The leakage of healthcare data (personal data, medical records, etc.) is the number one attraction for cybercriminals and ransomware has highlighted the weakness of hospital systems around the world.
On the black market, medical data is already worth ten times more than economic data. By way of example, a single clinical record on the darkweb can cost around 1,000 dollars.
However, it is necessary to look beyond the digital realm. Industrial cybersecurity (OT) is becoming a priority for the industry today.
"The failure or intrusion in a digital system will expose our most personal information. The failure of hospital equipment can cause irreversible problems for the physical health of patients," says Alejandro Villar, Global Director of OT Cybersecurity at Entelgy Innotec Security.
"We are talking about the security of a pacemaker, a holter, an insulin pump, tomography machines, ultrasound, X-ray, radiotherapy, surgery robots, defibrillators and all types of wearables," he says.
"All of this communicates with the digital (IT) systems of a hospital."
This is also pointed out in the report 'Good practices for the security of healthcare services' by the European Union Agency for Cybersecurity (ENISA).
OT cybersecurity issues in the hospital environment
The main security problem in the hospital environment is that FDA (Food and Drug Administration) regulations and the nature of medical devices make them untouchable.
"It is not allowed to install any third-party software on a medical terminal, nor to improve its operating system for safety reasons, since this action is not certified by the manufacturer," says Villar.
"Today much of the medical software is out of support and many of the systems in use are outdated and deeply deployed, so it can be costly to replace them. There is a great risk in exposing a hospital's machinery and tools to all the threats of a digital environment," he says.
Plan to ensure safety in hospitals
Ensuring complete cybersecurity, from digital to physical, requires a specific security plan that goes through several phases: discover, assess, protect, monitor and optimise.
Discover: know the digital model of the hospital and its connected assets, make an inventory, know which machines are connected, what connections exist between one device and another, where their information is consumed, etc.
Assess: scan all connected devices for vulnerabilities and calculate the risk of each of them.
Protect: organise devices to decide which machines are authorised to access the information of others and establish controlled and secure access. Collaboration between teams is also relevant. Involve professionals from different areas who are able to identify critical devices that can be attacked.
Monitor: in the industrial environment, you have to live with risk all the time.
"Implementing an urgent detection and response framework is necessary to uncover policy deviations and respond effectively," says Villar.
Optimise: take the opportunity to improve the environment, to optimise devices, their connections and security.
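As an added illustration of the discover, assess, protect and monitor phases above (example code written for this page, not from Entelgy Innotec Security or ENISA; all device names, vulnerability scores and observed flows are constructed), a small Python model that inventories connected devices, scores their risk with unpatchable medical terminals weighted up, encodes which connections are authorised and flags flows that deviate from that policy:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    """One connected asset from the Discover phase (all names are constructed)."""
    name: str
    kind: str        # "medical" or "it"
    cvss: tuple      # constructed vulnerability scores, not real CVE data
    patchable: bool  # medical terminals cannot be patched without manufacturer certification

# Discover: a constructed inventory of connected assets.
INVENTORY = {
    "ct-scanner": Device("ct-scanner", "medical", (9.8, 7.5), False),
    "infusion-pump-12": Device("infusion-pump-12", "medical", (6.5,), False),
    "pacs-workstation": Device("pacs-workstation", "it", (5.3,), True),
    "admin-laptop": Device("admin-laptop", "it", (), True),
}

# Protect: the (source, destination) connections that are authorised.
ALLOWED = {
    ("pacs-workstation", "ct-scanner"),
    ("pacs-workstation", "infusion-pump-12"),
    ("admin-laptop", "pacs-workstation"),
}

def risk_score(device: Device) -> float:
    """Assess: worst CVSS score, weighted up for devices that cannot be patched."""
    if not device.cvss:
        return 0.0
    worst = max(device.cvss)
    # An unpatchable device keeps its exposure indefinitely; cap at 10.0 to stay on the CVSS scale.
    return worst if device.patchable else min(10.0, worst * 1.25)

def ranked_risks() -> list:
    """Assess: devices ordered from highest to lowest risk."""
    return sorted(((risk_score(d), d.name) for d in INVENTORY.values()), reverse=True)

def policy_deviations(flows: list) -> list:
    """Monitor: flows that involve an unknown asset or are not on the allow-list."""
    deviations = []
    for src, dst in flows:
        if src not in INVENTORY or dst not in INVENTORY:
            deviations.append((src, dst, "unknown asset"))
        elif (src, dst) not in ALLOWED:
            deviations.append((src, dst, "unauthorised connection"))
    return deviations

# Constructed observed flows, as a network tap or switch log would report them.
FLOWS = [("pacs-workstation", "ct-scanner"), ("admin-laptop", "infusion-pump-12"), ("unknown-host", "ct-scanner")]
```

Calling ranked_risks() lists the CT scanner first because its highest score is weighted up for being unpatchable, and policy_deviations(FLOWS) reports the laptop reaching the infusion pump and the unknown host reaching the scanner.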
"Given the real threat situation, the next step will be for companies and public administrations to assign responsibilities and establish specific plans for these environments," says Villar.
"The recommendation is to operate with three interconnected teams in the hospital environment. One will be in charge of information security. Another will be in charge of network infrastructure. A third will specialise in biomedical engineering. It will also be necessary to replace legacy systems that are obsolete and impossible to upgrade," he says.
"Those capable of understanding the industrial world and the digital world and their interlocution will be those who can manage both spaces and who have a chance of success and existence in the future. The hospital sector is a strategic national asset. Its security becomes a complex scenario that requires cooperation from all parties involved."