Cybersecurity in healthcare: getting the basics right as bigger threats loom

 



Medical devices and their related systems hold vast amounts of data, and the potential threat surfaces are continuing to expand.



According to the HIPAA Journal, 2024 was the worst ever year in terms of breached healthcare records, with a 9.96% rise on 2023. Image credit: Andrew Angelov via Shutterstock

The healthcare industry is second only to finance in the volume of sensitive data held.

Therefore, the onus is on medical device manufacturers, their associated healthcare systems and related partners to understand the effectiveness of their cyber risk posture and adapt as necessary.

The safeguards third-party providers have in place are a further cybersecurity consideration, a matter starkly evidenced by last year's ransomware attack on Synnovis, a pathology provider to the UK National Health Service.

Phishing emails and a failure to use multi-factor authentication (MFA) also remain frailties ripe for exploitation, as evidenced by last year's cyberattack on UnitedHealth Group subsidiary Change Healthcare. Although UnitedHealth is the largest health insurer in the US, holding the personal data of around 190 million Americans, it was still breached because a remote-access portal in its environment lacked MFA.

According to Deloitte research, 68% of medical devices will be connected in 2025. Many of these devices, such as smartwatches and wearable sensors, streamline workflows and improve patient outcomes.

However, the connectedness of these innovations also amplifies the security risks around patient data, because the devices rely on wireless communication and cloud-based data storage, both of which extend the attack surface well beyond the device itself.

Add in a slew of incoming cybersecurity regulation globally, and the prospect that quantum computers will eventually break the public-key encryption that protects data today, and cybersecurity in the medical device and broader healthcare space can feel like an unending pursuit, one that demands organisations' security posture and cybersecurity awareness be frequently monitored and reassessed.

Current cybersecurity rationale for medical devices

According to Mohammad Waqas, chief technology officer for healthcare at the cyber exposure management and security company Armis, the current trend in cybersecurity for medical devices centres on prioritising findings and making them actionable.

Medical device companies are beginning to think about the implications of other elements of their attack surface, such as their third-party risk or the risk of the ecosystems they operate within.

“While medical devices are going a little bit more into the actionability remediation phases, the other attack vectors are coming into scope for organisations as well,” explains Waqas.

“Medical device companies are acknowledging the need for a much more holistic approach beyond medical devices.”

A lot of the conversations around medical device security are 'shifting left', Waqas says: healthcare delivery organisations and providers increasingly want to understand the security of a medical device before they connect it to their network, and even before the device is purchased.

According to Waqas, this shift has been influenced by regulation such as the European Union's Artificial Intelligence Act, which is intended in part to foster a trustworthy ecosystem for modern medical devices. Such regulation is leading device manufacturers to think about cybersecurity from the outset and to design and build their devices accordingly.

Regulation’s impact on cybersecurity protocols

Global medical device regulations that have appeared in recent years, such as the European Union's Medical Device Regulation (MDR), provide actionable hardening recommendations for medical devices, building in not only support for security controls but a mandate that devices can be patched once they are in the field.

Waqas comments: “What I love about the regulations we’re seeing come up, is that they don’t only consider security requirements when the device is entering the market; they also have mandates if there’s a vulnerability that gets released afterwards.

“For example, there appears to be a move now by the regulation to say, if there is an incident, then we need the vendors to step up and be much more involved and have a process on how they’re going to help maintain the security posture of their medical devices.”

On the regulatory front, there is also a wave of EU digital regulation that brings medtech companies into scope.

Christopher Jeffery, partner and data protection specialist at law firm Taylor Wessing, notes that one of the key requirements of the Data Act, which applies from 12 September 2025, is that users must have access to data uploaded to and generated by connected devices, and that manufacturers must obtain consent before using that data for their own purposes, such as product improvement or training AI models.

However, Jeffery notes that while some companies are aware of the Data Act, it generally seems to be flying below the radar compared to the noise around AI regulation.

Regarding other regulation that factors in cybersecurity for medical devices, the NIS2 Directive is already in force, albeit with somewhat patchy national implementations across the EU.

Jeffery explains: "It imposes general cybersecurity requirements including supply chain resilience and reporting of security incidents for 'essential and important sectors' which include medical devices, in vitro diagnostic devices and medical devices which are critical in public emergencies."

Threat mitigation for cloud-based data in healthcare

Autolomous, the developer of Autolomate, a cloud-based platform that supports cell and gene therapy workflows, built a range of security controls into its technology from the outset.

Compliant with the ISO/IEC 27001 standard, the company undertakes regular assessments against a wide range of security threats and has its own procedures for threat mitigation, says Autolomous CEO and co-founder Alexander Seyf.

Chief among these is the company's preference to deploy its platform with single sign-on, so that clients manage their own access through their existing identity provider. Making every platform environment single-tenant, so that only the client organisation ever has access to it, adds a further layer of isolation.

These factors mean that clients can set granular permissions around who has access to data, says Alexa Crăciunescu, head of product management at Autolomous, and ensure a proper segregation of duties around the platform's data.

In addition to these platform design principles, Autolomous uses distributed ledger technology (DLT), so that the record of every action performed within the system is immutable.

“Everything is auditable, from the platform access to any changes on permissions,” says Crăciunescu.

"Every time something is recorded, we trace who it was done by and at what time, and everything is also forever available in terms of the data."
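The property Crăciunescu describes, a record of every access and permission change that cannot be quietly rewritten, does not require a full ledger to illustrate. The following is an added example written for this article, not Autolomous's code or a description of how Autolomate is built: a hash-chained audit log in which each entry commits to the previous entry's digest, plus a check that shows which attacks the chain alone catches and which one (silent truncation) needs the head digest anchored somewhere the operator cannot rewrite, which is the role a ledger plays. All event data is constructed for the example.

```python
"""Tamper-evident, append-only audit log built as a hash chain.

Each entry's digest commits to its own fields and to the previous entry's
digest, so editing or reordering any past entry breaks every link after it.
Anchoring the head digest externally (a ledger, a signed timestamp, a second
party) is what catches truncation, which the chain alone cannot see.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # prev_hash of the very first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    actor: str
    action: str
    timestamp: str  # ISO 8601, supplied by the caller
    prev_hash: str
    digest: str


def compute_digest(seq, actor, action, timestamp, prev_hash):
    """SHA-256 over a canonical JSON encoding so identical content always hashes identically."""
    fields = {"seq": seq, "actor": actor, "action": action,
              "timestamp": timestamp, "prev_hash": prev_hash}
    canonical = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    def __init__(self, entries=None):
        self.entries = list(entries or [])

    def head(self):
        """Digest of the latest entry; this is the value to anchor externally."""
        return self.entries[-1].digest if self.entries else GENESIS

    def append(self, actor, action, timestamp):
        seq = len(self.entries)
        prev = self.head()
        entry = Entry(seq, actor, action, timestamp, prev,
                      compute_digest(seq, actor, action, timestamp, prev))
        self.entries.append(entry)
        return entry

    def verify(self, anchored_head=None):
        """Return (ok, index). index is the first bad entry, or len(entries) when the
        chain is internally consistent but does not end at the anchored head."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = compute_digest(e.seq, e.actor, e.action, e.timestamp, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or not hmac.compare_digest(expected, e.digest):
                return False, i
            prev = e.digest
        if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
            return False, len(self.entries)
        return True, None


def build_sample_log():
    """Constructed sample events for the demonstration (not real platform data)."""
    log = AuditLog()
    log.append("alice", "login", "2025-01-10T09:00:00Z")
    log.append("alice", "grant_role:reviewer->bob", "2025-01-10T09:05:00Z")
    log.append("bob", "view_record:B-1001", "2025-01-10T09:07:00Z")
    return log


def with_edited_action(log, index, new_action, recompute_digest):
    """Copy of `log` with entry `index` rewritten, as an insider with write access to the
    store might do. recompute_digest=True models an attacker who can also rehash the row."""
    entries = list(log.entries)
    old = entries[index]
    digest = (compute_digest(old.seq, old.actor, new_action, old.timestamp, old.prev_hash)
              if recompute_digest else old.digest)
    entries[index] = Entry(old.seq, old.actor, new_action, old.timestamp, old.prev_hash, digest)
    return AuditLog(entries)


def truncated(log, keep):
    """Copy holding only the first `keep` entries: the chain stays valid, only the anchor catches it."""
    return AuditLog(log.entries[:keep])


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log.head()  # in production: published to the ledger / signed by a second party
    print("intact:", log.verify(anchor))
    print("edited, digest stale:", with_edited_action(log, 1, "grant_role:admin->bob", False).verify(anchor))
    print("edited, digest rehashed:", with_edited_action(log, 1, "grant_role:admin->bob", True).verify(anchor))
    print("last entry deleted, no anchor:", truncated(log, 2).verify())
    print("last entry deleted, anchored:", truncated(log, 2).verify(anchor))
```

The point of the last two lines is the practitioner's caveat: an append-only store only proves what it contains, not what was removed from its end, so "immutable" in practice means the current head digest is regularly committed to something outside the platform operator's control.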

Autolomous also conducts disaster recovery exercises every six months, which demonstrate that the company can restore systems to a defined recovery point.

“We do backups ourselves. We have the backups from our suppliers, and clients can choose the frequency at which they want their data to be backed up,” says Crăciunescu.

Is healthcare preparing for the future threat of 'Q-Day'?

For certain classes of problem, quantum computers promise computational power far beyond what high-performance classical computers can achieve, and ever more capable quantum processors continue to emerge. IBM's Quantum Heron, for example, released in November 2024, is touted as delivering a 50-fold speed improvement over its predecessor, which IBM had already claimed could outperform classical simulation on some tasks by orders of magnitude.

A sufficiently large, fault-tolerant quantum computer running Shor's algorithm could break RSA and elliptic curve cryptography, the public-key methods that protect most data in transit today. Symmetric encryption such as AES is far less affected and needs only larger keys, so the urgent problem is key exchange and digital signatures rather than bulk encryption.

In preparation for 'Q-Day', as it is commonly referred to by those in the cybersecurity field, the US National Institute of Standards and Technology (NIST) finalised its first post-quantum cryptography (PQC) standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, and ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) for digital signatures, all designed to withstand attack by a quantum computer. NIST's transition plan deprecates the current quantum-vulnerable public-key algorithms from 2030 and disallows them from 2035, roughly ten years from now.

Currently the businesses most actively thinking about PQC are those that sell to the US government, but Ben Packman, chief strategy officer at PQShield, which co-authored NIST’s standards over an eight-year period, expects that rules around PQC will soon begin filtering through healthcare industry bodies.

Yet while health systems and medical device manufacturers may be waiting to be told by regulators before creating their PQC roadmap, PQShield's view is that, since the standards already exist, those in the space needn't wait.

“Now is the time for medical device manufacturers to plot a roadmap towards implementing the PQC standards,” says Packman, “especially by those who manufacture embedded, connected medical devices designed to have a long shelf life of five to ten years or more.

“Medical data has some of the longest protection timelines in the world which means, as potential custodians of this data, medical device manufacturers should consider updating to quantum-proof cybersecurity a critical priority over the next few years.”

Packman also highlights that adopting PQC is not a 'like-for-like' swap. PQC keys and signatures are considerably larger than their RSA and ECC counterparts (an ML-KEM-768 public key is 1,184 bytes against 32 bytes for X25519, and an ML-DSA-65 signature is 3,309 bytes against 64 bytes for ECDSA P-256), so the switchover will take time and change memory, bandwidth and power budgets. Design teams will need to reassess their hardware to accommodate PQC, and new products currently in the development cycle that are likely to be in the field after 2030 should be designed with PQC in mind from the start.

According to Packman, one of the big issues that health systems will face is reconciling the need to update to PQC with the broader cybersecurity vulnerabilities they are well-known to have.

“Fractured, legacy IT systems mean that healthcare is a frequent target of attacks, and poorly secured medical devices only compound this,” says Packman.

“While medical device manufacturers look to adopt PQC, this is also an opportunity for health systems at large to update legacy systems and patch the broader vulnerabilities that make data vulnerable to attack. Therefore, migrating to PQC now gives a clear competitive advantage over those without a transition plan.”

Repeating the same mistakes in cybersecurity appears to be a recurrent issue, even as medical devices become ever more connected and software-driven.

James Rawlinson, director of health informatics at the Rotherham NHS Foundation Trust, recently raised security concerns that organisations are unprepared to migrate to Windows 11 when free support for Windows 10 ends in October 2025, because a large proportion of their hardware is too old to run it.

ThreatAware CEO Jon Abbott notes that once free support ends, devices running Windows 10 will no longer receive automatic security updates, making them more vulnerable to cyber threats.

Armis's Waqas calls for a "back to basics" approach to cybersecurity that shores up the fundamental principles of defence, such as having MFA in place on every potentially vulnerable system and application.
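The Change Healthcare breach above turned on a portal that accepted a password alone. As an added illustration of what the server side of a basic second factor involves (this is example code written for this article, not from Armis, UnitedHealth or any vendor named here), the following implements the TOTP scheme used by authenticator apps: RFC 4226 HOTP under an RFC 6238 time counter, a small clock-drift window, constant-time comparison, and a per-user "last accepted counter" so that a phished or shoulder-surfed code cannot be replayed. The test secret is the one from the RFC 6238 appendix; no real credentials are involved.

```python
"""Server-side TOTP (RFC 6238) second factor: HMAC-based one-time codes with a
small clock-drift window, constant-time comparison and one-use enforcement."""
import base64
import hashlib
import hmac
import struct


def secret_from_base32(text):
    """Decode the base32 secret from an otpauth:// provisioning URI (spaces and case tolerated)."""
    s = text.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Per-user verifier. `window` is how many time steps of clock drift to tolerate on
    either side; `last_counter` guarantees a code is accepted at most once and never from
    a step earlier than the last successful login (replay protection)."""

    def __init__(self, secret, step=30, digits=6, window=1, algo=hashlib.sha1):
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self.last_counter = -1  # in production: persisted per user, updated atomically

    def verify(self, code, at):
        if not (code.isdigit() and len(code) == self.digits):
            return False
        base = at // self.step
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # already used, or older than a code we already accepted
            expected = hotp(self.secret, counter, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Secret and timestamps from the RFC 6238 test vectors (8-digit, SHA-1)
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = TotpVerifier(secret, digits=8)
    code = totp(secret, 59, digits=8)
    print("code at t=59:", code)                          # 94287082
    print("first use:", verifier.verify(code, 59))        # True
    print("replayed:", verifier.verify(code, 59))         # False
    print("next step:", verifier.verify(totp(secret, 1111111111, digits=8), 1111111111))  # True
```

Two things the code makes visible that a policy of "turn on MFA" does not: the drift window multiplies the number of codes a guesser can hit (with window=1 and six digits, three out of a million per attempt), so the verifier must sit behind a per-account rate limit; and TOTP does nothing against a real-time phishing proxy that relays a freshly entered code, which is why phishing-resistant factors (FIDO2/passkeys) are the stronger choice for externally reachable portals.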

Most organisations are indeed taking proactive steps to mitigate cyber threats and keep data secure, closely observing their threat posture so that adjustments can be made as necessary. There also appears to be a move by device manufacturers to bear in mind the broader risks presented by the systems their devices may be part of.

But at a time where headlines are made over companies being breached by phishing attacks, which have been around since the mid-90s, it seems reasonable to ask: how can the healthcare industry and those that operate within it, defend against more sophisticated cyber threats of the future, when large organisations are evidently still failing to get the basics right?
