When it comes to cybersecurity, hospitals must accept that threats are no longer just an eventuality. Cyberattacks are now a fact of life, and health providers are a primary target on multiple fronts. It is no longer a case of if, but when they will strike. Even before the pandemic, this was the prevailing trend.
Incidents like the 2017 WannaCry attack on the NHS in the UK grabbed the headlines. But they were only the tip of the iceberg. The 2020 HIMSS Cybersecurity survey revealed that 70% of hospitals questioned had experienced a significant security incident in the past 12 months.
From phishing and ransomware to data breaches, they were already dealing with multiple threats at once: an increased burden of financial loss, reputational damage, compromised clinical outcomes, and serious concerns about patient privacy.
A wave of digital health technology
When the pandemic struck, the wave of digital health technology and connectivity that enabled the continuation of services swept into every healthcare setting. For all its benefits, it was also accompanied by a rise in hospitals' exposure to cybersecurity risk and in the stealth of bad actors. The presence of technology in new places, the implementation of new systems, and the proliferation of connected medical devices created new opportunities for threats to penetrate even the most robust firewalls.
As COVID-19 put healthcare institutions under unprecedented strain, so did a rise in cyberattacks. The impact was noted by the European Union Agency for Cybersecurity (ENISA), which said there had been a 47% increase in attacks on hospital and healthcare networks during 2020.
“Throughout the pandemic, healthcare organisations found themselves under increasing strain,” says Engin Demirel, head of customer solutions EMEA, Digital Health, Olympus Europe. “Digital health technologies were used effectively in many areas to overcome staff shortages, time constraints, and to avoid room overcrowding, ultimately reducing the infection risk. However, the increased adaptation and usage of digital health technologies in the health domain led to the increased vulnerability to ransomware and other cyberattacks.”
Hospitals are already well aware of the measures they should be taking to mitigate and reduce the risk of attack. Some of these are policy-based and culture-focused: regular awareness and prevention campaigns for staff, and the establishment of robust business continuity plans. Others concern the security and management of IT systems and devices.
Many administrative, clinical and healthcare applications are moving to virtual and cloud platforms. And the Internet of Things (IoT) is growing at pace, with connected devices gathering data as a matter of course. This is where the importance of a strong, interactive relationship with a hospital’s medical technology providers comes into play.
Multiply and diversify
“The healthcare industry is being transformed and at times disrupted by the increasing number of IoT tools and devices,” says Demirel. “These are often handling sensitive and patient data, like personally identifiable information (PII) and protected health information (PHI). This data could be misused if it falls into the wrong hands.”
He points to a recent study revealing that 53% of connected medical and other healthcare IoT devices have at least one unaddressed vulnerability. Despite the improvements such devices have brought to patient care and healthcare facilities, these vulnerabilities will multiply if the devices do not include appropriate security control measures.
These measures include encrypted data streams, strong authentication tools, and continuous software and security updates – all of which can suffer from fragmented provision and management in today’s complex hospital IT infrastructures. There are positive signs that digital leaders are stepping up their efforts on this front.
“Hospitals have dramatically increased their focus on security in recent years and this has resulted in both better protection of their critical assets and more in-depth questions with technology suppliers,” says Mike Ryan, global head of digital engineering at Olympus. “I would encourage everyone in healthcare to make security a high priority for their institutions – and we intend to be a role model for bringing highly secure digital products that address real clinical needs to market.”
More than integration
Enhanced systems integration is a key aspect of cybersecurity for mitigating the impact of an attack. Today’s hospital systems often benefit from automated security patches, virus and malware updates, and comprehensive reporting capabilities, so that IT teams always have a complete picture of the security status. But these capabilities must be compatible across the board.
Also, as Engin Demirel points out, even with the latest tools and systems, the tight integration of the IT infrastructure with IT security systems is often not enough to prevent an attack. Continuous monitoring, combined with a multilayer approach to security – a combination of best practice and standards-based technology – is essential. This is the approach advocated by Olympus and embedded in the development of its content management system (VaultStream) and connected devices.
“We understand that security is foundational to a viable product and are taking steps to drive security for both the product and the related information systems,” says Mike Ryan. “We are actively working on a security roadmap to stay current and drive leverage across our various digital products.”
This is the level of cybersecurity integration that hospitals should now be demanding from their technology providers. Being able to trust the security of sensitive health data throughout the care continuum is essential, and not just to ensure that healthcare institutions are compliant with data protection regulations such as the GDPR. It is equally important that patients and clinicians can trust hospitals to manage access to their data.
Due diligence for sensitive data
This makes it even more urgent that healthcare providers work with each of their partner vendors across the digital estate – and carry out due diligence before committing to a new relationship. With third-party vendor involvement so prevalent across the healthcare sector, IT leaders should have a clear understanding of the data security measures that every vendor takes, and how their security concept works.
“One-time actions and measures are not sufficient to build the trust of data subjects,” says Demirel. “Constant action and improvements are required. Choosing vendors and other partners without carefully assessing the data security risks and without extensively determining the responsibilities raises the risk of breaches of patient and staff data.”