A recent cyberattack forced a healthcare organization to cancel non-emergency surgeries and send some emergency patients to other facilities. In another attack, a hospital took it’s critical systems offline, impacting patient safety, requiring less efficient care methods, which also increased labor demands. It’s still impacted two years later. Cyberattacks on hospital and healthcare facilities increased significantly in 2022:
- Healthcare organizations across the world averaged 1,463 cyberattacks per week in 2022, up 74% vs. 2021
- US healthcare organizations averaged 1,410 weekly cyberattacks per organization, up 86% vs. 2021.
Other statistics of note includes:
- 53% of hospital connected devices are at risk of a cyberattack (Cynerio)
- 24% of respondants (Ponemon Institute 2021) and 53% of respondents (Cynerio and Ponemon Institute 2022 ) noted an increase in mortality rate following a cyberattack
Building management systems (BMS) are critical to the operation of hospitals and healthcare facilities, as they control HVAC, lighting, security, access control, elevators, and other key building systems. BMS are also vulnerable to cybersecurity threats, including:
- Physical Security Breaches: Physical security breaches can occur when unauthorized individuals gain access to the hospital BMS equipment, such as through theft, tampering, or social engineering. Physical access to BMS equipment can enable cybercriminals to compromise the system and disrupt building operations, including impacting patient care and safety.
- Malware Attacks: Malware can be introduced into the BMS through phishing attacks or by other means. Malware can disable the system or grant unauthorized access to cybercriminals, allowing them to control or disrupt the building systems.
- Remote Access Exploitation: BMS equipment is often accessible via remote access, either by authorized personnel or third-party vendors. Cybercriminals can exploit vulnerabilities in remote access systems to gain unauthorized access to the BMS and potentially disrupt facility operations or impact patient care.
- Distributed Denial of Service (DDoS) Attacks: DDoS attacks can overwhelm the hospital BMS with traffic, causing the system to become unresponsive and potentially shut down critical building systems.
- Insider Threats: Insider threats can come from employees, contractors, or third-party vendors with access to the hospital BMS. These threats can be intentional, such as employees intentionally tampering with the BMS, or unintentional, such as employees accidentally causing system disruptions.
Overall, hospitals and healthcare facilities must ensure that their BMS are protected from cybersecurity threats to prevent disruptions to building operations and to ensure the safety of patients and staff. Traditional approaches to implement cybersecurity measures, include physical security controls, malware detection, and monitoring for unusual activity. A newer approach, based on a NIST-compliant Zero-Trust framework, enables protecting building controls from unauthorized communication, creating secure tunnels between devices, and encrypting data in motion so that hackers are not able to gain any intelligence by sniffing network traffic between building controls. There are several key reasons why this is a better approach to securing BMS and BAS controls including purpose-built design for OT cybersecurity, real-time protection that stops cyberattacks, ease of implementation, speed of protection, and secure communication.