
Protecting Healthcare and Public Institutions from Cyber Attacks with the Right Application Server


Cybersecurity in the public and healthcare sectors is a growing concern as cyberattacks become increasingly sophisticated and frequent. However, many existing vulnerabilities can be easily addressed to deliver more robust and resilient systems. Selecting a fully supported and patched application runtime eliminates known vulnerabilities that could otherwise be exploited, strengthening the security protections of healthcare and public infrastructures. Organizations can thus protect their businesses, patients, and citizens while improving their reputation and cost-effectiveness.

The engineering team behind the Payara Platform closely monitors incidents of cyberattacks on public and healthcare systems globally, particularly focusing on how to protect the mission-critical application infrastructure in order to support end users with a robust solution. Current trends indicate that the number of data breaches and cybersecurity attacks targeted at healthcare and public bodies’ systems is increasing. In particular, the Center for Internet Security found that malware attacks in 2023 increased by 148% compared to the previous year. According to the report, 2023 also saw a 313% rise in endpoint security services incidents, such as data breaches, unauthorized access, and insider threats.

Whenever such incidents occur, a cascade of consequences follows. For healthcare providers, the delivery of care can be delayed, putting patients' lives at risk. For state and local public offices, these incidents can threaten citizen privacy, disrupt government functions, and undermine confidence in governance.

In both cases, data safety is affected and organizations incur unpredictable expenses. While public sector costs for data breaches are relatively low, at USD 2.60 million per incident, healthcare reported the highest costs of all industries. The average cost of addressing a healthcare data breach is estimated at USD 10.93 million, a figure that has risen by 53.3% over the past three years.

The U.S. government’s Health Insurance Portability and Accountability Act (HIPAA) reported on the causes and costs of security breaches in healthcare. It also offered insight into why healthcare systems are particularly exposed to cyberthreats.

It states: “The healthcare industry is struggling to deal with increasingly sophisticated cyberattacks, although in many incidents cyber threat actors have exploited vulnerabilities that should have been identified and addressed long before they were found and exploited by hackers. Many healthcare organizations are failing at basic security measures and are not consistently adhering to cybersecurity best practices due to budgetary pressures, difficulty recruiting and retaining skilled IT security professionals, and confusion about the most effective steps to take to improve resilience to cyber threats.”

Similarly, when it comes to the United States' state, local, tribal, and territorial (SLTT) governments, "SLTT organizations reported not performing a number of cybersecurity activities or doing so only in an informal or partial manner", according to the Nationwide Cybersecurity Review: 2022 Summary Report.

Cyberattacks on public and healthcare systems occur because state and local governments, public offices, medical trusts, hospitals, and clinical and patient data are valuable targets that can be lucrative if ransom demands are met. Moreover, healthcare providers and government bodies are typically viewed by attackers as easy targets, since their system infrastructures contain a number of exploitable weaknesses. For example, when looking at application runtimes, production systems in these sectors often rely on legacy, unsupported, or outdated solutions. A typical example is organizations running production systems on the GlassFish Project or other open source technologies that lack commercial support and are not designed for mission-critical business applications and production environments.

In effect, neither offers the high level of protection needed to reduce vulnerabilities. This leaves a broad attack surface and ample opportunity for such vulnerabilities to be exploited by malicious actors.

While the current situation may seem dire, there are a number of existing solutions that healthcare organizations and public bodies can already leverage to enhance the security and regulatory compliance of their application servers and digital systems. Firstly, companies should migrate to a commercially supported and up-to-date application runtime.

The ideal solution should offer a variety of tools that support advanced encryption, authentication, authorization, verification, segmentation, and compartmentalization. In addition, it should quickly report critical security vulnerabilities as Common Vulnerabilities and Exposures (CVE) entries to users and public security databases, and make the relevant public disclosures. These activities help to swiftly identify and address vulnerabilities before they are exploited.

By establishing a solid relationship with an application server provider and its support team, healthcare organizations and government bodies can better protect their systems, data, citizens, and patients against the evolving threat landscape. Moreover, such a partnership can help streamline the application server migration process, cutting the associated time, cost, and resources while ensuring the performance and effectiveness of the software applications.

When looking for a suitable vendor, it is important to favor a provider with a strong security policy that releases frequent security fixes and upgrades for its products. For example, the Payara Platform Enterprise benefits from monthly releases. In addition, partnering with a specialist that adheres to key standards and specifications while contributing to cyber resilience technical working groups and task forces is highly beneficial.

Finally, protecting systems and businesses through a comprehensive service level agreement (SLA) is key to minimizing downtime and its associated costs. This agreement not only outlines the responsibilities and expectations for both parties but also includes provisions for regular maintenance, incident management, and penalties for non-compliance. By establishing these guidelines, organizations can ensure continuous operation, mitigate risks, and protect patients’ safety.

At Payara, we are dedicated to helping organizations deliver world-class applications through our fully supported Jakarta EE runtimes. We offer standards-based APIs and advanced security tools that are designed to protect application resources accessed by multiple users and data traveling across unprotected networks, such as the internet. In addition, we align with the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) and adhere to guidelines set by the Open Web Application Security Project (OWASP). Payara is also part of the Eclipse Foundation's Open Regulatory Compliance Working Group, which helps develop specifications that enable the Enterprise Java software development industry to meet regulatory requirements, such as those outlined in the EU Cyber Resilience Act (CRA).

Transparency and quick resolution of security issues are also paramount to us. We report CVEs to The MITRE Corporation and other public security databases. As a CVE Numbering Authority (CNA), we also help control the information published in the CVE index, ensuring quick identification, resolution, and transparent communication of security vulnerabilities.
