
The healthcare industry is under cyber attack and is in need of protecting itself

Israel VC Company Team

Zohar Rozenberg

July 24, 2019

Over the past few years, Elron has shifted its main investment focus to cyber security, which has resulted in 10 investments in cyber security startups thus far. One of them, Secdo, was already acquired last year by Palo Alto Networks. Cyber security touches almost every type of technology and every sector, so the cyber portfolio at Elron deals with many different industries where cyber security solutions are needed. One of these spaces is securing medical devices and, more generally, the healthcare sector. Elron has identified a big opportunity for innovative cyber security solutions for the healthcare industry. About 2 years ago, Elron also identified that the timing was right to invest in that space and made an investment in a startup called Cynerio, which has since progressed phenomenally. We are keeping our eye on this space and the market, and we are continuously monitoring developments.

We chatted with Mr. Lenny Levy, an accomplished Chief Information Security Officer (CISO) in the US healthcare sector, to get his views on US healthcare cybersecurity past, present and future.

How did healthcare systems become so vulnerable?

For years, providers’ investment in cybersecurity lagged behind other industries, leaving many healthcare systems more vulnerable to cyber-attacks. The historical lack of investment was due to factors including:

·      Other industries (e.g., banking, retail) were seen as more of a target.

·      Cybersecurity was viewed as a technical vs. strategic issue.

·      Healthcare economics limit the funds available for investment.

·      The impact of digital transformations (e.g., Electronic Health Records) on cybersecurity was not fully considered.

·      Focus on compliance instead of security.

In reality, healthcare providers are an attractive target for a number of reasons:

·      Hold huge volumes of sensitive patient data that can be worth more than payment card data on the dark web.

·      Contain valuable intellectual property (e.g., clinical trial data).

·      Profitable targets for ransomware and other cyber-attacks due to reliance on technology.

How would you say we’re doing today?

In recent years, healthcare providers have found themselves under almost nonstop cyber-attacks, forcing them to address incidents ranging from data breaches to ransomware. Events like the WannaCry attack, which shut down portions of the national health services in the UK for hours, have opened the eyes of healthcare leaders to the risk. Now cybersecurity is a board issue, and most large healthcare systems are elevating the CISO role and ensuring they have an appropriate plan for addressing cybersecurity risks. However, some of the smaller providers are still lagging behind due to resource availability.

Today only a subset of providers have the right personnel to deal with the issue effectively. It takes significant leadership involvement and a skillful information security team to create and execute an effective cyber-strategy. Gaps in staffing exist since many medical institutions aren’t prepared to pay the high cost of qualified personnel. While this challenge exists in other industries, it is a more pressing issue due to broader healthcare economics.

Factors like revenues going down and industry costs going up are not helping organizations address the challenges faced. Many healthcare providers work with minimal profit margins, leaving them with insufficient resources to invest in cybersecurity. However, the revenue squeeze has resulted in frequent mergers and acquisitions resulting in larger organizations that can better address cybersecurity at scale.

Can you explain more about medical devices in the context of cybersecurity?

Connected medical devices have become much more prevalent as a result of the Internet of Things (IoT) revolution in healthcare. Instead of being constructed as a standalone device, medical devices today are computers with specialized hardware wrapped around them. Like any other computer, they can be misconfigured, contain security vulnerabilities and be exposed to cyber-attacks. A large percentage of the medical devices in use today have been in place for years and were built without cybersecurity considerations in mind. In some cases, security features were overlooked when devices were developed since they are not part of the device’s core functionality. In addition, devices were not built to support common security mechanisms like anti-virus, regular patches, and secure configurations.

Many of the medical devices are running old and obsolete operating systems. Vendors are reluctant to update and patch the devices frequently due to the risk of creating problems with clinical functionality and the expensive validation process. Previously, the FDA certification process was used as an excuse to avoid updating known security issues on devices. However, post-market guidance issued in 2017 clarified that manufacturers should take a more active approach to address cybersecurity risks.

Still, cybersecurity is not the main focus of device manufacturers, who may be more focused on the clinical operations of their devices. As a result, healthcare providers will need to take an active role to secure the devices in their environments.

What can be done in the meantime to reduce the risk from cyber-attacks on medical devices?

One approach is to limit what can communicate with medical devices over the network through segmentation. However, this is not always possible due to cost, complexity, and requirements for clinical processes.

To address these risks more holistically, health system CISOs and clinical engineering departments are looking for other solutions to gain better visibility into their network and have a better understanding of the potential threats. Providers are increasingly adopting solutions like the one provided by Cynerio, which passively monitors the network, can provide visibility to clinical assets on the network, assess medical device risk, and detect anomalies to reduce the likelihood and impact of a cyber-attack.

Is there any reason to be optimistic?

Of course. While the current state needs improvement, there are opportunities to share knowledge and learn from others. For example, the healthcare sector can learn from more cybersecurity-aware industries such as financial services. In addition, recently released industry-led guidance like Health Industry Cybersecurity Practices (HICP) is helping to spread knowledge about the threats to healthcare organizations and practical approaches for addressing them.

Fully mitigating cyber risk in the healthcare sector is not going to happen overnight. It will take time to improve the industry’s resiliency to cyber threats, but at least boards and industry leaders are taking the problem seriously and putting initiatives in place to drive the improvements required.