Cybersecurity in health: supporting a cyber-resilient healthcare organization

Arnaud Dechoux, Public Affairs Manager, Europe

More than two years after the Wannacry ransomware crippled medical facilities and other organizations worldwide, millions of people’s health data is still freely available on the internet due to unprotected servers. Others have had their personal data exposed as a result of cyberattacks on their primary healthcare system. These cases are not isolated and all health institutions today face evolving cyberthreats such as targeted ransomware.

In this context and on the occasion of European Cyber Security Month 2019, Kaspersky and the Paris-based think tank Renaissance Numérique launched a debate dedicated to the issue of cyber-risks to our healthcare systems. Bringing together healthcare professionals, technology providers and legal experts, we aimed to address the specific challenges of a sector that handles our most sensitive data.

The report released this month by Renaissance Numérique provides an overview of the current challenges and strategic recommendations for public authorities and health organizations. One major finding is that training and collaboration are two key factors in a shared cyber-resilience in the health sector.

“I don't agree with the conventional wisdom that users are always the weakest link in terms of IT security because they are potentially the strongest link, but only they are educated, if they have been made aware of the consequences of their actions. This is education, because, for a doctor, a nurse or an administrator, in their daily actions, ‘logging off’ may be considered a meaningless act, a waste of time. It is therefore necessary to give them the right information so that they can integrate it into their daily routine. That's what cybersecurity is all about, it's not just stacking up layers of IT solutions, it is above all about working on the human factor and that's where we have the greatest potential for development today,” emphasizes Bertrand Trastour, Head of B2B, Kaspersky France.

Three recommendations for a resilient health system

1. RAISE AWARENESS OF CYBERSECURITY ISSUES AMONG ALL THOSE INVOLVED IN THE CARE PROCESS

These awareness-raising efforts must be carried out with the initial training of health professionals, and then throughout their professional careers. They must also include the other actors in the chain, up to providers and patients. This awareness-raising approach must be sustained over time in order to adapt to changing risks.

2. SECURE THE ENTIRE HEALTHCARE CHAIN BY CONSOLIDATING CONTRACTUAL RELATIONS BETWEEN HEALTHCARE INSTITUTIONS AND PROVIDERS

One way of doing this is by developing or strengthening clauses relating to audits of the internal processes put in place by providers who handle health data (e.g., providing for the frequency of these audits, a grid of the elements to be audited, details on the coverage of the associated costs, etc.).

3. RELYING ON LEADING HEALTHCARE INSTITUTIONS TO DISSEMINATE GOOD PRACTICES IN DIGITAL HYGIENE WITHIN THEIR TERRITORIES

For example, a university hospital center that is particularly advanced in crisis management methods could participate in the support of other less well-equipped establishments with which it collaborates in the same territory. Regional and local professional health communities should be leveraged to raise awareness of cybersecurity challenges among actors in the healthcare system, but also to carry out crisis management exercises involving the relevant actors.

Source: Cybersecurity: Supporting an evolving health system, February 2020

This confirms the assessment made by ENISA in its recent guidelines for hospitals as well as Kaspersky’s own research. Our statistics show that 28% of computers and devices in medical organizations were infected in 2019; we also witnessed a number of ransomware attacks against healthcare facilities in several countries. According to recent survey results^[1], there are two key reasons for such cyberattacks: a lack of attention to the risks of digitalization and a lack of cybersecurity awareness among staff at medical facilities.

“From our research into underground forums we see that medical records are sometimes even more expensive than credit card information. Our 2020 forecast predicts that the number of attacks on medical facility devices in countries just starting the digitalization process in the field of medical services will grow significantly next year. Another serious issue is the lack of proper security standards implemented in medical IoT devices. Security researchers are constantly finding vulnerabilities in various medical equipment. We hope that drawing attention to this subject will make manufacturers collaborate with the security community and contribute more to the creation of a safer environment in the world of smart medicine,” explains Yury Namestnikov, head of Kaspersky Global Research and Analysis Team, Russia.

Read also:

• The report: Cybersecurity: Supporting an evolving health system: https://www.renaissancenumerique.org/ckeditor_assets/attachments/467/note_cybersecurite_et_sante.pdf
• Cybersecurity of connected healthcare 2020: Overview and predictions: https://securelist.com/healthcare-predictions-2020/95385/
• ENISA Procurement Guidelines for Cybersecurity in Hospitals: https://www.enisa.europa.eu/news/enisa-news/prevention-is-the-cyberdefence-for-hospitals

^[1] Kaspersky conducted a survey among healthcare sector employees in the US and Canada that revealed nearly a third of all respondents (32%) had never received any cybersecurity training from their workplace. One-in-10 employees in management positions also admitted that they were unaware of a cybersecurity policy in their organization.