Rob Suárez, HCISPP, Chief Information Security Officer for BD
The health care industry continues to face escalating cybersecurity threats¹. To protect our customers and patients, BD is on a journey to continuously improve cyber defenses and resilience. This includes regularly assessing how cybersecurity controls are performing, conducting cyber preparedness exercises and empowering customers with information about cyber risks and vulnerabilities. Simultaneously, we look ahead to anticipate emerging risks and threats. In 2023, we expect the following cybersecurity trends to continue:
- Threat actors will employ increasingly sophisticated techniques. The threat landscape in health care is expanding and increasing in complexity with greater adoption of connected and digital solutions. Threat actors are also using more sophisticated techniques in their attacks. Examples include leveraging a model known as ransomware-as-a-service (RaaS), removing system backups to complicate data restoration and encrypting servers that house critical data²,³. BD proactively monitors for suspicious activity, including phishing attacks, malware and ransomware attacks, insider threats and human error. In 2022, our global cybersecurity operations center blocked an average of 114 million intrusion attempts per month. We also maintain strategic resilience measures, including secure backups, and we regularly collaborate with government and industry leaders who share real-time threat intelligence. This helps us address emerging risks and threats even as threat actors adjust their tactics.
- Health care providers will expect greater transparency. BD was one of the first medical technology companies to develop a mature vulnerability disclosure program in accordance with the U.S. Food and Drug Administration (FDA) Postmarket Management of Cybersecurity in Medical Devices guidance. Today, BD is authorized as a Common Vulnerabilities and Exposures (CVE®) Numbering Authority by the CVE Program, and we work closely with the Cybersecurity and Infrastructure Security Agency (CISA) on vulnerability disclosures that are published on the CISA website and the BD Cybersecurity Trust Center in a coordinated fashion. We also share our vulnerability disclosures with the Health Information Sharing and Analysis Center (H-ISAC) to maximize awareness. Customers expect this transparency, and I believe we will see a higher demand for it throughout the industry in 2023.
In addition, the industry is moving toward greater software bill of materials (SBOM) visibility. This year, BD will begin utilizing machine-readable SBOMs in our processes. This will help us to more efficiently determine whether BD products and systems are impacted when zero-day vulnerabilities emerge in third-party software components. This increase in efficiency matters because cybercriminals scan for vulnerable attack surfaces within minutes when new vulnerabilities are announced⁴.
- Impactful collaborations will enhance cybersecurity across the industry. In addition to taking steps to protect BD, our customers and patients from cybersecurity threats and risks, we also seek to contribute to and learn from the broader community. BD collaborates with customers, government agencies, cybersecurity working groups, security researchers and fellow medical device manufacturers to advance cybersecurity in health care. We often refer to cybersecurity as a team sport. Coming together to tackle common challenges and address emerging threats is even more valuable in health care because we are not just protecting systems and data. We are protecting patient safety and privacy. Effective collaboration accelerates outcomes and helps us advance the industry’s cybersecurity posture, which serves to further safeguard customers and patients.
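As an added illustration (not BD's code or process), the sketch below shows the kind of lookup a machine-readable SBOM enables: given an advisory for a third-party component, find which products ship an affected version. It assumes CycloneDX-style JSON; the product names, the component `examplelib` and the advisory ID are constructed.

```python
import json

# Constructed advisory for a hypothetical third-party component.
# Affected range is introduced <= version < fixed.
ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "component": "examplelib",
            "introduced": "1.2.0", "fixed": "1.4.3"}

def bom(components):
    """Build a minimal CycloneDX-style document (constructed sample data)."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": components})

# Constructed SBOMs keyed by hypothetical product name.
SBOMS = {
    "pump-gateway": bom([{"type": "application", "name": "gateway-ui", "version": "3.0.0",
                          "components": [{"type": "library", "name": "examplelib",
                                          "version": "1.3.7"}]}]),
    "lab-analyzer": bom([{"type": "library", "name": "examplelib", "version": "1.4.3"}]),
    "dispensing-cabinet": bom([{"type": "library", "name": "examplelib",
                                "version": "1.3-vendor"}]),
}

def parse_version(text):
    """Return a tuple of ints for dotted numeric versions, else None."""
    parts = text.split(".")
    return tuple(int(p) for p in parts) if all(p.isdigit() for p in parts) else None

def walk(components):
    """Yield every component, including nested ones (CycloneDX allows nesting)."""
    for comp in components or []:
        yield comp
        yield from walk(comp.get("components"))

def triage(sboms, advisory):
    """Map product -> 'affected' | 'review' | 'not affected' for one advisory."""
    low, fixed = parse_version(advisory["introduced"]), parse_version(advisory["fixed"])
    result = {}
    for product, raw in sboms.items():
        status = "not affected"
        for comp in walk(json.loads(raw).get("components")):
            if comp.get("name") != advisory["component"]:
                continue
            ver = parse_version(comp.get("version", ""))
            if ver is None and status != "affected":
                status = "review"      # version not comparable: needs a human
            elif ver is not None and low <= ver < fixed:
                status = "affected"
        result[product] = status
    return result

if __name__ == "__main__":
    print(ADVISORY["id"], triage(SBOMS, ADVISORY))
```

The nested component and the vendor-suffixed version are included because both are common reasons an automated SBOM match silently misses an affected product.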
The coming year will bring increased connectivity as health care continues to expand into more care settings. Securing medical devices and protecting patient safety and privacy will demand consistent proactive and preventive controls, along with greater transparency and collaboration. To learn more about our approach to cybersecurity, read BD Publishes 2022 Cybersecurity Annual Report.
1. 2022 SonicWall Cyber Threat Report. SonicWall. https://www.sonicwall.com/2022-cyberthreat-report/. Published July 26, 2022. Accessed October 4, 2022.
2. Hive Ransomware. U.S. Department of Health & Human Services. https://www.hhs.gov/sites/default/files/hive-ransomware-analyst-note-tlpwhite.pdf. Published April 18, 2022. Accessed October 4, 2022.
3. Alert (AA22-187A): North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector. Cybersecurity & Infrastructure Security Agency. https://www.cisa.gov/uscert/ncas/alerts/aa22-187a. Published July 6, 2022. Accessed October 4, 2022.
4. Dinu C. Attackers Conduct a Vulnerability Scan Once Every Hour, New Research Reveals. https://heimdalsecurity.com/blog/attackers-conduct-a-vulnerability-scan-once-everyhour/. Published May 20, 2021. Accessed October 12, 2022.