Next-Level Protection: How UPGRADE May Shape the Future of Healthcare IT Security


Hospitals and medical facilities face a unique cybersecurity challenge. While other industries are dealing with their own issues, in the healthcare space the attacks mount while budgets and skillsets are sparse.

A primary hurdle is the lack of funding. Budget constraints frequently result in outdated hardware and software, as financial resources are often allocated to direct patient care rather than IT investments. This prioritization, while essential for immediate patient outcomes, leaves IT infrastructure vulnerable and inadequately supported. Adding to the complexity, many large pieces of hardware in hospitals have been built for longevity and not upgradability. Your standard MRI machine is generally replaced every 10+ years and often runs proprietary software built by the manufacturer.


Another significant challenge is the shortage of skilled IT staff within the healthcare sector. 61% of U.S. healthcare institutions cite a lack of cybersecurity staff as a major obstacle (Statista 2022). The demand for talented IT professionals is high across all industries, and healthcare often struggles to attract and retain these individuals. High turnover rates exacerbate the problem, leading to gaps in knowledge and continuity that are critical for maintaining secure and efficient IT operations. The reason for this shortage is, again, likely the prioritization of patient care over IT resources and funding.

Many healthcare professionals have limited awareness and understanding of the risks posed by cybersecurity threats. Many healthcare workers simply want to spend their time on patients and not on navigating technology, leading to a “just make it work” mentality. This lack of awareness can lead to insufficient prioritization of IT security measures, leaving the extremely complex systems more susceptible to attacks.


Healthcare IT infrastructure is shaped by stringent regulations designed to protect patient data, primarily enforced through the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). These regulations mandate strict protocols for handling and securing patient information to ensure privacy, data integrity, and accessibility. The systems within the healthcare facilities require a robust IT framework that balances regulatory requirements (secure technologies, staff training, data management, etc.) with budget constraints and available expertise. An obvious challenge.

All of these shortfalls and regulations create the perfect conditions for malicious actors to take advantage of a target-rich environment with high reward.

Why healthcare continues to be a target

Healthcare organizations remain a prime target for cybercriminals due to the comprehensive and sensitive nature of the medical records they hold. A typical medical record can be a goldmine for bad actors, as it encompasses everything from identity data and medical histories to detailed clinical documentation. This wealth of data not only helps in managing patient care but, unfortunately, also presents lucrative opportunities for malicious activities. Here’s why healthcare data continues to attract the attention of bad actors:

Patient Information:

  • Identity Data: Includes the patient’s name, date of birth, address, and contact details.
  • Medical History: Past illnesses, surgeries, allergies, and family medical history.

Clinical Documentation:

  • Diagnoses: Recorded diagnoses, both current and provisional.
  • Prescribed Medications: Details of medications and treatments.
  • Lab and Imaging Results: Test results, X-rays, MRIs, and other diagnostic findings.
  • Procedures: Information on procedures performed (e.g., ECG, colonoscopy).
  • Immunization Records: Vaccination history.

Billing and Administrative Data:

  • Insurance Information: Details related to health insurance coverage.
  • Billing Records: Charges, payments, and claims.
  • Authorization Forms: Consent forms for treatments and procedures.

The detailed personal and medical information contained in healthcare records offers a lucrative incentive for bad actors looking to commit a range of crimes. From identity theft and insurance fraud to sophisticated phishing schemes and prescription fraud, the misuse of this sensitive data can have far-reaching and devastating consequences. Several ways that cybercriminals exploit stolen medical data to conduct illicit activities are:

Identity Theft and Fraud:

  • Bad actors use stolen healthcare data for identity theft. They can open fraudulent accounts, apply for credit cards, or access sensitive services in the victim’s name.
  • Hackers may threaten to publish specific diagnoses or medical conditions unless a ransom is paid.

Insurance Fraud:

  • By using your insurance information, attackers can submit false insurance claims and then cash the reimbursement checks.

Phishing and Spamming:

  • Attackers create targeted phishing emails or spam messages, tricking patients into revealing sensitive information or downloading malware.

Prescription Fraud:

  • Medical records can be used to obtain prescription medications or medical equipment, leading to financial losses for patients and healthcare providers.

This demand makes complete medical records a highly prized commodity on the dark web, fetching prices as high as $1,000 per record. The amount of data in a single record is too much for cybercriminals to pass up. This is in stark contrast to credit card numbers (which can be quickly cancelled), which are sold for around $5, and social security numbers, which are sold for as little as $1. This significant price disparity underscores the unique value and utility of medical records, which provide a long-term asset for cybercriminals.

Three typical attacks on healthcare

While healthcare facilities face the same types of attacks that other industries do, there are ones that are more likely to impact them given the nature of the attack surface and the potential reward.

First, and probably most prominent, are ransomware attacks. These attacks encrypt critical data and demand payment for its release. They can severely disrupt hospital operations, compromise patient care, and lead to substantial financial losses. The prevalence of ransomware has surged dramatically in recent years. In 2023, the number of ransomware attack claims worldwide rose by 74% compared to 2022. Specifically, the healthcare sector saw nearly double the number of ransomware victims globally, with 389 claimed incidents in 2023, up from 214 in the previous year. In the United States alone, the number of affected hospitals increased to 46 in 2023 from 25 in 2022 (dni.gov), highlighting the escalating risk and impact of these attacks on the healthcare system.

Phishing attacks are another threat in the healthcare sector. Cybercriminals posing as legitimate entities, often via email, trick recipients into divulging sensitive information. Both healthcare professionals and patients are susceptible to these deceptive tactics. As pointed out previously, these attacks can be made more personal and therefore more potent with the knowledge of specific patient information garnered from a data breach. In 2023, a staggering 88% of healthcare workers reported opening phishing emails. Phishing attacks were responsible for 36% of all data breaches in the United States during the same year. These attacks can lead to unauthorized access to personal and medical information, posing significant risks to patient privacy and data security (getastra.com).

Supply chain attacks target vulnerabilities in third-party components or services utilized by healthcare systems. For instance, Remote Patient Monitoring (RPM) devices, which had 23 million users in 2020, may contain security flaws that threat actors exploit. The number of people using RPM services is expected to more than triple by 2025, reaching over a quarter of the US population. These attacks can compromise the integrity of healthcare data, breach patient privacy, and undermine overall system security. By exploiting weaknesses in the supply chain, cybercriminals can infiltrate healthcare networks indirectly through these connected components in the attack surface (healthcareittoday.com).

While not a complete list, these threats underscore the need for cybersecurity measures in healthcare like vulnerability and patch management (one of cybersecurity’s table stakes), which help organizations respond to potential vulnerabilities and weaknesses in their systems. So why is this so difficult in the healthcare space?

How vulnerability management differs in healthcare

Effective vulnerability management is an ongoing, proactive process designed to protect systems, networks, and the organization’s applications from attacks. This process involves identifying, assessing, reporting on, managing, and remediating vulnerabilities across various endpoints, workloads, and systems. The key steps in vulnerability management include:

  • Discover: Organize assets and uncover all devices within the network to maintain a comprehensive inventory.
  • Assess: Conduct accurate and effective scans for vulnerabilities to understand the security posture.
  • Report: Generate reports detailing findings for remediation efforts and compliance purposes.
  • Remediate: Monitor vulnerabilities, assign tickets, and manage exceptions to address security gaps promptly.
  • Verify: Confirm the success of remediation efforts to ensure vulnerabilities have been effectively mitigated.

Healthcare organizations face challenges when trying to patch their systems. One source of friction is dealing with legacy systems. These older systems often struggle with compatibility issues when interfacing with newer hardware and software, making it difficult to apply necessary patches without causing integration problems. Or worse, prolonged downtime. Many legacy systems also rely on proprietary software that may no longer receive updates or patches from the original vendors, further complicating efforts.

Healthcare environments typically include a diverse mix of legacy and “snowflake” systems, each requiring specific patches and updates. This means that a patch applied to one system can have unintended consequences on others, requiring careful coordination and testing to ensure that updates do not disrupt the overall system functionality.


Lastly, and probably most obvious, is that healthcare systems require continuous operation to ensure patient care is not disrupted. As a result, finding suitable maintenance windows for patching can be particularly challenging, especially in 24/7 healthcare environments. Any downtime for patching can potentially disrupt hospital operations and patient services, making it difficult to balance the needs of the system with the needs of the patient. Often, and perhaps rightly so, the patient’s needs win.

How do healthcare facilities patch?

So how do healthcare facilities patch their systems? It’s technically similar to most organizations but different in practice. The difference is in the constraints I outlined previously: a lack of skilled and plentiful staff, an aversion to downtime, and a complex system, to name a few. One of the biggest hurdles in patching healthcare systems is the general absence of an automated method to patch the large number of systems, hardware, and software in the facilities.

Take an MRI machine for example. Aside from the hardware itself, which can be built by numerous different manufacturers, there is abundant software both in and around the MRI machine that supports the creation and viewing of the images. Much of this software is proprietary to the maker of the MRI machine and focused on tackling specific tasks related to scanning and processing scans.

While some of the software that supports this machine may be connected to a network, some is not. Patching such a microsystem in the larger context of the facility is difficult. For example, a simple update to the gradient hardware in the MRI machine for better resolution would likely require IT personnel to physically walk to the machine and plug in a USB drive while interfacing with the proprietary OS. This requires knowledge of the OS, how to process the update, how to test the success of the update, and how to bring the machine back up after the update.


Multiply this by the number of similar microsystems in the hospital: CT scanners, x-ray and ultrasound machines, ECG and blood pressure sensors, smart beds, mobile nurse stations, QR scanners, surgical support machines, code carts, etc. This also includes the systems and applications that support the hospital, such as billing, prescription, scheduling, and medical records. While the network-connected devices, OSs, and applications can have patches delivered to them remotely, the non-connected devices will require physical access to patch. And more importantly, time.

Given the unpredictable nature of a hospital, scheduling time to patch systems (whether remotely, or through physical interaction) can be difficult. Scheduled downtime can have an unforeseen impact on patient care. Moreover, if the patch disrupts the system or renders the application or machine unavailable past the patch window, patient care is likely to be hobbled.

This leads to an overall aversion to patching without a guarantee that patient care will not be at risk. So, how do we get there?
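The constraints described in this section (remote versus physical patch delivery, vendor support, and limited maintenance windows) can be expressed as a small planning routine. This is an added example, not code from the article or from the UPGRADE program; the asset names, windows, durations, and the rollback margin are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Asset:
    name: str
    networked: bool          # can a patch be delivered remotely?
    vendor_supported: bool   # does the vendor still ship patches?
    clinical: bool           # does downtime directly affect patient care?
    patch_minutes: int       # estimate: apply, test, bring back up
    windows: list = field(default_factory=list)  # (start, end) datetimes

def plan(asset, now, rollback_factor=2):
    """Return (action, start_time) for one asset with an open vulnerability."""
    if not asset.vendor_supported:
        # No patch exists: isolate/monitor and record an exception instead.
        return ("compensating-control", None)
    # Assumption: clinical gear must fit patch plus rollback inside the window,
    # so a failed update cannot leave the device down past the window.
    factor = rollback_factor if asset.clinical else 1
    needed = timedelta(minutes=asset.patch_minutes * factor)
    for start, end in sorted(asset.windows):
        begin = max(start, now)          # a window may already be running
        if end - begin >= needed:
            action = "remote-patch" if asset.networked else "onsite-patch"
            return (action, begin)
    return ("escalate-no-window", None)

def schedule(inventory, now):
    """Plan every asset in the inventory; returns {name: (action, start)}."""
    return {a.name: plan(a, now) for a in inventory}

def win(day, h1, h2):
    # Helper for the constructed sample data (June 2024, whole hours).
    return (datetime(2024, 6, day, h1), datetime(2024, 6, day, h2))

# Constructed sample inventory, not real hospital data.
NOW = datetime(2024, 6, 1, 8, 0)
INVENTORY = [
    Asset("billing-app", True, True, False, 30, [win(1, 22, 23)]),
    Asset("mri-console", False, True, True, 90, [win(2, 1, 3), win(5, 0, 4)]),
    Asset("legacy-ecg", False, False, True, 0, []),
    Asset("nurse-station", True, True, True, 45, [win(1, 7, 9)]),
]

if __name__ == "__main__":
    for name, (action, start) in schedule(INVENTORY, NOW).items():
        print(f"{name:14} {action:22} {start or '-'}")
```

The MRI console skips its first two-hour window because patch plus rollback needs three hours, and the nurse station is escalated because only one hour of its window remains.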

Why not just UPGRADE

While a panacea doesn’t exist for the challenges in patching healthcare systems, there are efforts underway to help address the issue. The Universal PatchinG and Remediation for Autonomous DEfense (UPGRADE) program is a $50 million initiative launched by the U.S. Department of Health and Human Services (HHS) to develop autonomous cybersecurity tools for hospital environments (healthcareitnews.com).

UPGRADE is designed as a comprehensive software suite intended to enhance hospital cyber-resilience by proactively assessing, detecting, and mitigating potential vulnerabilities across medical equipment networks. This platform aims to integrate various technical tools and strategies—like high-fidelity digital twins of hospital equipment, automated detection of software vulnerabilities, and automatic deployment of security patches—to ensure a scalable and tailored approach to cybersecurity in healthcare settings. Essentially, UPGRADE will act as a centralized, autonomous solution that streamlines the process of securing hospital IT environments against cyber threats. At least that is the goal.

Some of the key objectives of UPGRADE:

  • Create a vulnerability mitigation platform: Develop a software suite for hospital cyber-resilience, enabling proactive evaluation of potential vulnerabilities and automatic procurement or development of remediation.
  • Develop high-fidelity digital twins of hospital equipment: Create digital replicas of hospital equipment to simulate and test security updates, ensuring minimal downtime and disruption to hospital operations.
  • Rapidly detect software vulnerabilities: Develop methods to rapidly detect software vulnerabilities and confidently develop defenses for each.
  • Automate patch deployment: Enable the automatic deployment of patches and updates to hospital devices, reducing the time from vulnerability detection to patch deployment from weeks or months to days.

The benefits of UPGRADE:

  • Improved hospital cybersecurity: UPGRADE aims to reduce the risk of cyberattacks and data breaches in hospitals, ensuring the continuity of patient care and protecting sensitive patient information.
  • Increased efficiency: The program’s autonomous tools will streamline the patching process, reducing the time and resources required for manual updates and minimizing downtime.
  • Enhanced patient care: By ensuring the security and integrity of hospital systems and devices, UPGRADE will help maintain the trust and confidence of patients and healthcare providers.

Partnerships and Collaborations:

  • HHS and ARPA-H: The program is spearheaded by the Advanced Research Projects Agency for Health (ARPA-H), a division of HHS.
  • Hospital IT staff, equipment manufacturers, and cybersecurity experts: The program will bring together experts from these fields to develop and implement the UPGRADE platform.

Timeline:

The UPGRADE program is currently in the proposal submission phase, with a forthcoming solicitation expected to be released soon. It is seeking performer teams to submit proposals on the development of various technical areas, meaning that the initiative is still in the early stages of development.

You can find out more information about the program here: https://arpa-h.gov/news-and-events/arpa-h-announces-program-automate-cybersecurity-health-care-facilities

While the healthcare sector faces an extensive uphill battle against attackers, including underfunded IT infrastructures and a dire need for cybersecurity expertise, initiatives like the HHS UPGRADE program offer a beacon of hope and show that there is attention being placed on the problem. UPGRADE promises to bolster hospital defenses by automating the detection and remediation of cybersecurity threats, effectively reducing the window of vulnerability. However, like most things in cybersecurity, there needs to be a broader approach to securing the healthcare systems. Alongside the UPGRADE program, fundamental security practices such as improved digital hygiene and enhanced awareness among healthcare professionals play a crucial role in safeguarding sensitive medical information. Together, these efforts can create a more secure and resilient healthcare system.
