initiatives for their new devices. device. In the coming year, I believe medical device management service providers will focus more on medical device security alert remediation services. Healthcare organizations will also make greater use of MSSPs and partner or vendor services to help scale their internal operations. This approach can help you offload tasks, reduce risk more quickly, and share information and best practices for maximum effectiveness.
The cybersecurity skills shortage will increase.
AI is increasingly being incorporated into technology stacks, particularly as cybersecurity vendors seek to harness its innovative power. AI will help streamline tasks, but organizations, particularly smaller and less resourced healthcare organizations, will continue to suffer from a shortage of cybersecurity skills and experience. A key recommendation is to leverage security frameworks to help build a systematic approach to improving your security posture with prioritized security efforts. It is critical to anchor the program in a framework-based approach such as the NIST Cyber Security Framework (CSF), with periodic reviews and gap analyzes to inform priorities and efforts for the coming year.