Why IoT is the backbone of ransomware in hospitals 🚨
Connected devices generate data...and attacks
Hello and welcome to Careviser by Marie Loubiere, the weekly newsletter that cuts through the healthcare noise with a single focus: productization of the latest research and tech breakthroughs.
The number of cyberattacks in hospitals has been growing tremendously in the past few years. Hospitals are getting more and more vulnerable as they add more connected devices to their infrastructure. When an attacker takes control of a respirator, the impact on patients can be dramatic.
Crisis Standards of Care: Cyber Attack During a Pandemic, Hana Akselrod, Annals of Internal Medicine
🗝️ Why it matters: Cyberattacks against hospitals have become more and more common. They can be deadly and paralyze medical devices, EMR, communication solutions... Attackers know that hospitals are likely to pay ransom to regain control of their infrastructure.
🔎 The article: In the midst of the COVID-19 pandemic, Universal Health Services (a network of hospitals and clinics in the US) was the target of a successful ransomware attack called “The Ryuk”. Providers were not able to access the EHR, the operating room scheduling software, or electronic device monitoring. They had to rely on pen, paper, and phone calls to coordinate care and access crucial information about patients. They could only receive COVID-19 test results verbally, and a miscommunication led to the unfortunate exposure of a team.
✅ Findings: Hospitals are not only a profitable target for cyberattacks, but they are also particularly vulnerable:
Many software systems are interconnected, meaning that when one system is down, the entire tech platform of a hospital can be down
Many hospitals have under-invested in IT: they are lagging behind (remember the “WannaCry” ransomware in the UK on NHS hospitals whose OS was an outdated version of Windows XP in...2017!)
Updating software is tricky: beyond the simple financial cost, systems are interconnected with devices and custom apps that have been built over the years and are hard to maintain
🚀 Opportunities ahead: there is room to build a new wave of cybersecurity solutions that are tailored to the specifics of hospitals and medical practices.
Scope Security was founded two years ago as a holistic cybersecurity software solution for healthcare. They claim to detect attacks on:
IT systems (e.g., phishing)
Clinical systems (medical devices)
EHR
Once an attack is detected, they warn IT teams, who can then stop it. Their founder is an experienced healthcare/device security expert, formerly Director of Product Development Security at GE and Chief Security Officer at Lookout. They seem to have raised a small round. However, they do not share customer success stories on their site, nor do they have a dedicated sales team. It seems too early to tell whether they have achieved traction.
In 2017, a wave of startups tackling the medical device security industry was born: Asimily, Cylera and Cynerio.
🤯 The problem: Medical devices are the Achilles’ heel of hospitals. A lot of them are connected to the overall network and they rely on ancillary proprietary firmware. They are also pretty close to the patient, so a device that fails can endanger the patient.
🤗 The solution:
The three companies created an IoT cybersecurity platform that tracks all devices and assesses existing risks. They then help hospital biomedical and IT teams mitigate them by segmenting the risk profile of devices.
There are also operational use cases on top of the cybersecurity ones: monitoring devices in real time makes it possible to calculate the ROI of each device and potentially to increase their utilization rate.
📈 The traction: Medical device firmware and operating systems don’t offer APIs. In order to integrate them into their offering, cybersecurity companies need to partner with device manufacturers.
Cylera shows the widest range of partners on their website. They also raised a US$10m Series A a few months ago with investors such as Maverick Ventures. They have a small sales team but have not shared any customer success stories publicly.
Cynerio is actively hiring several people for sales and SDR roles. They raised a US$7m round in 2019.
Asimily has a smaller team with fewer salespeople. They raised US$3m last year.
That’s a wrap for today! Don’t hesitate to reply to this email with comments. I read and answer all emails :)