
Muddling through cybersecurity: Insights from the US healthcare industry

Abstract:

It is clear that US healthcare organizations lack organized and deliberate cyber resilience strategies. Budgets for cybersecurity are low and continuously being cut, and there is also no formal security program or leader assigned to cybersecurity for healthcare. As a result, criminal cyberattacks on healthcare have increased by 125% in the last 5 years. More and more patients receive bills for medical procedures they never went through.

Unfortunately, much of the problem comes from leaders turning a blind eye due to the overwhelming nature of cybersecurity. The growing use of IoT devices significantly increases the potential attack surface area for hackers. These devices are used for a variety of purposes and are connected to networks and a large number of data sources, including EMR and HIS. In general, they have weaker security protections and also come with weak encryption tools. Distributed denial-of-service attacks are often made on these devices to eavesdrop on traffic and steal confidential data. Furthermore, the use of mobile devices to deliver healthcare further increases the attack surface. Finally, cloud-based records once again increase the surface area for potential attacks and also require additional, different security measures. There are various security frameworks with overlapping goals, yet the healthcare industry still uses frameworks and tools that are not risk-based.

Legislation regarding cybersecurity and healthcare is not very helpful, as it is often ambiguous in laying down information about expectations and mechanisms. There is also no cybersecurity certification process that is mandated by law in the healthcare sector. Compliance is about as far as most healthcare organizations venture. However, compliance does not guarantee impenetrability and resilience.

Author:
Chon Abraham, Dave Chatterjee, Ronald R. Sims
Year:
2019
MIT Political Science
ECIR
GSS