InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
In the healthcare sector, digitisation and networking are opening up huge opportunities, but they also entail risks. All too often, cybercriminals find insufficiently protected networks, whether classic local area networks (LANs), wireless networks (WLANs) or provider networks (4G, 5G, etc.). Incidents range from data theft to blackmail, sabotage and attempts to deliberately manipulate medical technology and medical data. In this blog article, we tell you what you need to be aware of and how to overcome these challenges.
The top priorities for healthcare providers and innovators are saving lives and providing the best possible care for the sick. Unfortunately, the systems used in medicine every single day are extremely attractive targets for cybercriminals: medical systems and hospital information systems (HIS) are attacked again and again.
Ransomware attacks in particular jeopardise patient safety and cause enormous financial damage. Healthcare facilities are under enormous pressure to restore their systems after a ransomware attack, because patient safety is at stake, and in some cases these systems offer little resilience against attackers. Some attackers have publicly stated that they would not attack health facilities during the COVID-19 pandemic, whereas other groups have stepped up their attacks on precisely these establishments, because a victim already under pressure from the pandemic is much more likely to pay a ransom.
There are few sectors where safety and security are as closely linked as in healthcare. Attacks on IT infrastructures in the healthcare sector are also a direct threat to patients. Add to this the fact that the data processed in healthcare is subject to very high data protection requirements, and it becomes clear that a whole host of challenges need to be met. For security reasons, only staff who have been authorised and securely authenticated may access this data; from a safety perspective, however, rapid access to medical data can be a matter of life and death, and there may not be enough time to unlock screens and find the right password. This is absolutely understandable from a safety point of view, but from a security standpoint it is definitely a “no go”! Unfortunately, there are many challenges like this, and what makes them even harder is the unique structure of IT systems in the health sector.
At one level, all healthcare providers have office management systems for administrative tasks, and here the healthcare sector is much like any other business. Although there are open questions here too when it comes to protecting these systems, at least comprehensive standards are in place, such as ISO 27001, the NIST CSF and the ICT Minimum Standard, along with “best practice” approaches.
On another level, healthcare providers often operate a wide range of networked medical devices. These range from infusion pumps and insulin monitors to cutting-edge MRI scanners, all connected to a network for monitoring, advanced diagnostics, data analysis, data sharing and remote access. These devices have to comply with stringent safety requirements that are often incompatible with basic cyber security practices such as regular software updates.
Many of the computers integrated into medical devices run operating systems that are no longer supported by the manufacturer. Staff need access to medical data from their office workstations, so it is not possible to completely isolate these insecure systems. Furthermore, many hospitals and clinics have contracts with specialist providers, such as tele-radiology companies operating in different time zones, to provide coverage outside normal working hours.
Thirdly, there is a system that is frequently forgotten about: the Supervisory Control and Data Acquisition (SCADA) system that monitors and controls the facilities. Hospitals and clinics depend on these systems functioning correctly, yet they are often “overlooked”, even though an attack on the control systems is precisely what can bring about life-threatening situations within a matter of minutes. That is every healthcare provider's nightmare.
Doctors and nurses may access a myriad of electronic devices and records when caring for patients. When doing so, it is important to keep an eye at all times on the five crucial requirements in the healthcare sector:
1. Low latency
While many regulations do not explicitly require the encryption of electronic protected health information (ePHI), in practice encryption is the only way to meet today's regulatory security requirements. As a result, much of the network traffic is encrypted via TLS. Medical establishments must be able to transmit large amounts of data over the network in encrypted form without compromising network performance, because high latency has a negative impact across the healthcare sector, from staff productivity to patient care.
2. Data Integrity
With the growing integration of clinical applications, driven by interoperability requirements and increasing market partnerships, it is critical to ensure the integrity of patient data throughout its lifecycle. It is also important to secure research and DevOps environments and to separate them from patient care networks. Furthermore, healthcare organisations must be able to demonstrate in audits that they comply with security and data protection standards and regulations.
3. Operational Efficiency
IoMT-based (Internet of Medical Things) services are becoming increasingly common, but they also enlarge the attack surface. To close security gaps, many healthcare providers buy an additional standalone product for each security issue or rely on the security tools provided by their public cloud provider. As a result, the security architecture becomes increasingly fragmented, because these tools are not integrated with each other, which often leads to operational inefficiency.
4. Decentralised Locations and External Partners
As is the case in most industries, there is a trend in healthcare towards cooperation, consolidation and acquisitions. On top of this, there is a complex network of collaboration with partners, suppliers, affiliated and independent clinics, hospitals, research sites, insurance carriers, etc.
All these bodies use and transmit electronic protected health information (ePHI) that originates from the institution's health system. The different stakeholders' systems are not usually interconnected, so there are inevitable problems with transparency, data control, access auditing and compliance reporting. Consequently, it is difficult to implement uniform security controls across all healthcare providers.
5. Costs
Health insurance providers are paying for fewer and fewer health services, and cutbacks are a daily occurrence, especially in operating costs. Each additional expense drives up patient costs, which in turn means that investment in IT and cyber security is frequently put on hold.
The already sprawling infrastructure is becoming ever more complex as health technologies evolve. The result is a rapidly growing attack surface and an increasing number of third-party users accessing network resources. Healthcare IT systems are inherently highly complex, and the regulatory environment they exist in is an absolute maze. In the healthcare sector, changes to sector guidelines, data protection and security requirements are the order of the day, partly because of new technologies and partly because of changing regulatory requirements. All this is making compliance more and more difficult. Healthcare institutions need robust yet fail-safe security to keep up with major developments: security that can incorporate new tools and components into an integrated architecture without the basic system having to be completely replaced every couple of years.
For example, the Security Fabric from Extreme Networks provides a stable, flexible foundation into which a range of third-party tools can be seamlessly integrated. This security structure is supported by an open ecosystem and robust API tools. Comprehensively integrating security solutions into the traditional (on-premises) network and the cloud opens up completely new opportunities: security workflows can be automated end to end, from threat detection and mitigation to resolution, and management, analytics and event management tools can help security teams to take a proactive rather than reactive approach to cyber security.
Unfortunately, with IT security in the healthcare sector, there are no simple solutions or processes, which is why InfoGuard is supporting many Swiss hospitals and healthcare institutions to individually set up future-proof cyber security and sustainable cyber defence. Set us a challenge too – our experts would be delighted to accept it!
Come and see us at the “Information Security in Healthcare Conference” from 21 September 2021 in Cham. Together with our partners Aruba, Juniper and Vectra, we will show you how to approach cyber security in the healthcare sector, with all its challenges.