
Each year, cybersecurity researchers discover more common vulnerabilities and exposures (CVEs) than there are types of the common cold. For reference, there are about 200 types of the common cold, but in 2024 researchers discovered more than 40,000 CVEs.
Just as viruses mutate to evade the immune system, threat actors are constantly developing new exploits to target vulnerabilities. Unfortunately, these exploits metastasize as ransomware and advanced persistent threats (APTs), or they become packaged as exploit kits and sold in shadowy corners of the dark web.
One year after the Change Healthcare breach, organizations are aware of the impacts these threats can cause. According to a report from Bain & Company and KLAS Research, 70% of providers and payees were affected by the outage, and patient care suffered as a result.
The challenge is that the risk of complex healthcare systems is difficult to diagnose. IT and OT networks are connected in ways their original architects never intended. Vulnerabilities are frequently discovered in medical devices and software, yet many legacy systems cannot be secured.
Regulatory compliance mandates face similar challenges. Proposed changes to HIPAA, for example, may require organizations to develop asset inventories, analyze risks and scan for vulnerabilities, which are among the most common challenges cybersecurity teams already face.
Organizations need to take a proactive approach to identify, prioritize and mitigate threats in real time. This means gaining visibility into, and control over, all physical and virtual assets. “An ounce of prevention is worth a pound of cure,” as the doctors say.
Healthcare networks are as complex as human nervous systems
The attack surface of healthcare systems includes enterprise assets, patient care systems and building management systems like HVAC, often across multiple facilities or even hosted in the cloud. A major challenge lies in the diversity of devices and systems.
Medical devices, electronic health records (EHRs) and other critical systems are often developed by different vendors, each with its own security protocols and update cycles. This fragmentation makes it difficult to implement consistent monitoring and protection strategies.
Legacy devices are particularly problematic because they were designed without modern cybersecurity features, which makes them difficult to patch and protect. Even when solutions do exist, healthcare providers may be wary that implementing them could cause downtime and disrupt patient care.
Third-party risks, such as vulnerable software libraries, and a lack of insight into mission-critical assets complicate these challenges.
In simple terms, it can be difficult for organizations to see, protect and manage all of the assets on their network.
Under the microscope: Vulnerabilities in healthcare systems
For example, let’s take a look at how a vulnerability in NextGen Healthcare’s Mirth Connect enables remote code execution. Mirth Connect is a popular data integration platform for EHR systems, medical devices and other applications, so this vulnerability likely affects many healthcare organizations.
These are the sort of systems that accumulate technical debt, because the end-of-life (EOL) operating systems they run on no longer reliably receive security updates. In fact, this Mirth Connect vulnerability was discovered after a previous vulnerability was patched incompletely.
It is likely that some medical imaging servers running EOL software remain exposed to these vulnerabilities. Unfortunately, these are also the sort of systems that are difficult to monitor. All of this makes them attractive targets, and exploit kits for such systems are distributed on the dark web.
Cybersecurity teams should prioritize updating Mirth Connect to minimize the risk of compromise to connected medical devices. They should also isolate affected systems with network segmentation and continuously monitor them for suspicious traffic or behavioral anomalies. Fundamentally, though, a more proactive approach is needed to defend and manage the entire attack surface.
A routine for cybersecurity hygiene
Just as washing your hands helps reduce the spread of disease, a variety of cybersecurity fundamentals can reduce the impact of a cyberattack. And because the challenges of compliance mirror those of cybersecurity, these fundamentals also help strengthen compliance.
Visibility is the first step in adopting a proactive approach. Developing a comprehensive asset inventory requires the ability to discover unknown and unmanaged devices to ensure every asset is monitored. Proposed HIPAA updates may require regulated entities to map the flow of electronic patient health information (ePHI), so this is a great place to start.
Just as routine bloodwork can reveal risk factors for disease, gaining insight into devices enables security teams, which might otherwise be overwhelmed by millions of alerts, to effectively prioritize and remediate vulnerabilities.
Continuous monitoring enables continuous risk scoring and assessment, both for cybersecurity risk and compliance. Historically, these sorts of risk assessments have been static snapshots that quickly grow outdated.
Continuous monitoring can be combined with early warning vulnerability alerts that highlight emerging exploits. For instance, security operations can monitor for specific indicators of compromise, such as the particular CVEs that known APT groups rely on.
Organizations like HS-ISAC facilitate information sharing among healthcare organizations. Cybersecurity solutions often leverage cutting-edge techniques like smart honeypots and dark web monitoring, which can identify emerging threats or exploit kits, again with specific indicators of compromise.
The good news is that healthcare providers and payee organizations are increasing their IT spend, directing more money toward auditing systems and minimizing single points of vulnerability. This investment in preemptive protection will pay dividends for cybersecurity programs and proactively addresses proposed HIPAA updates that impose more rigorous cybersecurity requirements.
Mohammad Waqas is the Chief Technology Officer (CTO) for Healthcare at Armis. He is an information security professional with over a decade of experience in the healthcare cybersecurity industry. Currently Mohammad helps healthcare organizations across the globe with medical device security and works on aligning the value of the Armis platform to the specific use cases that exist in healthcare.
This post appears through the MedCity Influencers program, through which anyone can publish their perspective on business and innovation in healthcare on MedCity News.