Health Tech

How Can Hospitals Prepare for 2024’s Cyberthreats?

Many hospitals remain underprepared to protect themselves against cybercriminals’ barrage of increasingly sophisticated attacks, but there are a couple concrete steps they can take to build a stronger defense structure — like virtual patching and thinking twice about moving to the cloud.

Experts say this year has been the worst ever when it comes to healthcare cyberattacks. More than 100 million people have had their health data exposed as a result of cyberattacks in 2023, which is more than double the 44 million individuals affected last year.

Many hospitals remain underprepared to fend off cybercriminals’ barrage of increasingly sophisticated attacks, but there are a couple concrete steps they can take to build a stronger defense structure, according to Oren Koren, co-founder and chief product officer of cybersecurity startup Veriti.

“Cybersecurity started years ago as the secret club of experts who, without knowing, were pioneering the digital world we live in today,” he explained. “Years of advanced persistent threat (APT) groups’ malicious activities and successful campaigns, combined with the espionage of countries, resulted in ‘bad actors’ understanding they could actually make a living from delinquencies — enter the darknet.”

This first began with hacker groups demanding ransom payment from healthcare organizations — and succeeding. Then, something called “cyberattack-as-a-service” emerged, Koren said. 

Cyberattack-as-a-Service (CaaS) refers to a criminal business model in which groups provide on-demand hacking services to individuals or organizations for a fee. In this illicit marketplace, clients can purchase various cyberattack services, such as distributed denial of service (DDoS) attacks, malware deployment or phishing campaigns, without having the technical expertise themselves. This underground economy enables a wider range of threat actors to launch sophisticated cyberattacks, which is why cyberattacks have been growing so much in complexity and scale.

“Like any successful business, the bad actors needed to find the best ways to increase revenues with a high success rate and low churn of users not using their cyberattack infrastructure. These attackers created a robust cyberattack infrastructure, constantly improving their skills — practice makes perfect. They also automated most of their processes, allowing their users to use their sophisticated attack methods with a click of a button,” Koren stated.

Sponsored Post

Physician Targeting Using Real-time Data: How PurpleLab’s Alerts Can Help

By leveraging real-time data that offers unprecedented insights into physician behavior and patient outcomes, companies can gain a competitive advantage with prescribers. PurpleLab®, a healthcare analytics platform with one of the largest medical and pharmaceutical claims databases in the United States, recently announced the launch of Alerts which translates complex information into actionable insights, empowering companies to identify the right physicians to target, determine the most effective marketing strategies and ultimately improve patient care.

In his view, virtual patching is one of the most important actions a hospital should take to protect the organization against cyberattacks. 

To begin doing this, providers must realize that a hospital is always vulnerable and they won’t be able to patch at-risk systems that can be hacked every day, he noted.

“Patching an old MRI device with Windows Vista that got the certificate 16 years ago is virtually impossible due to fear of touching legacy software. Plus, it would require recertification at the point of manufacturing. This can easily be resolved by adopting virtual patching, which enables rapid response to mitigate the vulnerabilities without waiting endlessly for the next maintenance window or patching legacy operating systems,” Koren explained.

This approach likely maximizes the layers of security that the hospital’s cybersecurity team already has, he added.

In addition to virtual patching, hospitals should also think twice about moving to the cloud if they don’t have the required manpower and expertise, Koren said. The idea of the cloud may seem sexy and simple to deploy, but not all hospitals are prepared to make the move, he declared. 

In order to guarantee a successful cloud migration, hospitals need to understand their cloud’s configurations and logic, as well as figure out how to keep the cloud secure, Koren noted. 

This requires having trained cybersecurity experts on staff. Before moving to the cloud, a hospital’s leaders need to see if they have the budget to double their amount of cybersecurity staff, Koren said. They also need to examine the hospital’s various third-party partners, as this means the organization is giving “the keys to the kingdom to an external resource,” he remarked.

Photo: da-kuk, Getty Images