by Fernando Guerrero B., OT Security Expert
Today more than ever, driven by an unexpected impulse, the healthcare industry is on the road to a real digital transformation. In health centres, where patient treatment is urgent, there are many factors that need to be meticulously managed every hour of every day. Medical records must have up-to-date and reliable data; examinations and laboratory tests must not be duplicated (unless that is the physician’s order); laboratory test results must be available to medical staff as soon as possible; prescriptions must be handled so that medications are distributed without failure; testing devices (CT scanners, X-ray machines, laboratory analysers) need to run smoothly; food has to be distributed to patients according to medical instructions; and surgeries must be planned taking hospital capacity into account. In general, all systems, communications and devices, and even suppliers and subcontractors, must run like clockwork to ensure not only the well-being of patients, but also the safety of the staff.
An environment as complex as a hospital is only the beginning, as the healthcare industry contemplates several additional components of the supply chain, including medical equipment manufacturers, pharmaceutical companies, rehabilitation institutes, research institutes, medical systems manufacturers, laboratories, basic service providers (electricity, water, telephone, internet) and many others, which would make the protection of this industry even more complex.
In this context, digital transformation is undoubtedly indispensable, especially in times of the Covid-19 pandemic. Consequently, it is equally important to protect and secure all components of the supply chain, prioritising the data of personnel and patients.
In addition, it is necessary to consider and prioritise the regulatory framework and mandatory standards in each country and region for the entire supply chain.
What must be protected?
Undoubtedly, the lives of patients and the safety of medical and healthcare personnel are the first priority for protection. Fortunately, there have been no reported cases in the healthcare industry in which a life has been directly lost due to a cyber security incident. However, the possibility of this happening remains latent.
The second priority, but also with very high importance, is the privacy of information. It is necessary to guarantee at all times that only those who are authorised to know, for example, about a person’s illness or treatment, have access to this information. This privacy relates to a person’s medical history, biometric, genetic, and financial information, as well as the results of laboratory tests. We should not wait for more patient medical records to be leaked (see case in the United States) to start increasing security in the industry.
It is important to point out that security does not only mean specifying which data can leave a trusted perimeter, but also which data can enter, so as to prevent, for instance, malware that alters CT or MRI images to include non-existent tumours.
There is also a need to protect the 24/7 operation of the entire healthcare sector, especially emergency medical care centres. Having first-hand information in a timely manner is a critical factor for medical decision making and adequate disease treatment. In addition, the operability of medical equipment must be guaranteed at all times. Although Internet-facing computers deployed in medical systems constitute a significant risk factor, unpatched legacy equipment and systems are more vulnerable to attacks, and therefore pose a higher risk of affecting day-to-day operations in places where they are essential.
It should be noted that information protection must be managed at all levels, including the intellectual property of drugs and vaccines and the architecture of medical devices, among others. Consider the recent example of an attack on one of the organisations associated with the cold chain of the vaccine against COVID-19; it demonstrates the need to improve the security levels of an industry that handles sensitive information and critical products. It is evident that adequate protection is crucial not only for the IT (Information Technology) environment of health system companies, but also for their OT (Operational Technology) environment.
Why do we need to cyber-protect the Healthcare industry?
Worldwide there are regulations, standards and guidelines, in various countries and at regional level, for the protection of information systems (e.g. the NIS Directive and the EU Cybersecurity Act), the protection of medical information (e.g. HIPAA), the protection of medical equipment manufacturing (e.g. the MDR, the Cybersecurity for Medical Devices Guidance (Annex I), and the BSI’s cyber security requirements for network-connected medical devices), critical infrastructure protection (e.g. the BSI’s KRITIS), and privacy protection (e.g. the GDPR). The number of legal instruments is growing due to the increasing threats to the supply chain, as well as the growing cyber security and privacy awareness of societies and governments. It should be emphasised that in many countries non-compliance with local regulations leads to significant administrative (financial) and even criminal liabilities, so compliance is not only a good practice, but an obligation for company directors and security chiefs, among others.
“It is also necessary to take into account the risks faced by the industry. In recent months, there has been an increase in the number of phishing attacks, seeking to acquire credentials and circumvent security controls through deception. Similarly, there have been more ransomware attacks (as we will explain in a subsequent article), which aim to hijack information for ransom. In addition, medical records of twelve million patients have been leaked, which could be used fraudulently as they contain not only medical information but often provide a full digital fingerprint of a person, including credit card number, passport details, addresses and other personal data.”
How to improve cyber security in Healthcare?
The best way to protect the medical industry is by educating and preparing each of the stakeholders within this sector. A good example of this is the execution of transnational cyber security incident response exercises, such as CYBER EUROPE, which on this occasion is focused on the healthcare sector. Internal awareness programs are also a key pillar of cyber security, as they decrease the probability of success of phishing or ransomware attacks, and therefore these programs should also target patients.
Investing in cyber security is also an important point, not only at the level of healthcare facilities, but in all components of the supply chain. Some countries have already taken an important step in this direction. Germany is investing 3 billion euros in the digital transformation and cyber security of the healthcare sector through the “Funds for the Future of Hospitals”. The UK government will provide £500k for the healthcare sector to improve cyber security, especially for small and medium-sized organisations. Additionally, the National Health Service (NHS) of the UK is collaborating with Imperial College London in an effort to improve cyber security in the healthcare sector. Thanks to these examples and many others around the world, it is estimated that between 2020 and 2025 around USD 125 billion will be invested in cyber security in the healthcare industry worldwide.
This entire budget must be distributed in an orderly and prioritised manner, addressing the most critical risks first, some of which were mentioned above. To this end, there are frameworks that aim to improve cyber security in companies through the prioritisation of controls and best practices based on risk analysis (e.g. NIST’s CSF, ANSSI’s CIIP, HITRUST and CIS, among others). These frameworks can also be supported by international security guidelines and standards such as ENISA’s “Procurement Guidelines for Cybersecurity in Hospitals”, ENISA’s “Baseline Security Recommendations for IoT”, IEC 62443, ISO 27001, ISO 81001, IEC 62304 and IEC 80001-1.
“In this context, the most critical risks should form the basis of a Strategic Cybersecurity Plan which takes into account the business vision to prioritise the implementation of controls on critical assets in order to ensure continuous operation and delivery of services to patients.”
However, this orderly approach does not mean that efforts cannot be made in advance to protect information, medicines, medical staff and patients. Based on a comprehensive risk analysis, there are, for example, healthcare entities that are implementing an information security management system (ISMS) in order to improve the administration of security controls in their companies. Others are working on the segmentation of communication networks, supported by traffic monitoring and incident response from a Security Operations Centre (SOC), in order to reduce the impact of possible attacks. There are also organisations that centrally manage updates and patches to eliminate known vulnerabilities in their systems. Identity and access management is also performed to prevent unauthorised access to information. Finally, some have prioritised their efforts on backup management to minimise the impact of a ransomware attack.
The way forward
Cyber security in the healthcare sector is a priority in many countries, now even more so due to the Covid-19 pandemic and the consequences that cyber-attacks can have on people’s lives. We have presented examples of threats and attacks perpetrated within the industry, as well as examples of legislation, standards, guidelines and frameworks that exist to combat these threats. Finally, we have presented how to start, continue or improve the maturity of information security and of IT and OT systems throughout the supply chain, in particular through tools and methods based on risk measurement, while taking legacy systems into account.
We help companies in the healthcare sector to improve their security levels with comprehensive risk analysis, implementation of corresponding mitigations, and the establishment of cyber security programs. We further provide network monitoring services and incident response as part of our Security Operations Centres (SOC), as well as many other security services.
We are involved in around 30 innovation projects, including SafeCARE, which addresses integrated cyber-physical security for health services. The objective of SafeCARE is to bring together the most advanced technologies from the physical and cyber security spheres and to deliver high-quality, innovative and cost-effective solutions in system security. These solutions focus on mitigating cyber-physical threats and incidents, their interconnections and their potential cascading effects.