by Fernando Guerrero B., OT Security Expert
Today more than ever, the healthcare industry is on the road to real digital transformation. In health centres, where patient treatment is urgent, there are many factors that need to be meticulously managed every hour of every day.
- Medical records must have up-to-date and reliable data
- Examinations and laboratory tests must not be duplicated (unless that is the physician’s order)
- Laboratory test results must be available to medical staff as soon as possible
- Prescriptions must be handled so that medications are distributed without failure
- Testing devices (CT scans, x-rays, labs) need to run smoothly
- Food has to be distributed to patients according to medical instructions
- Surgeries must be planned taking into account hospital capacity.
In general, all systems, communications, devices, and even suppliers and subcontractors, must run like clockwork to ensure not only the well-being of patients, but also the safety of staff.
And hospitals are just one element in the complex web of the healthcare industry. The supply chain also includes medical equipment manufacturers, pharmaceutical companies, rehabilitation institutes, research institutes, medical systems manufacturers, laboratories, basic service providers (electricity, water, telephone, internet) and many others, which make the protection of this industry even more difficult.
In this context, digital transformation is indispensable, especially during the current pandemic. It is equally important to protect and secure all components of the medical supply chain, including and prioritising data from personnel and patients. In addition, it is necessary to consider and prioritise the regulatory framework and mandatory standards in each country and region for the entire supply chain.
What must be protected?
Undoubtedly, the lives of patients and the safety of medical and healthcare personnel are the first priority for protection. Fortunately, there have been no reported cases in the healthcare industry in which a life has been directly lost due to a cyber security incident. However, the possibility of this happening is latently present.
The second priority, but also with very high importance, is confidentiality. It is necessary to guarantee at all times that only those who are authorised to know, for example, about a person’s medical history, biometric, genetic, and financial information, as well as the results of laboratory tests, have access to this data. We should not wait for more patient medical records to be leaked (like in this case in the United States ) to start increasing security in the industry.
It is important to point out that security does not only mean specifying which data can leave a trusted perimeter, but also which data can enter, so as to avoid, for instance, the existence of malware that alters CTI or MRI images to include non-existent tumours. See this fascinating experiment conducted by researchers in Israel .
There is also a need to protect the 24/7 operation of the entire healthcare sector, especially emergency medical care centres. Having access to first-hand information in a timely manner is a critical factor for medical decision making and adequate disease treatment. In addition, the operability of medical equipment must be guaranteed at all times. Although internet-facing computers deployed in medical systems constitute a significant risk factor, unpatched legacy equipment and systems are more vulnerable to attacks, and therefore pose a higher risk of affecting day-to-day operations.
It should be noted that information protection must be managed at all levels, including the intellectual property of drugs, vaccines and medical device architecture. Consider this recent example of an attack to one of the organisations associated with the cold chain of the COVID-19 vaccine  – demonstrating the need to improve the security levels of an industry that handles sensitive information and critical products. It is evident that adequate protection is not only crucial for the IT (Information Technology) environment of health system companies, but also for their OT (Operational Technology) environment.
Why do we need to cyber-protect the Healthcare industry?
Worldwide, there are regulations, standards and guidelines in various countries and at regional level related to:
- The protection of information systems (e.g. NIS Directive, EU Cyber Act)
- The protection of medical information (e.g. HIPAA)
- Protection in the manufacture of medical equipment (e.g. MDR, and Cybersecurity for Medical Devices Guidance, Annex I)
- Cyber security requirements for network-connected medical devices (BSI)
- Critical infrastructure protection (e.g. BSI’s KRITIS)
- Pprivacy protection (e.g. GDPR).
The number of legal instruments is growing due to the increasing threats to the supply chain, as well as improved awareness of cyber security and privacy amongst societies and governments. It should be emphasised that in many countries non-compliance with local regulations leads to significant administrative (financial) and even criminal liabilities, so compliance is not only good practice, but an obligation for company directors and security chiefs.
Fernando Guerrero B., OT Security Expert
“It is also necessary to take into account the risks faced by the industry. In recent months, there has been an increase in the number of phishing attacks , seeking to acquire credentials and circumvent security controls through deception. Similarly, there have been more ransomware attacks  (as we will explain in a subsequent article), which aim to hijack information for ransom. In addition, the medical records of twelve million patients have been leaked , which could be used fraudulently as they contain not only medical information but often provide a full digital fingerprint of a person, including credit card number, passport details, addresses and other personal data.”
How to improve cyber security in Healthcare?
The best way to protect the medical industry is by educating and preparing each of the stakeholders within this sector. A good example of this is the execution of transnational cyber security incident response exercises, such as CYBER EUROPE, which on this occasion is focused on the healthcare sector. Internal awareness programs are also a key pillar of cyber security, as they decrease the probability of successful phishing or ransomware attacks.
Investing in cyber security is also an important point, not only at the level of healthcare facilities, but in all components of the supply chain. Some countries have already taken an important step in this direction. Germany is investing 3 billion euros for the digital transformation and cyber security of its healthcare sector through “Funds for the Future of Hospitals” . The UK government will provide £500k for the healthcare sector to improve cyber security, especially for small and medium-sized organisations . Additionally, the UK’s National Health Service (NHS) is collaborating with Imperial College London in an effort to improve cyber security in the healthcare sector . Thanks to these examples and many others around the world, it is believed that between 2020 and 2025 around USD 125 billion will be invested in the healthcare industry worldwide .
This entire budget must be distributed in an orderly manner, addressing the most critical risks first, some of which were mentioned above. To this end, there are frameworks that aim to improve cyber security in companies through the prioritisation of controls and best practices based on risk analysis (e.g. NIST’s CSF, ANSSI’s CIIP, HITRUST, CIS, among others). These frameworks can also be supported by international security guidelines and standards such as “ENISA -Procurement Guidelines or Cybersecurity in Hospitals”, “ENISA- Baseline security recommendations for IoT”, IEC62443, ISO270001, ISO81001, IEC62304 and IEC 80001-1.
Fernando Guerrero B., OT Security Expert
“In this context, the most critical risks should form the basis of a Strategic Cybersecurity Plan which takes into account the business vision to prioritise the implementation of controls on critical assets in order to ensure continuous operation and delivery of services to patients.”
However, healthcare organisations need not wait for a complete cyber security overhaul before making efforts to protect information, medicines, medical staff and patients. For example, based on a comprehensive risk analysis, some healthcare entities are implementing an information security management system (ISMS), in order to improve their administration of security controls. There are others working on the segmentation of communication networks supported by traffic monitoring and incident response from a Security Operations Centre (SOC) in order to reduce the impact of possible attacks. There are also organisations that are centrally managing updates and patches to eliminate known vulnerabilities in their systems, while identity and access management is helping to prevent unauthorised access to information. Finally, some organisations are prioritising security copies and backup management to minimise the impact of a ransomware attack.
The way forward
Over the last 12 months, cyber security in the healthcare sector has become an increasingly urgent priority for many countries. This has been driven by the COVID-19 pandemic, and the consequences that cyber-attacks can have on peoples’ lives. We help companies in the healthcare sector to improve their security levels with comprehensive risk analysis, implementation of corresponding mitigations, and the establishment of cyber security programs. We also provide network monitoring services and incident response as part of our Security Operations Centres (SOC), as well as many other security services.
We are involved in around 30 innovation projects including SafeCARE, which is integrating cyber-physical security for health services. The objective of SafeCARE is to bring together the most advanced technologies from the physical and cyber security spheres and to deliver high-quality, innovative and cost-effective solutions in system security. These solutions focus on mitigating cyber-physical threats, their interconnections and potential cascading effects.
Find out more about SafeCARE