Monday, September 29, 2025

Healthcare’s Device Crisis Is a Patient Safety Crisis

The following is a guest article by Apu Pavithran, Founder and CEO at Hexnode

Cybersecurity and physical security are increasingly linked in modern healthcare. Bad actors know that mobile devices and medical endpoints can serve as entry points into an organization’s ecosystem and allow them to hold the entire network hostage.

We saw this last year when Change Healthcare fell victim to a ransomware attack, resulting in data theft and estimated losses of more than $800 million. Attackers succeeded through basic endpoint security failures – cracking a single password on a remote account without multi-factor authentication – and the result was not only financial losses but also the cancellation of urgent surgeries and critical patient services.

In this climate of increasing ransomware and successful breaches – with healthcare attacks up 150% year-over-year – device security must be seen as patient security. It’s therefore not acceptable to treat outdated devices and open backdoors as the sector norm. Poorly managed devices represent healthcare’s most preventable security crisis – let’s look at how leaders can finally close this gap.

Why Mobile Devices are in Hacker Crosshairs

Hackers know that healthcare downtime isn’t only expensive but a literal matter of life and death. Once inside, they demand payout or threaten lockout, knowing full well that healthcare is more motivated than most industries to get its systems back up and running. But the sector isn’t moving fast enough to protect ecosystems from known vulnerabilities and upgrade old devices. A recent report revealed that approximately half of all mobile devices are running outdated operating systems, a big problem since about one-third of ransomware attacks start with a known yet unpatched vulnerability.

It’s a numbers game for hackers and the numbers are increasingly in their favor. They know that, post-pandemic, there are more healthcare endpoints online to exploit, and AI is a productivity boon that enables them to scale attacks with unprecedented efficiency. This only makes ransomware a more frequent problem for which healthcare organizations are increasingly willing to pay. In 2024, 11 percent more organizations paid ransoms compared to the previous year, with an average payout of $4.4 million.

Moreover, healthcare organizations are finding it harder to come back from hacks. Fast recoveries are fewer and further between, with only 22% of healthcare organizations recovering from ransomware in less than a week in 2024, a dramatic decline from 54% in 2022. Meanwhile, 37% reported that it took them more than a month to return to “normal”, up from 28% the previous year.

Unfortunately, patients suffer in the meantime. According to Proofpoint, two-thirds of healthcare organizations experienced care disruptions following security incidents, with more than half reporting delayed procedures that led to poor patient outcomes. Even more concerning, half of the affected organizations saw complications during medical procedures increase, while nearly a quarter reported higher patient mortality rates. Clearly, getting security right isn’t only about creating a strong environment for patient data, but also ensuring a reliable foundation for patient care.

The Politics of Medical Devices

This isn’t to say that admins bear all the blame. From patient monitors to infusion pumps and imaging systems, some devices run on hardware that can last years or decades but on software with a much shorter lifespan. Of course, some of these devices were never intended to connect to the internet, but replacing them or updating them isn’t easy. In these situations, we need admins working with healthcare leaders to develop solutions that stop this emerging attack vector while enabling these life-saving machines to continue providing care.

It’s also worth noting that political cost-cutting doesn’t help matters. A recent House hearing on medical device cybersecurity highlighted concerns that FDA staff cuts could undermine federal cybersecurity efforts just when hospitals need more support, not less.

Yet, despite federal uncertainty, there are immediate steps admins can take. As one expert testified, many hospitals don’t even know how many vulnerable devices they have or where they’re located – a basic inventory management task that’s entirely under IT’s purview.

My advice is that admins should move immediately to better protect their current assets. In the face of clear software and device shortcomings that they control, it’s past time to step up and fight back.

How Admins Can Take Back Device Control

Begin by thoroughly understanding what you have. Connect your devices to a central platform to gain a single view of what’s online and better protect them. Solutions like unified endpoint management not only provide an up-to-date overview of the ecosystem but also allow automatic software patching and password policy enforcement, closing two avenues that ransomware hackers often exploit. These platforms also enable compliance reporting, emergency access protocols, and remote device wipe capabilities – non-negotiable foundations in protecting always-on devices from always-active hackers.

Also, reconsider the make and model of devices. Android in healthcare is proving more than capable with top marks for customization, compatibility, and secure handling of patient data. Of course, it doesn’t hurt that Android devices are also cheaper than competitors like Apple. Android devices, particularly when entire fleets are unified by a central platform, excel at meeting healthcare’s unique demands for durability, specialized workflows, and cost-efficiency. Retooling with standardized devices that follow automated policies is a proven way to address many of the problems we’ve discussed before they become critical vulnerabilities.

Additionally, protect the wider network from legacy devices with segmentation. When older medical equipment can’t be immediately updated, keeping it on a separate network limits the potential damage from any compromise.

Considering the seriousness of the ransomware threat and the relative ease with which many of the device backdoors can be closed, it’s just not good enough for outdated software and poor cyberhygiene to be the status quo. Device security is inextricably linked with patient outcomes – it’s up to all of us to lift our game and redouble our device defenses.

About Apu Pavithran

Apu Pavithran is the Founder and CEO at Hexnode, the award-winning Unified Endpoint Management (UEM) platform developed by Mitsogo Inc. Hexnode helps businesses manage mobile, desktop, and workplace devices from a single place.


