Healthcare organizations are easy targets for cyberattacks because they continue to use outdated software and do not patch vulnerabilities promptly. This problem was evident in the WannaCry ransomware attacks of May 2017; U.S. healthcare providers were lucky to have escaped, unlike their counterparts in the U.K. Symantec recently reported on a threat group that has been attacking the healthcare industry for 3 years now and accessing sensitive information. It is the continued use of outdated software that makes it easy for attackers to move laterally within a network.
Action must be taken to stop attackers from exploiting the vulnerabilities in unpatched, outdated and unsupported operating systems. The cyberattacks will not stop unless industry players do something. While options to upgrade systems are available, many healthcare providers still choose legacy software and equipment, do not remediate vulnerabilities and fail to patch systems promptly.
Steps are being taken to resolve medical device security, but progress is slow. The U.S. Food and Drug Administration plans to require manufacturers to include a feature that updates devices throughout the life cycle of the product. This will certainly help keep new devices updated, but what about the old devices? Healthcare organizations that use old software and outdated equipment are very vulnerable, and unfortunately there is very little that can be done. It is possible to update devices and software, but managing the vulnerabilities is costly and challenging.
Before healthcare providers choose to upgrade systems and remediate vulnerabilities, they typically do a cost-benefit analysis. If updating and maintaining devices entails a very high cost and there are no other alternatives, they simply accept the risks associated with using the devices. Another negative impact of continually updating old devices is the lost time and resources that could have been used to develop new and advanced devices or treatments.
The U.S. House Energy and Commerce Committee knows about the problem, and the committee is talking to industry stakeholders to help tackle the issue and improve cybersecurity. One cybersecurity professional estimated that an organization may spend $400 to $4,000 to fix just one vulnerability. What if more than one vulnerability needs to be fixed? It is going to be a very costly and daunting task.
The House Committee on Energy and Commerce is requesting feedback on this issue from the healthcare industry stakeholders and other people until May 31, 2018.