Healthcare is the most targeted yet least prepared sector in the U.S. when it comes to cyberattacks, according to a report from the Institute for Critical Infrastructure Technology.
"Both providers and payers devote the majority of their resources to fulfilling their mission," the report's authors say. "Sadly, attackers have seen this selfless dedication to human life as a sign of weakness."
Government and healthcare organizations manage complex, layered infrastructure whose gaps give attackers access to sensitive data, the authors say. Compounding this, the technology in use is often no longer supported by its manufacturer, which leaves further unpatched vulnerabilities. The authors cite the Office of Personnel Management hack, which put the information of about 4 million federal employees at risk, as one example of malicious actors taking advantage of this.
The Internet of Things also creates a massive attack surface, the report's authors say.
Accordingly, they advocate mandated penetration testing of medical devices both before and after release. This will not stifle innovation, they say, but will demand greater innovation to identify and patch vulnerabilities.
"A cybersecurity-centric culture must demand safer devices from manufacturers, privacy adherence by the healthcare sector as a whole and legislation that expedites the path to a more secure and technologically scalable future by policy makers," the authors write.
The U.S. Food and Drug Administration, which critics have called "a toothless dragon" on medical device security, just issued draft guidance on postmarket cybersecurity of medical devices. In October 2014 it outlined how medical device makers should address cybersecurity risks in the premarket design of their products.
To learn more:
- here's the report (.pdf)