The following is a guest article by Shankar Somasundaram, CEO at Asimily
Healthcare delivery organizations (HDOs) continue to be up against a fast-moving landscape trying to keep up with and mitigate cybersecurity threats to medical technology. But even setting aside the immense challenge of safeguarding Internet of Medical Things (IoMT) devices from increasingly sophisticated and frequent attacks, HDOs must also adapt to shifting cyber insurance practices and compliance mandates. All of these challenges are compounded by the budget and staff constraints facing most HDOs. To stay safe in 2024, understanding the current state of IoMT security and how to prioritize action is critical.
Here’s what HDOs should be prepared for in 2024:
Cyber Insurers will no Longer Absolve HDOs of their Responsibilities to Avoid Data Breaches
The days when holding cyber insurance amounted to a “get-out-of-data-breaches-free” card are dwindling. Cyber insurers are no longer interested in bearing more responsibility for insufficient cybersecurity than the HDOs themselves—and are revising their policies accordingly. In 2024, HDOs must watch for policy changes that include new and more specific security responsibilities under their cyber insurance policies, limits on cyber insurance coverage, and caps on insurance payouts in the aftermath of data breach incidents. While insurers will still share the brunt of breach-related costs, they are increasingly making it clear that HDOs must secure their systems and devices more effectively than most do now, and HDOs will bear more direct financial consequences if that security fails.
Forward-thinking technology and security leaders at HDOs can adapt by shifting their risk reduction investment away from cyber insurance and increasing in-house cybersecurity efforts. Considering that HDOs also face severe reputational damage if they allow a data breach—harm that cyber insurance cannot mitigate—prioritizing more effective cybersecurity can pay additional dividends compared to taking a more insurance-reliant strategy.
Government Regulations will make IoMT Devices more Secure, but HDOs will still Need to Provide their own Careful Protections
IoMT device manufacturers have not been held to any external mandates to deliver secure products. As a result, there are more than six vulnerabilities per IoMT device. Proactive manufacturer-led fixes are lacking: more than 40% of IoMT devices at their end-of-life stage had little to no security patches or upgrades. Quite relatedly, HDOs grappling with those countless vulnerabilities—largely in the absence of manufacturer support—were targeted by an average of 43 cyberattacks in 2023, according to a Ponemon Institute study. Almost half of those HDOs suffered a data breach.
Government requirements enforcing baseline security on medical devices have only recently arrived. The 2023 PATCH Act requires manufacturers to meet criteria for the cybersecurity and transparency of their products and to support them with security patches across their full lifecycles. In 2024, government intervention will continue. For example, the U.S. Cyber Trust Mark program scheduled for implementation at the end of 2024 will establish security standards for consumer-grade devices and may expand to healthcare-grade IoMT products. That said, HDOs must continue to proactively mitigate device vulnerabilities and tend to their own cybersecurity gardens; while legislation should help, it will not be a panacea for IoMT security risk.
HDOs will Shift from Basic Vulnerability Management to Risk-First Strategies
HDOs increasingly recognize that limited cybersecurity budgets can’t keep up with ever-growing cybersecurity risks. IoMT devices have thousands of vulnerabilities, and HDO cybersecurity teams only have the bandwidth to address a fraction of those risks each month. In response, HDOs are exploring strategies to efficiently reduce risk.
In 2024, look for more HDOs to adopt risk-first strategies—optimizing the effectiveness of their cybersecurity efforts by accurately prioritizing scarce team time to focus on vulnerabilities with the highest actual risk of exploitation. The good news for HDOs: only 5-10% of IoMT device vulnerabilities present real exploit risk based on their use case, network configuration, and attacker tendencies. With risk-first strategies, HDOs harness automation and visibility into their IoMT fleets to detect the most at-risk devices and harden those weak points, ensuring maximum bang for their cybersecurity investments.
HDOs will Revise their IoMT Device “Keep or Replace” Strategies
HDOs have a unique relationship with IoMT devices. Whereas cybersecurity teams in other industries can make their own decisions to swap out difficult-to-secure technology, HDO teams must consult clinicians and other stakeholders to ensure that a change won’t negatively impact patient care. As a result, HDO IoMT fleets are more heterogeneous and have many more vulnerable legacy devices than cybersecurity teams would prefer. The worst-case scenario of purchasing a replacement device only to discover that it also features major vulnerabilities is also a dreaded, but very real, possibility.
In 2024, expect HDOs to adopt more deliberate IoMT device “keep or replace” strategies that are backed by comprehensive and accurate risk assessments. Executed correctly, these strategies will reveal vulnerable devices that nevertheless pose no practical risk and should remain active, as well as those devices with risks too great to ignore. Improved assessment capabilities will also ensure that replacement devices are secure and can continue to deliver the usability, data quality, and real-time data delivery that HDOs require for operations and patient care.
Cybersecurity Staffing Shortages will Contribute to Risks
A 2023 study by ISC2 found that while the cybersecurity workforce has grown 10% in the last 12 months, the United States still faces a severe shortage of 4 million cybersecurity professionals. In 2024, that shortage will become an even greater risk factor for HDOs. Those without skilled cybersecurity personnel to implement and maintain effective protections (including AI-based security tools to prioritize risk) across their device fleets will be more vulnerable. HDOs must therefore prioritize cybersecurity staffing, or face the consequences of leaving their teams shorthanded.
Securing the Future
Undoubtedly, HDOs will continue to face significant challenges looking forward, with many hospitals and other facilities grappling with budget crunches and acute business pressures. Where boosting cybersecurity budgets to combat increased risks simply isn’t an option, look for HDOs to improve their visibility, vulnerability prioritization, and device management strategies to do more with less in 2024.
