State of CPS Security Report

We have been conditioned as an industry to equate healthcare cybersecurity with data privacy. The Health Insurance Portability and Accountability Act (HIPAA) has been the impetus for this approach for 27 years by zeroing in on the protection of personal patient information and enacting privacy and security rules aimed at keeping such data confidential.

For its time—especially as data breaches ran wild in the early 2000s— that strategy was sufficient as the totem for healthcare-related cybersecurity. Today, disruption to the availability of connected medical devices can severely impact patient care and quality of life. Moving forward, as more connected medical devices and patient systems come online, we expect to see a rising tide of cyberattacks focused on disrupting hospital operations.

In Team82’s first “State of CPS Security Report: Healthcare 2023,” we examine these cybersecurity challenges to patient safety. Our aim is to demonstrate the broad connectivity of critical medical devices—from imaging systems to infusion pumps—and describe the implications of their exposure online. Vulnerabilities and implementation weaknesses frequently surface in our research, and a direct line can be drawn to potentially negative patient outcomes in each of these cases.