A cyberattack that shut down critical systems at Brno University Hospital, a large COVID-19 testing facility in the Czech Republic, was one of the earlier and more visible instances of healthcare cyber-crime during the pandemic, but it was far from the last. As has been widely reported, cyberattacks, including attacks on health systems, have risen alarmingly during the pandemic crisis, revealing the proclivity among cyber-criminals to strike when institutions and individuals are at their most vulnerable.
As a result, the pandemic has thrust hospital cybersecurity into the spotlight with heretofore-unseen urgency. Indeed, data show a direct correlation between pandemic milestones and rates of cyber-crime. Computer World reported, for example, that cyberattacks rose 48% on January 30th, the day the U.S. announced its first case of COVID-19.
In a recent blog post on our hospital resilience blog series, we named enhanced cybersecurity as one of the key strengths healthcare providers will need to prepare themselves for future challenges and threats. We noted that health systems tend to focus cybersecurity efforts on IT systems, including patient data and financial information. Although these areas obviously warrant ongoing and serious attention, we encourage health systems to incorporate cybersecurity for their operational technology systems into an overall cybersecurity strategy as well.
A Cybersecurity Strategy that Builds Resilience
A cohesive, holistic approach to cybersecurity that encompasses all aspects of IT and OT, working seamlessly in partnership, is, in our view, the most intelligent way for hospitals to develop the resilience needed to ward off unwanted intrusion by bad actors and protect their institutions, including not only patient protected health information, financial data and medical devices, but also the entirety of their internet protocol-enabled building infrastructure.
IT and OT have traditionally existed in separate silos. This is no longer the case, as building management systems have become smarter and the integration of IT and OT data catalyzes this broader intelligence. This phenomenon, known as IT-OT convergence, also makes building management systems more vulnerable to cyberattack.
According to a recently published monograph by the American Society for Healthcare Engineering, building system components are “potential cyber penetration points that must be considered with care.” Hence, the need for a cybersecurity strategy informed by an understanding of the implications of IT-OT convergence.
The Importance of Vendor-Agnosticism
In our view, this strategy is best achieved with vendor-agnostic solutions that support IT and OT at the system life-cycle level, rather than a jumble of vendor-specific products that can end up increasing exposure rather than mitigating risk. It should also be based on infrastructure that has cybersecurity embedded in it by design and that meets all current standards, including HIPAA.
This vendor-agnosticism is among Schneider Electric’s differentiators as a healthcare cybersecurity partner. Many of our clients simply want a cybersecurity provider that understands how to bring IT and OT together. We use cybersecurity controls that can be found in IT, but implement them in a manner that also understands the priorities of OT and the exceptions required to maintain operational compatibility.
EcoStruxure for Healthcare can help hospitals navigate the complexities of IT-OT convergence and implement a holistic cybersecurity strategy that seamlessly fuses the needs of both realms. To learn more about our cybersecurity consulting services, please visit our website.