As 2023 comes to a close, it is important to look back on what took place and the trends that are emerging to anticipate what the future may hold.
When it comes to healthcare cyber security, healthcare providers continued to be a prime target of malicious actors in 2023, with significant breaches affecting healthcare organisations worldwide, including incidents involving the NHS, HCA Healthcare, the HSE, and others making headlines over the past year.
As we prepare for the year ahead, healthcare providers will continue to find themselves in the crosshairs of bad actors.
As such, it is critical for security and IT professionals to learn from these past experiences to better position their organisations in light of the ever-evolving threat landscape.
And, while it will continue to prove to be an uphill battle, I believe that healthcare security and IT pros, alongside legislators and cyber security vendor partners, will make great strides in the coming year.
Below are my five healthcare cyber security predictions for what we can anticipate in 2024.
- The tactics of malicious actors will continue to grow more sophisticated and cyber attacks will come at a higher frequency, further complicating the threat landscape surrounding healthcare providers
Ransomware attacks have not entirely ‘shifted’ from a spray-and-pray approach via phishing, but continue to incorporate targeted footholds and more-complex attacks into environments.
While Ransomware as a Service (RaaS) and ‘simpler’ ransomware attacks will continue to target the industry, we will see a rise in much-more-complex ransomware and other cyber attacks that target particularly the largest healthcare providers.
Generative AI is also top of mind for security and IT pros at healthcare delivery organisations (HDOs), and a number of organisations are setting up committees to review AI capabilities for offensive, defensive and clinical care purposes.
As the healthcare industry incorporates and innovates solution stacks with Generative AI, so will its adversaries.
Whatever is available to security and IT pros is also available to malicious actors – take ransomware as a prime example of what can happen when a security capability – in this case encryption – is flipped on its head and weaponised.
The very technology to keep the bad guys out is being leveraged to instead block the good guys from accessing their files.
AI will help to advance patient care, but we will also start seeing the technology being leveraged increasingly to drive more-frequent, sophisticated attacks.
It will be crucial in the new year that security and AI pros expedite their own use of the technology, its governance, and security in order to better protect their organisations in light of this evolving threat.
- An increased focus on medical device security will continue to proliferate into regulations globally
We have seen the U.S. Food and Drug Administration (FDA) make these mandates – such as the most-recent refuse-to-accept (RTA) policy – as well as the UK National Health Service (NHS) with its Data Security and Protection Toolkit (DSPT) legislation, and other countries across Europe develop similar guidelines.
I believe we will also see a renewed focus on software bill of materials (SBOMs) to provide clear understanding of the software components used to build various assets.
We will continue to see additional developments and specificity on medical device security as more cyber security and critical infrastructure-centric regulations are drawn up.
While work remains to be done, and the execution to be both seen and tweaked, these regulations are a great step forward to mandate cyber security be baked into products and that organisations have regular assessments of the cyber security posture of devices.
And while there are growing pains as with any new regulations, these are necessary pains.
After all, a plan is only as effective as its execution. In this case – a critical plan driving the industry forward.
- Healthcare providers will continue to modernise their security strategies, prioritising segmentation and defence-in-depth in 2024
Segmentation will remain one of the primary methods for increasing healthcare cyber security.
As such, security and IT pros at HDOs will look to modernise their strategy to begin segmenting their network in 2024, if they have not already.
It is a massive and difficult project that can span many years.
However, it is the project that will accomplish the greatest risk reduction in a healthcare environment and be a pillar in a pro-active risk reduction strategy.
What is key for these projects is the proper planning and understanding that a segmentation project can be akin to a journey with multiple phases – discovery/inventory, behavioural and communication mapping, policy creation, prioritisation, test/pilot, implementation, and automation.
One growing trend is a risk-based prioritisation approach wherein instead of a traditional method of segment lists created by manufacturer or type, healthcare organisations can achieve a much-faster ROI by identifying and prioritising the segmentation of critical vulnerable devices first – particularly patient-facing devices – to achieve maximum risk reduction upfront.
Additionally, defence-in-depth capabilities will start to emerge for newer medical devices.
These include more clearly outlined security documentation and behaviours, embedded security capabilities, support for security software and solutions, and the retiring of legacy systems in favour of newer, more secure devices.
As a result, segmentation will start to be augmented by other security capabilities now being supported on newer medical devices such as more-frequent software patching and updates.
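The risk-based prioritisation described above can be compared with manufacturer-based segment lists on a small inventory. This is an added example, not part of the original article; the device records are constructed and the scoring formula (criticality, open vulnerabilities, patient-facing weighting) is an assumption chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    name: str
    manufacturer: str
    patient_facing: bool
    criticality: int   # assumed scale: 1 (low) .. 5 (life-sustaining)
    open_vulns: int    # unpatched known vulnerabilities (constructed)

# Constructed sample inventory, standing in for the discovery/inventory phase.
INVENTORY = [
    Device("infusion-pump-01", "Acme", True, 5, 4),
    Device("label-printer-07", "Acme", False, 1, 1),
    Device("patient-monitor-03", "Borealis", True, 4, 3),
    Device("ct-scanner-01", "Borealis", True, 4, 6),
    Device("badge-reader-12", "Cobalt", False, 2, 0),
    Device("lab-analyser-02", "Cobalt", False, 3, 5),
]

def risk_score(d: Device) -> int:
    # Assumed scoring: criticality scaled by exposure, doubled when patient-facing.
    return d.criticality * (1 + d.open_vulns) * (2 if d.patient_facing else 1)

def by_manufacturer(devices):
    # Traditional ordering: segment lists grouped by manufacturer.
    return sorted(devices, key=lambda d: (d.manufacturer, d.name))

def by_risk(devices):
    # Risk-based ordering: highest-scoring devices are segmented first.
    return sorted(devices, key=lambda d: (-risk_score(d), d.name))

def cumulative_reduction(ordered, wave_size):
    """Percent of total inventory risk behind a segment after each wave."""
    total = sum(risk_score(d) for d in ordered)
    covered, progress = 0, []
    for i in range(0, len(ordered), wave_size):
        covered += sum(risk_score(d) for d in ordered[i:i + wave_size])
        progress.append(100 * covered // total)
    return progress

if __name__ == "__main__":
    print("manufacturer order:", cumulative_reduction(by_manufacturer(INVENTORY), 2))
    print("risk-based order:  ", cumulative_reduction(by_risk(INVENTORY), 2))
```

With this inventory, the first risk-based wave covers roughly twice the share of scored risk that the first manufacturer-based wave does, which is the upfront reduction the approach aims for.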
- Medical device manufacturers will develop additional security partnerships and offerings
How effective this will be is still unknown at this time, but whether through professional services, technical capabilities, or new devices, we are seeing medical device manufacturers start focusing on cyber security initiatives for their new medical devices.
In the year ahead, I believe medical device management service providers will place additional focus on providing remediation services for medical device security advisories.
Healthcare organisations will also leverage MSSPs and partner or vendor services more in order to help scale their internal operations.
Using this approach can help with offloading tasks, more-rapid risk reduction, as well as sharing of information and best practices for maximum effectiveness.
- The cyber security skills shortage gap will widen
AI is being more incorporated into technology stacks, particularly as cyber security vendors look to harness its innovative power.
It will help streamline tasks, but organisations – particularly smaller healthcare organisations with fewer resources – will still suffer greatly from a cyber security skills and experience shortage, not only in specific technical domains, but also in the ability to implement and systematically mature a healthcare cyber security programme.
To fill these gaps, it is critical that HDOs look to external partners to support their security programmes.
A foundational recommendation here is to leverage security frameworks to help build a systematic approach to improving their security posture with prioritised security efforts.
A key here is to anchor the programme in a framework-based approach such as the NIST Cyber Security Framework (CSF) with regular reviews and gap analysis to form a guide on priorities and efforts for the year ahead.