Editor's Note: This article was originally published in 2024 and has been updated to include EU Action Plan information.
Healthcare organizations are extremely vulnerable to cyberattacks: the sector averaged 1,463 attacks per week in 2022, up 74% from the previous year (i). In addition, healthcare has borne the highest cost of data breaches of any industry for the 12th consecutive year (ii). The potential impact of a cyber incident is not just financial; it can be fatal (iii).
Hospitals and healthcare providers are targeted for several reasons. First, they are attractive targets because attackers seek the notoriety of claiming to have shut down such a critical facility. Healthcare data is also in high demand on the dark web, where it commands a large sum of money.
Another major reason hospitals are targeted is that they run a large operational technology (OT) environment with thousands of entry points. On the medical side there is a huge range of equipment, from MRI machines to ventilators. On the building side there are assets such as fire and life safety systems, HVAC, and access control. This vast number of assets presents a much larger attack surface than in most other industries. Furthermore, many of these systems run on legacy platforms and are susceptible to exploitation.
In 2023, EU countries reported 309 significant cybersecurity incidents in the healthcare sector, more than in any other critical sector. These cyberattacks can delay medical procedures and disrupt critical services. In response, the European Commission has announced a new EU action plan focusing on:
1. Enhanced prevention of cyber threats through improved preparedness measures
2. Better detection and identification of threats, with close to real-time alerts
3. Minimizing the impact of cyberattacks to limit further damage
4. Deterring cyber threat actors using tools such as the Cyber Diplomacy Toolbox
It also proposes establishing a pan-European cybersecurity support centre to provide customized guidance, tools, services and training to hospitals and healthcare providers. These measures aim to ensure the resilience and security of healthcare systems across Europe, protect patient care, and maintain the integrity of critical health infrastructure. By implementing these comprehensive strategies, the EU aims to build a robust defense against cyber threats, ensuring that health services remain uninterrupted and safe.
In response to this growing threat, the U.S. Department of Health and Human Services (HHS) published a concept paper (iv) in 2023 introducing new measures designed to protect the sector from cyberattacks.
These measures include:
1. Establish voluntary cybersecurity performance goals for the health sector to help healthcare organizations prioritize cybersecurity practices.
2. Provide resources to encourage and implement cybersecurity practices, such as establishing upfront investment programs to support providers in need.
3. Implement an HHS-wide strategy to support greater enforcement and accountability, including the possibility of increased financial penalties for HIPAA violations.
4. Expand and mature the one-stop shop for healthcare sector cybersecurity within HHS to improve HHS incident response capabilities.
The aim is to prevent breaches by better equipping hospitals with cybersecurity education and resources, and by strengthening HHS enforcement.
A major security gap in many hospitals is lack of awareness. Staff may assume an OT system is safe when it is not. For example, a system may be described as air gapped, meaning it is not connected to the internet, but most such systems still need to be patched or updated periodically. In practice this may mean the system is connected to the internet once a month to download patches and updates, so it is not actually air gapped.
Even when patches and updates are delivered via USB, these OT systems are still not necessarily safe. The 2024 Honeywell USB threat report found that 51% of the malware discovered was designed for USB (v). Another risk is that many cyberattacks come through third parties, such as vendors who are authorized to perform maintenance and upgrades on OT systems. This opens the door to yet another threat.
There is pressure on healthcare organizations to strengthen their systems against cyber threats and implement the necessary control and defence measures. Here are the top three steps to take to get started.
1. Create an incident response plan. This is essential for quick recovery if a hospital suffers downtime or if critical equipment such as ventilators and HVAC systems is targeted by a cyberattack. Without a plan, hospitals cannot resume operations quickly and efficiently or ensure that patients and staff are safe. The plan should be tested using tabletop exercises.
2. Maintain a complete asset inventory with vulnerability management and threat detection. In reality, most OT and control systems have IP connectivity: HVAC, energy management, security, access control, video/closed-circuit television, patient monitoring, fire systems, medical devices, and other IoT devices. However, in many cases hospitals do not monitor or manage these connections for cyber threats as closely as they do their enterprise IT systems. In most cases they are not even aware of all the devices on the OT network. It is essential that hospitals know exactly what is in their environment, across both their enterprise IT and OT networks.
3. Work with a trusted partner. Securing operational technology is a complex task at the intersection of engineering and cybersecurity. It requires knowledge of the underlying devices, control systems, and proprietary protocols present in the environment, combined with cybersecurity technology and the skills required to implement the controls that reduce risk. For this reason, healthcare organizations need secure-by-design products, an understanding of the underlying technology, and trusted partners and vendors with cybersecurity experience who can help them achieve their risk reduction and compliance goals.
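The second step above, knowing every device on the OT network and whether each one is behaving as the inventory says it should, can be checked mechanically, and the same check catches the situation described earlier where a supposedly air-gapped system quietly goes online for patching. The following Python script is an added example (not Honeywell's code and not part of the original article): it reconciles a constructed asset inventory against a constructed flow log, flagging devices on the OT segment that are missing from the inventory, assets marked air gapped that reach addresses outside the hospital's internal ranges, assets whose last patch is older than a threshold, and inventoried assets that were never observed on the wire. All addresses, device names, dates, the address plan and the key=value log format are hypothetical.

```python
"""Reconcile an OT asset inventory against observed network flows (hypothetical example)."""
import ipaddress
import re
from datetime import date

# Constructed OT asset inventory: hypothetical names, addresses and patch dates.
INVENTORY = {
    "10.20.1.7":  {"name": "ventilator-icu-03", "zone": "medical",  "air_gapped": False, "last_patched": date(2024, 1, 15)},
    "10.20.1.12": {"name": "mri-suite-a",       "zone": "medical",  "air_gapped": True,  "last_patched": date(2022, 6, 1)},
    "10.20.1.20": {"name": "infusion-pump-12",  "zone": "medical",  "air_gapped": False, "last_patched": date(2024, 2, 10)},
    "10.20.2.5":  {"name": "hvac-ahu-2",        "zone": "building", "air_gapped": False, "last_patched": date(2023, 11, 2)},
    "10.20.2.9":  {"name": "fire-panel-east",   "zone": "building", "air_gapped": True,  "last_patched": date(2023, 9, 20)},
}

# Hypothetical address plan: the OT segment, and every range the hospital treats as internal.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_PATCH_AGE_DAYS = 180

# Constructed flow records in a simple key=value format (not any real product's log format).
FLOW_LOG = """\
2024-03-01T02:14:05Z src=10.20.1.7 dst=10.20.1.1 dport=502 proto=tcp
2024-03-01T02:14:09Z src=10.20.1.12 dst=203.0.113.10 dport=443 proto=tcp
2024-03-01T02:15:30Z src=10.20.3.44 dst=10.20.1.7 dport=102 proto=tcp
2024-03-01T02:15:41Z src=10.20.3.44 dst=10.20.2.5 dport=47808 proto=udp
2024-03-01T02:16:02Z src=10.20.2.5 dst=10.20.2.1 dport=47808 proto=udp
2024-03-01T02:17:11Z src=10.20.2.9 dst=10.20.2.1 dport=47808 proto=udp
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped rather than crashing the run."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            flows.append(rec)
    return flows


def is_external(ip_str):
    """True when the address lies outside every range the hospital considers internal."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETWORKS)


def reconcile(inventory, flows, today, max_patch_age_days=MAX_PATCH_AGE_DAYS):
    """Return (severity, ip, message) findings comparing what was seen with what is inventoried."""
    findings = []
    seen = set()
    reported_unknown = set()
    for f in flows:
        src = f["src"]
        seen.add(src)
        # An OT-segment source that the inventory does not know about is the classic blind spot.
        if ipaddress.ip_address(src) in OT_NETWORK and src not in inventory and src not in reported_unknown:
            reported_unknown.add(src)
            findings.append(("high", src, "unknown device talking on the OT network"))
        asset = inventory.get(src)
        # An asset documented as air gapped must never be seen reaching outside the hospital.
        if asset and asset["air_gapped"] and is_external(f["dst"]):
            findings.append(("critical", src,
                             f"air-gapped asset {asset['name']} reached external host {f['dst']}:{f['dport']}"))
    for ip, asset in inventory.items():
        age = (today - asset["last_patched"]).days
        if age > max_patch_age_days:
            findings.append(("medium", ip, f"{asset['name']} not patched for {age} days"))
        # Inventoried but silent: either decommissioned, moved, or monitoring does not cover it.
        if ip not in seen:
            findings.append(("info", ip, f"{asset['name']} is inventoried but was not observed"))
    return findings


def run(today=date(2024, 3, 1)):
    """Run the reconciliation over the constructed data; the date is fixed to match it."""
    return reconcile(INVENTORY, parse_flows(FLOW_LOG), today)


if __name__ == "__main__":
    for severity, ip, message in run():
        print(f"[{severity.upper():8}] {ip:12} {message}")
```

In a real deployment the inventory would come from the asset management system and the flows from a passive network sensor or switch telemetry; the point of the exercise is that the "unknown device" and "air-gapped asset went online" findings are only possible once the inventory exists and the OT segment is actually being watched.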
Honeywell is uniquely positioned to help healthcare organizations comply with new regulatory requirements and mitigate cybersecurity risks. Drawing on over 50 years of automation experience and millions of installations around the world, Honeywell understands the attack surface healthcare organizations operate and what is needed to reduce it. It has delivered over 7,000 cyber projects in over 130 countries, with a broad portfolio of solutions and services including cyber assessment, incident response, patch management, network monitoring, endpoint security, and more.
Talk to one of our experts today to learn how Honeywell can help improve cybersecurity in your healthcare organization.
(i) Check Point Software, 2023 Security Report, highlighting the rise in cyberattacks and destructive malware, February 8, 2023 (accessed March 1, 2024)
(ii) UpGuard, How Much Does a Data Breach Cost in 2023?, October 25, 2023 (accessed March 1, 2024)
(iii) Wired, The Untold Story of a Cyberattack, a Hospital and a Dying Woman, November 11, 2020 (accessed March 1, 2024)
(iv) U.S. Department of Health and Human Services, Healthcare Sector Cybersecurity, December 2023 (accessed March 1, 2024)
(v) Honeywell Forge, Honeywell GARD USB Threat Report 2024 (accessed February 1, 2024)