Cyber attacks on healthcare infrastructures are growing in number and sophistication and are increasingly successful, which makes it urgent to improve prevention and response strategies. Below we briefly describe the main technological and organizational areas that require immediate attention and action, including at the budget level.
Medical instrumentation is now pervaded by digital technology and is therefore exposed to increasingly dangerous attacks; for this reason it must be suitably protected. In the health sector, most of the data processed can be classified as sensitive and is used in different ways by different types of users; consequently it must be managed and protected with both preventive and protective measures. Below we also address managed security services, which can be decisive in helping healthcare organizations increase their effectiveness in preventing and responding to cybersecurity risks: these require highly specialized skills, which are difficult to obtain without an excessive burden on the structures themselves.
Evolution and current picture of Cyber risk
In 2019, an Alabama woman sued a local hospital for failing to inform her that it had suffered a cyber attack the day before. According to the woman, during the delivery the healthcare staff did not have full availability of the digital tools needed during the procedure, and this allegedly caused injury and, subsequently, the death of the newborn. The hospital stated that the attack had occurred the day before the birth. The complaint argued that, had she been informed of the attack, the woman could have changed her decision and chosen another facility.
Another important episode, which took place in September 2020, concerns the death of a woman in Germany as a result of a cyber attack. The ransomware attack made the digital reception services unavailable, so the woman had to be transported to another hospital. The delay caused her death.
In Italy the situation does not appear much more favorable, even though to date there have been no cases of this kind.
Specifically, over the course of 2021 there were as many as 30 incidents, attacks and privacy violations affecting healthcare, as charted in the 3Q 2021 report of the Exprivia Cybersecurity Observatory. Numerous attacks were recorded at the start of the year, while incidents (successful attacks) were fewer.
That is a positive figure from a security standpoint, but the good news ends there: in 2Q 2021 and 3Q 2021 the gap between attacks and incidents narrowed drastically.
Looking at the data in detail, this increase in security incidents points, first, to greater effort by cybercriminals in carrying out increasingly sophisticated attacks and, second, to less attention on the part of the users and operators who fall victim to them.
In addition to cybercrime, the privacy violations reported by the Data Protection Authority (Garante) are of considerable importance. There were 12 reports in the first part of the year, and this aspect, which certainly cannot be attributed to criminal activity, calls for serious reflection from an organizational and structural point of view.
A final consideration on the Italian data collected and analyzed by the Exprivia Cybersecurity Observatory concerns the attack techniques used against healthcare structures and systems: exploitation of known vulnerabilities dominates, followed by phishing campaigns with fatal results.
On the one hand, the well-being of a community cannot ignore the need to invest in healthcare, making it increasingly effective organizationally and making the best use of the technologies the market offers; on the other hand, it is unthinkable that these benefits could come without an aggressive digitization process, which must be accompanied by continuous assessment of the IT risk it brings.
The greater the use of digital services, the greater their exposure to attacks and the resulting incidents.
In light of the data available to us, the areas of greatest attention, with related suggestions, follow.
Awareness of the risks related to a cyber attack
Although attackers can exploit extremely sophisticated techniques, incidents are often caused by falling for phishing campaigns that would be trivial for IT professionals to recognize but may be far less obvious to personnel with other duties and specializations. IT-specialized staff are a tiny percentage of those who work in direct or indirect contact with patients (doctors, nurses, ...). It should therefore come as no surprise that phishing accounts for a large share of the attack methodologies used against healthcare.
It is therefore necessary to invest in awareness programs. The human firewall is often the most effective barrier against cybercrime.
Verification of the degree of awareness
The next step, once awareness has been raised, is to invest in checking the quality of the approach, that is, evaluating how much improvement the various awareness programs have actually produced.
Certification of skills is an industry best practice that cannot be ignored in healthcare either. Having awareness programs lead to certifications on appropriate platforms (for example Open Badge 2.0) follows naturally from this.
To verify how aware individuals are and how ready the healthcare organization is to manage a cyber attack, simulations can be run and the behavior of the population observed. This practice, known as a cyber range, is common in IT environments and in other industries, which can use frameworks developed for the purpose (for example TIBER-EU); these can and must be adapted to healthcare.
Device update and zero-trust
Most successful attacks in healthcare can be traced to known vulnerabilities and are therefore avoidable incidents. This should not be surprising: the perimeter in healthcare is extremely wide and physical control is hard to maintain, since personal IT devices are often used. Given the diversity of services offered and the heterogeneity of the staff who access them, a single management of the infrastructure that defines and enforces policies is extremely difficult and complex to achieve.
We must also add that digitization implies a strong interconnection of services and devices; therefore, the malfunction of one could cause problems for a patient apparently not involved in the incident.
In the German case, the patient's death was a consequence of the attack on the patient reception service, which at first sight might not seem extremely critical, since its disruption is reversible.
Protection of digital health devices
Healthcare, and medicine more generally, relies on more and more electronic tools to support diagnostics, therapy and patient management. The use of smart devices (IoT) is proof of this.
These tools, increasingly numerous in hospitals and often entrusted directly to patients, on the one hand offer the opportunity to improve the work of healthcare personnel both qualitatively and quantitatively; on the other hand, unfortunately, they expose the healthcare facility to cyber attacks that can be extremely dangerous and cause significant damage to people and property.
IoT devices are extremely attractive to cybercriminals because they can be used as a base for Distributed Denial of Service (DDoS) attacks. Not only that: there are frequent cases in which attackers have interrupted the services of entire hospital wards while demanding one or more ransoms (so-called double extortion).
It is therefore inevitable and necessary to start designing IT and network structures around these risk factors and to provide suitable defensive instruments.
Adopting zero-trust policies, also using network micro-segmentation techniques, is necessary to prevent inadequately protected devices from coming into contact with people and other devices that have different security policies.
Privacy and data protection
When we talk about cybersecurity we often refer to the possibility of a service being interrupted. However, we cannot forget that in Italy, in healthcare, privacy-related data breaches have outnumbered security incidents.
Added to this is the fact that criminals are often interested not so much in interrupting the service as in stealing data (lately, double extortion techniques have also developed: first the data is stolen and then the database is encrypted, so that the victim can be blackmailed both to restore the data and to have the stolen data returned).
In fact, if data is fundamental to the delivery of any service, in healthcare it is extremely critical and attractive on the black market. More generally, data is "critical" because it helps machines keep patients alive, but it is also "sensitive". If on the one hand data must be protected from possible malicious interference, on the other hand a high level of privacy protection must be guaranteed.
For this reason, different levels of protection are required, such as the adoption of appropriate encryption techniques both at rest and in transit, careful profiling of the users, systems and roles that can access the data, and finally continuous monitoring of activity, able to identify fraudulent acts by both external and internal actors of the organization.
The peculiarities of personal data in the health sector suggest particular management strategies
Health data are characterized by being processed simultaneously by at least three macro-categories of users and by different services:
- they are obviously used from a clinical point of view, in support of medical staff managing diagnostic and therapeutic activities;
- at the same time the data are also used to support the operational structure of the hospital, in order to properly manage operations, costs and equipment;
- finally, health data are often of research interest for statistical or analytical purposes, again with specific usage characteristics.
These three approaches, converging on the same data, in reality do not always need to access the entire set of information present, nor to do so in the same way.
For example, processing for scientific purposes probably never needs to access the personal identity data of the people involved, which is essential to the other types of processing; conversely, management and operational processing generally does not need to go into the medical-analytical details of the information relating to a given person, but more typically stops at quantitative factors, such as the number and types of different tests, regardless of their results.
These considerations suggest immediately adopting a data protection and access strategy that takes these differences in use into account and allows efficient and effective segmentation of data and of their access levels.
For this reason, it is advisable that strategies for protecting classified, granular information be envisaged from the database planning stage, precisely because not all uses require all the information as a whole. Although this may appear more complex at first than monolithic management of encryption, once the entire life cycle of the data and the need for access control are taken into account this is not the case, because individual access profiles are easier to protect and expose less data.
Preventive segregation and granular cryptographic masking are an important factor in designing one's protection and retention strategies according to the different uses, exposing less information during use and then simplifying all the control and protection of the processing results.
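The per-profile segmentation described above, together with the continuous control of access called for earlier in this section, as an added Python example that is not part of the original article: the profile names, the sample records and the HMAC-based pseudonymization are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (not real patients): identity fields plus test results.
RECORDS = [
    {"patient_id": "P001", "name": "Mario Rossi", "dob": "1962-03-14",
     "tests": [{"type": "blood_glucose", "result": 142}, {"type": "ecg", "result": "normal"}]},
    {"patient_id": "P002", "name": "Anna Bianchi", "dob": "1975-09-02",
     "tests": [{"type": "blood_glucose", "result": 95}]},
]

# Access profiles modelled on the text's three macro-categories (hypothetical names):
# clinical sees everything, operations sees only counts, research sees results but no identity.
PROFILES = {
    "clinical":   {"identity": True,  "results": True},
    "operations": {"identity": False, "results": False},
    "research":   {"identity": False, "results": True},
}

# Keyed pseudonymisation secret: a demo constant here; in practice held in a KMS/HSM and
# never available to the operations or research profiles.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

AUDIT_LOG = []  # one entry per access, for the continuous control the text calls for


def pseudonymize(patient_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Stable, non-reversible subject token: same patient -> same token across records,
    but identity cannot be recovered without the key (HMAC-SHA256, truncated)."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def view(record: dict, profile: str) -> dict:
    """Return only the slice of the record that the given access profile is entitled to."""
    if profile not in PROFILES:
        raise PermissionError(f"unknown access profile: {profile}")
    rules = PROFILES[profile]
    token = pseudonymize(record["patient_id"])
    out = {}
    if rules["identity"]:
        out.update({k: record[k] for k in ("patient_id", "name", "dob")})
    else:
        out["subject"] = token
    if rules["results"]:
        out["tests"] = [dict(t) for t in record["tests"]]
    else:
        # Operations: number and type of tests only, never the result itself
        out["test_counts"] = dict(Counter(t["type"] for t in record["tests"]))
    AUDIT_LOG.append({"profile": profile, "subject": token, "fields": sorted(out)})
    return out
```

The audit entries carry the pseudonym rather than the identity, so the monitoring function itself does not become another place where identity data is exposed.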
Organization of healthcare security
Healthcare structures aim at the protection and well-being of the individual and are therefore mainly widespread organizations structured across the territory. This implies that they must basically be distributed and agile.
This feature naturally poses some challenges for cybersecurity management, mainly because the skills and security structures needed to fulfill this role and protect with the best possible effectiveness are difficult to organize in small and medium-sized territorial structures, partly because of an intrinsic shortage of skills in today's security sector, but also, and above all, for obvious economic and organizational reasons.
It is therefore appropriate to evaluate organizational strategies that favor the sharing and usability of the highly specialized skills that are most critical for the cyber sector, so that they can be shared by several structures with greater efficiency and economy.
The managed services approach is therefore of great interest, because it gives access to the best skills across the many different specialties of the security sector, when and as needed, without taking on excessive economic burdens and without forcing internal staff into training courses that demand an excessive commitment in terms of knowledge and skills.
Cybersecurity is structurally in constant evolution, with new approaches and strategies driven by the adoption of new technologies. It is unthinkable that an agile structure such as a hospital could equip itself with all the cybersecurity skills that are now indispensable within its IT structures.
Fabiano Vincenzo Malerba (Exprivia Security Researcher)