Getting Vulnerability Management Right in Healthcare

In this second of a five-part series of posts on why strong vulnerability management is so vital for cybersecurity programs, we look at the need for effective vulnerability management in the healthcare sector.

Like financial services, healthcare is a highly regulated industry and it’s also among the most common targets of cybercriminals. Healthcare institutions have to deal with a multitude of security threats, with hackers and other cybercriminals constantly looking for ways to exploit software vulnerabilities so they can steal critical data such as patient records.

Organizations in the sector have been particularly plagued by ransomware attacks. A September report from research firm Ponemon Institute on ransomware in the healthcare sector, based on a survey of 597 IT and IT security professionals, showed that about two thirds of patient care organizations have now been victims of ransomware attacks, with one third reporting they’ve been hit at least twice by such attacks.

The onset of COVID-19 introduced new risk factors for healthcare providers, including remote work, new systems to support remote work, staffing challenges, and elevated patient care requirements, according to the report.

The Unique Challenges of Vulnerability Management in Healthcare

Healthcare organizations are face a number of key cyber risks. One is the increased use of medical equipment and devices. Monitoring and controlling the security of these devices can be a major challenge for healthcare security teams, in large part because modern medical devices and equipment rely on software that bad actors can exploit.

Research firm Forrester Research has noted that medical device security is a growing concern for healthcare providers worldwide, as attackers focus on exploiting these vulnerable targets. Several cases have been identified where attackers directly compromised a medical device as part of overall campaigns against hospitals, it said.

This is an even bigger challenge with the growing use of the Internet of Things (IoT) in the sector. IoT enables organizations to connect devices to the internet for data gathering, remote care, and other purposes. But it also introduces new security risks including the hacking of these devices and Distributed Denial-of-Service (DDoS) attacks.

Security tools don’t necessarily detect some of the breaches that occur via remote, connected devices. Connected medical devices are typically invisible to traditional endpoint and network security tools, Forrester said.

Like other types of organizations, healthcare providers can also be subject to security risks within the supply chain. For example, providers of medical supplies, equipment, infrastructure systems such as heating and ventilation, etc., could get hit with a security breach that affect their healthcare organization partners.

Aside from protecting against the loss or theft of data, healthcare organizations need to be concerned with regulations related to security and privacy. For instance, the Health Insurance Portability and Accountability Act (HIPAA) has certain requirements for data protection. Software vulnerabilities that result in stolen data can lead to noncompliance and resulting penalties.

Why Vulnerability Management is Essential in Healthcare Environments

Vulnerability management tools and processes that decrease or eliminate software vulnerabilities can go a long way toward addressing the various security threats facing the healthcare industry. In combination with a DevSecOps approach, a robust vulnerability management program helps health organizations ensure that they’re delivering secure applications.