June 15, 2023
Our nation’s critical infrastructure is facing an escalating threat of cyber attacks.[1] Although the government is taking steps to address the issue by implementing new cybersecurity measures and regulations, staying a step ahead of malicious actors intent on doing harm remains a challenge. The issue is especially acute in healthcare, where sensitive patient data and other assets have made the industry’s critical infrastructure a prime target for ransomware attacks.[2]
In March, the Biden administration released its new National Cybersecurity Strategy (“the Strategy”), which aims to better protect critical infrastructure by strengthening cybersecurity and technology governance and risk management.[3] The Strategy consists of five pillars and implicitly applies to the healthcare sector in two ways: it highlights improving the security of Internet of Things (“IoT”) devices, and it proposes shifting some responsibilities away from end users and toward software vendors and device manufacturers.[4]
“We must rebalance the responsibility to defend cybersecurity by shifting the burden for cybersecurity from individuals, small businesses, and local governments, and onto the organizations that are most capable and best positioned to reduce risks for all of us,” the White House said in a press release.[5]
Within the healthcare setting, IoT devices, also known as connected medical devices (“CMDs”), communicate directly with the facility’s network. Going forward, IoT makers and software vendors will be expected to assume more liability for the cybersecurity of their products once those products are deployed.[7]
Although the Strategy is still in the proposal stage, its priorities should serve as a reminder for hospital compliance officers, CISOs, IT managers, legal counsels and communications leads of the increased risk to their organizations and the imperative to bolster defenses if they are not already doing so.
Heightened Risks That Come with Digital Transition
For many healthcare officials, elements of the Strategy will be familiar from previous government directives, including the 2018 National Cyber Strategy.[8] As healthcare organizations have continued to transition toward new digital ecosystems, they are racing to beef up their cybersecurity to better safeguard patient data and prevent potentially devastating patient care impacts stemming from the operational disruption of ransomware events.
The need to act is urgent. More than two-thirds (70%) of respondents in FTI Consulting’s Healthcare & Life Sciences survey stated they have experienced a cybersecurity incident in the last 12 months. Among their top concerns were data access/exposure (60%), financial costs (52%) and patient care (44%).[9]
Others within the wider healthcare landscape have reasons for concern as well, including pharmaceutical companies and medical device manufacturers. Regulators understand the urgency. On December 29, 2022, Congress signed into law a federal omnibus spending bill that provides more funding to the U.S. Food and Drug Administration for approval and oversight of “cyber devices.”[10]
What This Means for Hospitals on a Practical Level
Hospital officials and others should take advantage of the tactical guidelines and tools in the Biden administration’s proposal. Here are three areas from the Strategy that apply:
- Enhanced public-private collaboration: The government wants to ensure that federal grant programs promote investment in a secure and resilient infrastructure. It also seeks to harmonize regulations to reduce the burden of compliance and improve threat intelligence capabilities and cyber incident reporting. All of this should benefit hospitals, which are already under significant pressure when it comes to reporting obligations.
- Privacy and security of personal data: The emphasis on data protection suggests that hospitals prioritize their cybersecurity programs to focus on long-term improvement in the areas of zero-trust architecture (more on this below), connected medical devices, and personal and health data.
- Third-party management: With the focus on mitigating the exposure that comes from third-party vendors, the Strategy offers guidance on how an organization can partner with product vendors to rebalance the burden of cybersecurity.
How Hospitals Should Protect Themselves Now
As the healthcare industry continues with digital transition, the imperative to reduce risk only grows. According to one study, “smart” hospitals will deploy 7.4 million CMDs around the world by 2026, representing an average of more than 3,850 devices per hospital. That is a total growth of 131% over 2021.[11]
Given this scale, hospitals and health systems should identify the organizational “crown jewels” they consider most at risk from a cyber attack. For many facilities, CMDs are the primary risk and should be evaluated to determine security control gaps. After completing a gap analysis, the findings should be incorporated into a comprehensive strategic cybersecurity roadmap. The goal is to identify and mitigate potential financial, legal, reputational and patient care impacts from ransomware and other cyber attacks.
As in other industries, organizational cyber hygiene, cybersecurity investments, crisis communications plans and other ongoing IT preparedness are essential to helping healthcare facilities protect themselves. Hospitals and healthcare facilities should have a plan in place for when a cyber incident happens. This type of situation often requires a response across the organization. Employees should practice these plans and know who is leading the decision-making process, what the backup plans are and how these decisions are being communicated to all. These efforts are also at the heart of creating a culture of IT security accountability across our nation’s full economy, which is a pillar of the Strategy.
Getting Ahead of the Pack
While the stakes are high for protecting critical infrastructure, no organization can eliminate all cybersecurity risks. Still, healthcare organizations in particular can more effectively protect themselves against common cyber threats by implementing and maintaining zero-trust architecture (“ZTA”). Based on zero-trust principles, the ZTA framework represents a departure from a traditional “castle and moat,” perimeter-based cybersecurity strategy. It applies to all devices, both corporate and personal, used to access internal networks. As an end-to-end solution, ZTA encompasses identity, credentials, access management, operations, endpoints, hosting environments and the interconnecting infrastructure.
Converting to a ZTA framework can be complex, and its outcome often reflects how strongly an organization views addressing cyber risk as part of its overall business mission. Though ZTA is not mentioned in the Strategy per se, from the current administration’s perspective, there is no question that all industries should do their part in helping keep our critical infrastructure secure.
Kelly Miller, Managing Director, Crisis Communications, and Sara Sendek, Managing Director, Crisis Communications, also contributed to this article.
1: “Report: America’s Critical Infrastructure is Highly Vulnerable.” Yahoo! Finance (May 23, 2023). https://finance.yahoo.com/news/report-americas-critical-infrastructure-highly-193700098.html.
2: Jacqueline Neber. “Cybersecurity Attacks Cost Healthcare Systems More Than Any Other Sector, New Report Finds.” Crain’s New York Business (August 9, 2022). https://www.modernhealthcare.com/cybersecurity/ibm-report-finds-cybersecurity-attacks-impact-healthcare-more-any-other-sector.
3: “Fact Sheet: Biden-Harris Administration Announces National Cybersecurity Strategy.” The White House (March 2, 2023). https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/.
6: “FTI Consulting Survey: US Healthcare & Life Sciences Industry Outlook 2023.” FTI Consulting (March 23, 2023). https://www.fticonsulting.com/insights/reports/fti-consulting-survey-us-healthcare-life-sciences-industry-outlook-2023.
7: Brian Boetig. “How Tech Firms Can Get a Head Start on the New National Cybersecurity Strategy.” FTI Consulting (May 15, 2023). https://www.fticonsulting.com/insights/fti-journal/how-tech-firms-can-get-head-start-new-national-cybersecurity-strategy.
8: “National Cyber Strategy of the United States of America.” The White House (September 2018). https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf.
9: “FTI Consulting Survey: US Healthcare & Life Sciences Industry Outlook 2023.”
10: “Cybersecurity in Medical Devices Frequently Asked Questions (FAQs).” U.S. Food and Drug Administration (2020). https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity-medical-devices-frequently-asked-questions-faqs.
11: “Smart Hospitals to Deploy over 7 Million Internet of Medical Things.” Juniper Research (January 4, 2022). https://www.juniperresearch.com/press/smart-hospitals-to-deploy-over-7mn-iomt.