Healthcare: a complex industry with a need for strong cyber security
Share
by Fernando Guerrero B., OT Security Expert
Today more than ever, the healthcare industry is on the road to real digital transformation. In health centres, where patient treatment is urgent, there are many factors that need to be meticulously managed every hour of every day.
Medical records must have up-to-date and reliable data
Examinations and laboratory tests must not be duplicated (unless that is the physician’s order)
Laboratory test results must be available to medical staff as soon as possible
Prescriptions must be handled so that medications are distributed without failure
Testing devices (CT scans, x-rays, labs) need to run smoothly
Food has to be distributed to patients according to medical instructions
Surgeries must be planned taking into account hospital capacity.
In general, all systems, communications, devices, and even suppliers and subcontractors, must run like clockwork to ensure not only the well-being of patients, but also the safety of staff. And hospitals are just one element in the complex web of the healthcare industry. The supply chain also includes medical equipment manufacturers, pharmaceutical companies, rehabilitation institutes, research institutes, medical systems manufacturers, laboratories, basic service providers (electricity, water, telephone, internet) and many others, which make the protection of this industry even more difficult. In this context, digital transformation is indispensable, especially during the current pandemic. It is equally important to protect and secure all components of the medical supply chain, including and prioritising data from personnel and patients. In addition, it is necessary to consider and prioritise the regulatory framework and mandatory standards in each country and region for the entire supply chain.
What must be protected?
Undoubtedly, the lives of patients and the safety of medical and healthcare personnel are the first priority for protection. Fortunately, there have been no reported cases in the healthcare industry in which a life has been directly lost due to a cyber security incident. However, the possibility of this happening is latently present. The second priority, but also with very high importance, is confidentiality. It is necessary to guarantee at all times that only those who are authorised to know, for example, about a person’s medical history, biometric, genetic, and financial information, as well as the results of laboratory tests, have access to this data. We should not wait for more patient medical records to be leaked (like in this case in the United States [1]) to start increasing security in the industry. It is important to point out that security does not only mean specifying which data can leave a trusted perimeter, but also which data can enter, so as to avoid, for instance, the existence of malware that alters CTI or MRI images to include non-existent tumours. See this fascinating experiment conducted by researchers in Israel [2]. There is also a need to protect the 24/7 operation of the entire healthcare sector, especially emergency medical care centres. Having access to first-hand information in a timely manner is a critical factor for medical decision making and adequate disease treatment. In addition, the operability of medical equipment must be guaranteed at all times. Although internet-facing computers deployed in medical systems constitute a significant risk factor, unpatched legacy equipment and systems are more vulnerable to attacks, and therefore pose a higher risk of affecting day-to-day operations. It should be noted that information protection must be managed at all levels, including the intellectual property of drugs, vaccines and medical device architecture. Consider this recent example of an attack to one of the organisations associated with the cold chain of the COVID-19 vaccine [3] – demonstrating the need to improve the security levels of an industry that handles sensitive information and critical products. It is evident that adequate protection is not only crucial for the IT (Information Technology) environment of health system companies, but also for their OT (Operational Technology) environment.
Why do we need to cyber-protect the Healthcare industry?
Worldwide, there are regulations, standards and guidelines in various countries and at regional level related to:
The protection of information systems (e.g. NIS Directive, EU Cyber Act)
The protection of medical information (e.g. HIPAA)
Protection in the manufacture of medical equipment (e.g. MDR, and Cybersecurity for Medical Devices Guidance, Annex I)
Cyber security requirements for network-connected medical devices (BSI)
The number of legal instruments is growing due to the increasing threats to the supply chain, as well as improved awareness of cyber security and privacy amongst societies and governments. It should be emphasised that in many countries non-compliance with local regulations leads to significant administrative (financial) and even criminal liabilities, so compliance is not only good practice, but an obligation for company directors and security chiefs.
Fernando Guerrero B., OT Security Expert
“It is also necessary to take into account the risks faced by the industry. In recent months, there has been an increase in the number of phishing attacks [4], seeking to acquire credentials and circumvent security controls through deception. Similarly, there have been more ransomware attacks [5] (as we will explain in a subsequent article), which aim to hijack information for ransom. In addition, the medical records of twelve million patients have been leaked [6], which could be used fraudulently as they contain not only medical information but often provide a full digital fingerprint of a person, including credit card number, passport details, addresses and other personal data.”
How to improve cyber security in Healthcare?
The best way to protect the medical industry is by educating and preparing each of the stakeholders within this sector. A good example of this is the execution of transnational cyber security incident response exercises, such as CYBER EUROPE, which on this occasion is focused on the healthcare sector. Internal awareness programs are also a key pillar of cyber security, as they decrease the probability of successful phishing or ransomware attacks. Investing in cyber security is also an important point, not only at the level of healthcare facilities, but in all components of the supply chain. Some countries have already taken an important step in this direction. Germany is investing 3 billion euros for the digital transformation and cyber security of its healthcare sector through “Funds for the Future of Hospitals” [7]. The UK government will provide £500k for the healthcare sector to improve cyber security, especially for small and medium-sized organisations [8]. Additionally, the UK’s National Health Service (NHS) is collaborating with Imperial College London in an effort to improve cyber security in the healthcare sector [9]. Thanks to these examples and many others around the world, it is believed that between 2020 and 2025 around USD 125 billion will be invested in the healthcare industry worldwide [10]. This entire budget must be distributed in an orderly manner, addressing the most critical risks first, some of which were mentioned above. To this end, there are frameworks that aim to improve cyber security in companies through the prioritisation of controls and best practices based on risk analysis (e.g. NIST’s CSF, ANSSI’s CIIP, HITRUST, CIS, among others). These frameworks can also be supported by international security guidelines and standards such as “ENISA -Procurement Guidelines or Cybersecurity in Hospitals”, “ENISA- Baseline security recommendations for IoT”, IEC62443, ISO270001, ISO81001, IEC62304 and IEC 80001-1.
Fernando Guerrero B., OT Security Expert
“In this context, the most critical risks should form the basis of a Strategic Cybersecurity Plan which takes into account the business vision to prioritise the implementation of controls on critical assets in order to ensure continuous operation and delivery of services to patients.”
However, healthcare organisations need not wait for a complete cyber security overhaul before making efforts to protect information, medicines, medical staff and patients. For example, based on a comprehensive risk analysis, some healthcare entities are implementing an information security management system (ISMS), in order to improve their administration of security controls. There are others working on the segmentation of communication networks supported by traffic monitoring and incident response from a Security Operations Centre (SOC) in order to reduce the impact of possible attacks. There are also organisations that are centrally managing updates and patches to eliminate known vulnerabilities in their systems, while identity and access management is helping to prevent unauthorised access to information. Finally, some organisations are prioritising security copies and backup management to minimise the impact of a ransomware attack.
The way forward
Over the last 12 months, cyber security in the healthcare sector has become an increasingly urgent priority for many countries. This has been driven by the COVID-19 pandemic, and the consequences that cyber-attacks can have on peoples’ lives. We help companies in the healthcare sector to improve their security levels with comprehensive risk analysis, implementation of corresponding mitigations, and the establishment of cyber security programs. We also provide network monitoring services and incident response as part of our Security Operations Centres (SOC), as well as many other security services. We are involved in around 30 innovation projects including SafeCARE, which is integrating cyber-physical security for health services. The objective of SafeCARE is to bring together the most advanced technologies from the physical and cyber security spheres and to deliver high-quality, innovative and cost-effective solutions in system security. These solutions focus on mitigating cyber-physical threats, their interconnections and potential cascading effects.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
Cookie
Duration
Description
cookielawinfo-checkbox-advertisement
1 year
Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional
11 months
The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance
11 months
This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent
1 year
Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy
11 months
The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Cookie
Duration
Description
bcookie
2 years
LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie
2 years
LinkedIn sets this cookie to store performed actions on the website.
lang
session
LinkedIn sets this cookie to remember a user's language setting.
lidc
1 day
LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory
1 month
LinkedIn sets this cookie for LinkedIn Ads ID syncing.
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Cookie
Duration
Description
personalization_id
2 years
Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
