Risk management in healthcare organisations: Tools and strategies
The healthcare sector in India is one of the fastest-growing sectors in the country, estimated to reach a market size of US$ 367 billion by 2023 and US$ 638 billion by 2025. Alongside supportive government policies, accelerated technology adoption and the uptake of emerging technologies across all geographies have been key drivers of growth for the sector. From AI and ML to robotics, IoT, nanotech and 3D printing, Indian health-tech is poised to rank among the best in the world. The pandemic played a critical role in accelerating digital adoption among smaller, non-urban health service providers, making digital care accessible to the masses. Between March 1 and May 31, 2020, during the national lockdown, up to 5 crore Indians turned to virtual channels for some of their healthcare needs, a 500% increase in online doctor consultations. As many as 80% of those users were trying online consultation for the first time, and 44% were from non-metro cities. These numbers have kept rising since.
In today's era of rapid digitization, healthcare organizations face rising levels of cybersecurity threat. The first nine months of 2022 alone saw more than 18,000 newly published vulnerabilities, roughly 65 every day. Because of its sheer size and potential, the Indian healthcare sector has become one of the primary targets of cybercriminals worldwide. In 2021, the number of cyberattacks on the Indian healthcare industry was the second highest globally, with 7.7% of all incidents in the sector occurring in the country.
On average an organization takes 205 days (roughly seven months) to patch a vulnerability. Attackers, by contrast, can have a working exploit for a newly disclosed vulnerability within as little as three days, so a flaw that stays unpatched for months is effectively an open door; this goes a long way towards explaining the unprecedented increase in healthcare breaches. Greater internet penetration and digital transformation are helping healthcare providers deliver better services, but they have also substantially expanded the attack surface. Healthcare organizations therefore urgently need to become more proactive about risk management. The problem, however, is not limited to this aspect.
The challenges
Regulators such as the US FDA require medical device manufacturers to disclose and patch vulnerabilities, but the lengthy review processes involved can discourage manufacturers from doing so. Even when a security patch is released for a medical device, deploying it is time-consuming and expensive, and may require the hospital to pay the vendor to send an engineer on-site. Some organizations also delay patching for fear of causing an outage or downtime on critical-care devices, even though they have subscribed to vendor services for ongoing maintenance and patching.
In March 2022, Access:7, a research report published by Vedere Labs, identified seven vulnerabilities in Axeda, a remote access and management solution for connected devices that is integrated into more than 150 different medical and IoT devices. Because of Axeda's widespread use, the vulnerabilities affected more than 100 medical device manufacturers. The findings also showed that supply-chain risk arises when one vendor integrates vulnerable software from another. Since it is very difficult for a healthcare organization to gain visibility into such transitive dependencies, a software bill of materials (SBOM) is one way to obtain it, although it is not a complete solution.
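The following is an added example, not code from the report or from any vendor, of how an SBOM gives the visibility the paragraph describes: each device's SBOM is checked for a component whose version is below the advisory's fixed version. The SBOMs follow the CycloneDX JSON shape but are constructed; the component name "remote-agent" stands in for an embedded agent such as Axeda, and all versions and the fixed-version threshold are hypothetical rather than the real Access:7 details. It also shows the caveat from the text: a device with no SBOM is reported as unknown, not as clean.

```python
"""Added example: check device SBOMs against an advisory for a vulnerable
embedded component. SBOMs are constructed in a CycloneDX-like JSON shape;
component names, versions and the fixed version are hypothetical."""
import json
import re

# Constructed SBOMs keyed by device name. None models a device whose vendor
# supplied no SBOM at all (the "not a complete solution" case).
SBOMS = {
    "infusion-pump-12": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "remote-agent", "version": "6.9.1"},
            {"type": "library", "name": "openssl", "version": "1.1.1k"},
        ],
    }),
    "mri-console-1": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "remote-agent", "version": "6.9.3"},
        ],
    }),
    "lobby-camera-3": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "busybox", "version": "1.31.0"},
        ],
    }),
    "hvac-controller": None,
}

# Hypothetical advisory: component name -> first version that contains the fix.
ADVISORY = {"remote-agent": "6.9.3"}


def version_key(version):
    """Turn '6.9.1' or '1.1.1k' into a comparable tuple of leading integers."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def affected_components(sbom_json, advisory):
    """Components in one SBOM whose version is older than the advisory's fix."""
    bom = json.loads(sbom_json)
    hits = []
    for comp in bom.get("components", []):
        fixed = advisory.get(comp.get("name"))
        if fixed and version_key(comp.get("version", "0")) < version_key(fixed):
            hits.append((comp["name"], comp["version"]))
    return hits


def scan(sboms, advisory):
    """Map each device to its affected components; None when no SBOM exists,
    because 'no SBOM' must be reported as unknown rather than as clean."""
    return {
        device: (None if sbom is None else affected_components(sbom, advisory))
        for device, sbom in sboms.items()
    }


if __name__ == "__main__":
    for device, result in scan(SBOMS, ADVISORY).items():
        status = "unknown (no SBOM)" if result is None else (result or "no known issue")
        print(device, status)
```

In practice the advisory side would come from a vulnerability feed and the SBOMs from each vendor; the point the example makes is that without the SBOM the hospital has no way to know the pump ships the same embedded agent that the advisory covers, and that a missing SBOM leaves the device in an unknown state that still needs follow-up with the vendor.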
An unfortunate aspect of the current situation is the sheer number of vendors that have not addressed critical vulnerabilities brought to light by reports such as Access:7. Research teams routinely practise responsible disclosure with government agencies and the affected vendors, yet it remains hard to find ways to speed up vendors' acknowledgement of, and response to, reported vulnerabilities. Where researchers struggle to convey the severity of a finding to a vendor, the healthcare organizations that buy from that vendor must hold it accountable.
Prevention and mitigation
Since it is always better to be safe than sorry, healthcare organizations must own the risk they face. Rapid digitization has created complex IT/OT environments spanning IT systems, medical devices and IoT devices such as security cameras, HVAC and building automation systems, so responsibility is shared among multiple stakeholders across multiple departments. When it comes to risk management, however, mastering the fundamentals and taking small but impactful steps is what makes a significant difference.
Basic measures such as maintaining an asset inventory, finding and fixing misconfigurations and patching vulnerabilities go a long way towards reducing risk. Some risks cannot be remediated, however, and there the focus should shift to mitigations that shrink the attack surface. For healthcare organizations, the most effective of these is proper network segmentation of medical assets: confining devices to designated segments limits what can reach them, making it much harder for a threat actor to get to an exploitable vulnerability in the first place.
Healthcare organizations should use a three-pronged approach to prioritize the risk of their medical devices. First, assess asset criticality: how important the device is to healthcare delivery. Second, assess the dominant risk: the highest potential impact to the organization if the device is compromised. Third, understand and acknowledge the auxiliary risk: the exposure of the surrounding attack surface, such as which other systems can reach the device.
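As an added example (not the author's model or any vendor's product), the script below applies the three-pronged approach above to a small constructed inventory and shows how the segmentation described earlier changes the outcome. Criticality and impact are hypothetical 1 to 5 scales, the scoring formula is illustrative, and the assets, segments and allowed-flow rules are all made up. Exposure (the auxiliary risk) is computed from the flow rules as the number of segments that can reach a device's segment and whether any of them is untrusted, so the same device ranks differently on a flat network and on a segmented one.

```python
"""Added example: rank medical assets by criticality, impact and exposure, and
show how a segmentation change lowers the exposure term. All assets, segments,
flow rules, scales and the scoring formula are constructed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    segment: str       # network segment the device sits in
    criticality: int   # 1-5: importance to care delivery (hypothetical scale)
    impact: int        # 1-5: worst-case impact if compromised (hypothetical scale)
    unpatched: int     # known vulnerabilities not yet remediated


# Constructed inventory; these are not real devices.
INVENTORY = [
    Asset("infusion-pump-12", "clinical", 5, 5, 2),
    Asset("mri-console-1", "clinical", 4, 5, 3),
    Asset("lobby-camera-3", "building", 1, 2, 1),
    Asset("hvac-controller", "building", 2, 3, 1),
    Asset("billing-db", "corp", 3, 4, 0),
]

UNTRUSTED = {"internet", "guest_wifi"}   # entry points an attacker starts from

# Allowed segment-to-segment flows: source -> set of destination segments.
# Flat network: guest Wi-Fi and building automation can reach clinical devices.
FLAT_NETWORK = {
    "internet": {"corp"},
    "guest_wifi": {"corp", "building", "clinical"},
    "corp": {"clinical", "building"},
    "building": {"clinical", "corp"},
    "clinical": {"corp"},
}

# Segmented network: guest Wi-Fi isolated, nothing may initiate into clinical.
SEGMENTED_NETWORK = {
    "internet": {"corp"},
    "guest_wifi": set(),
    "corp": {"building"},
    "building": set(),
    "clinical": set(),
}


def reachable_from(flows, start):
    """Set of segments reachable from `start` by following allowed flows (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for dst in flows.get(src, ()):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def exposure(flows, segment):
    """(number of other segments that can reach `segment`, whether any is untrusted)."""
    sources = {s for s in flows if s != segment and segment in reachable_from(flows, s)}
    return len(sources), bool(sources & UNTRUSTED)


def risk_score(asset, flows):
    """Hypothetical score: criticality x impact (dominant risk) scaled by the
    exposure of the segment (auxiliary risk). Assets with nothing left to
    patch score 0 so the ranking only lists actionable items."""
    if asset.unpatched == 0:
        return 0
    n_sources, from_untrusted = exposure(flows, asset.segment)
    return asset.criticality * asset.impact * (1 + n_sources) * (2 if from_untrusted else 1)


def prioritize(inventory, flows):
    """Assets ordered from highest to lowest risk score as (score, name) pairs."""
    return sorted(((risk_score(a, flows), a.name) for a in inventory), reverse=True)


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        print(label, prioritize(INVENTORY, flows))
```

On the flat network the infusion pump tops the list because four segments, two of them untrusted, can reach it. After segmentation nothing can initiate a connection into the clinical segment, the pump's exposure term drops to its floor, and the HVAC controller on the still-reachable building segment moves to the top, which is exactly the kind of re-prioritization the auxiliary-risk prong is meant to surface.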
Visibility is critical
Visibility is a critical component of managing cybersecurity risk. Just as a doctor will not operate on a patient without first running scans, an organization must first gain visibility into the vulnerabilities in its network before it can identify and fix the gaps. Visibility lets organizations discover their assets together with the context needed to prioritize remediation and mitigation, which makes preventive measures more effective and keeps threat actors at bay.
Disclaimer
Views expressed above are the author’s own.