The digital healthcare evolution is leading to more and more highly innovative medical technology that helps to drive efficiency and patient outcomes. Machine Learning has hugely changed clinical decision support, while digital transcription applications are saving physicians hours of pajama time each week in record keeping (and at private hospitals helping them to get paid). AI has revolutionized medical imaging, allowing for lower patient radiation dosages to be used and AI recognition of cellular mass changes vastly improving early identification of cancer and other medical conditions.
BUT this technology also adds to and expands the cyber attack surface. A proliferation of AI based medical applications and a tsunami of medical and other IoT devices is making security almost unmanageable across our hospitals. And that is before you even consider the exponential growth of personal health sensors, interactive devices, and mHealth initiatives or the portalization of physician-patient secure messaging, appointment bookings and the secure posting of lab results.
While the odds were already stacked against hospital security defenders, the imbalance today is truly disproportionate. Whether the adversary is a highly organized and well-funded mafia crime syndicate, or a state-funded, sponsored, and trained offensive cyber military unit within the Russian GRU (Glavnoye Razvedyvatelnoye Upravlenie), its military intelligence directorate, this is now a David versus Goliath problem: a well-equipped army of thousands of professional attackers against a minuscule group of hospital security defenders.
In 2026 you no longer need to make an appointment to see your primary care physician (PCP) to have him or her share your latest test results. In many cases the data is posted long before the physician's office will ever call you to let you know the results, or to book an appointment with your PCP to walk you through them. Simply feed your lab results into Google or a growing host of AI medical assistants, and patients can receive instant medical advice - even if that advice deviates towards the mean, as all AI systems tend to do.
While this is a global healthcare concern, the Gulf is seeing perhaps one of the world's most accelerated and dramatic expansions and modernizations of healthcare services, with hundreds of new systems and applications connected to medical networks every week, and new hospitals and clinics sprouting up in almost every community. There is a revolution occurring here, but neither governments nor providers are prepared.
The pace of technology adoption has outpaced the implementation of security tools and controls needed to protect that new technology from growing cyberattacks and data breaches. Some of this is plainly the result of the frenetic pace of adoption of new innovative tech and inadequate time or resources for security teams to keep up. But an increasing aspect of this "maturity gap" comes down to the out-of-date way in which technology and cybersecurity are perceived by executive healthcare leaders and government ministers. Rather than being seen as an integral part of the solution, an enabler of fantastic new medical services that will revolutionize patient care, they are seen as "a cost of doing business" or an "overhead" - a necessary evil to host these new AI systems and applications, and this is perhaps why the maturity gap exists between our adoption of new technologies and the security needed to safely deploy and use those technologies.
BUT the stakes are getting higher. What used to be the hospital security team defending against cyber attacks by simple criminal perpetrators out to steal and monetize PHI, has transformed into international terrorism and cyber extortion when hospitals are held to ransom - even though ransom payments are explicitly outlawed across an increasing number of countries for any critical national infrastructure (CNI) industry, many of which are owned and operated by national governments themselves.
The intent of at least some of these attacks, however, is not to monetize a foothold, but to inflict damage and disruption on a population, or to exact retribution against that country's government for its support for Ukraine and its defense of its land and people. Ransom and other extortionary attacks are increasingly being used as part of Putin's grey or hybrid warfare against other countries. Many of these attacks unfortunately target hospital systems, which are a soft target with high population impact. Just last week, the conference heard, Polish hospitals and municipal water treatment systems were targeted in new cyber attacks, ostensibly conducted by Russian criminal groups, frequently used as proxies by the Kremlin to inflict maximum damage and disruption. Indeed, Russia's vast array of organized crime groups is allowed to operate with near impunity from prosecution in return for 'favors' to the government and a share of the spoils. The Kremlin is then able to claim 'plausible deniability' for criminal acts that it has ordered against other countries as part of its hybrid warfare campaigns.
Hospitals typically have small generalist teams of cybersecurity personnel and often out-of-date technology tools with which to defend patients and health IT systems from attack. In fact medical providers are often forced to use out-of-date and end-of-life IT equipment because of inadequate IT investment and the difficulty of upgrading or replacing health IT systems that are in constant use. This is not just a security problem for providers, but chiefly a technology problem of out-of-date systems and applications many of which are rarely ever patched or updated.
This includes a huge and growing number of medical IoT devices that already make up 75% of connected IP assets across hospital networks. Many of these have a 15 or 20 year amortization schedule and many have underlying embedded operating systems based upon long out of support Microsoft operating systems, with a massive number of known and published exploits. While microsegmentation of these devices helps, many providers currently have little to no idea of what actually connects to hospital networks because of fragmented ownership, inadequate tools and poor visibility. Nor do they have an easy way to microsegment 'at-risk devices'. At the same time, providers are adding medical and other IoT systems to their networks each and every month, compounding existing problems.
Providers of medical services therefore face a multi-dimensional threat scenario: a sprawling attack surface, out-of-date and end-of-life internal IT & IoT systems, inadequate visibility of their own networks, and highly capable and motivated adversaries that have them out-gunned and out-matched at every corner.
Plainly there is an increased need for national governments to become more actively involved in the cyber defense of CNIs, and especially healthcare providers, where attacks result in increased patient morbidity and mortality. Only governments have the resources and legal mandates to take on today's cyber perpetrators, and to do what it takes to defend their citizens from increasingly crippling hybrid warfare attacks from failing states. As yet, however, governments have by and large chosen to play a low-key role in the direct defense of their CNIs for fear of escalation. As the number of citizens killed in hybrid cyber attacks slowly increases, that approach will likely be questioned.
These were just some of the topics of discussion at this year's WHX Dubai conference, where healthcare leaders from across the world gathered to put forward suggestions and recommendations for improving patient care, safety and outcomes through smart security.
Joining me on stage at this prestigious event were Professor Attila Hertelendy, Ph.D., Mike Fell, Charles Aunger and Zekeriya Eskiocak to share their vast knowledge and experience.






















