CyberCompare

Cybersecurity in healthcare: a growing danger

Increasing risk of an attack on healthcare systems

The threat level in healthcare is constantly rising. According to the Verizon 2020 Data Breach Investigations Report, around 15% of reported cyber incidents occurred in this sector. And it affects every player along the value chain, from pharma companies to labs to medical device manufacturers to hospital chains, and even individual local hospitals.

The sensitive nature of the (patient and health) data being handled, and the fact that seamless processes in labs, hospitals, and pharma companies are essential to protect human life, make these organizations especially attractive targets. The proliferation of IT, OT, and IoT systems at healthcare companies (see image) and – at least in hospitals – access control systems that are difficult to regulate make efficient cyber protection an extremely complex issue. In hospitals particularly, the situation is complicated by heterogeneous and frequently outdated infrastructure.


Verizon’s 2020 report also showed that the threat to healthcare primarily comes from criminal organizations, which account for 36% of all attacks. 55% of cases involve system disruption or a full operations shutdown, and in 31% of cases confidential information is leaked.

Pharmaceutical companies are a special case at increased risk of APTs (advanced persistent threats, usually directed at government bodies), most recently driven by the COVID-19 situation and the value of unlawfully obtained information about vaccines or drugs. Risks include the loss of critical IP (intellectual property), production shutdowns, and massive reputational damage. One particularly spectacular case was the NotPetya ransomware attack on Merck in 2017, which led to a six-month production shutdown and a loss of more than USD 1 billion. Other incidents occurred in 2018 at Bayer (corporate espionage) and in 2020 at Gilead (espionage) and Fresenius (illegal publication of sensitive data). The situation is all the more tense because criminal organizations believe that most pharmaceutical companies are financially capable of paying high ransoms. One statistically less relevant risk (2% of incidents) involves “hacktivists” who, for example, do not agree with policies that govern how licenses are awarded. Although the number of cases is lower, they usually have a major negative PR aspect and cannot be resolved by paying a ransom since the perpetrators are acting on idealistic principles.

For manufacturers of networked medical devices, the risks of production shutdown and information loss run parallel to their responsibility for product safety – in this case the cybersecurity of said medical devices. This has previously affected Abbott, which was forced to issue safety updates for its pacemakers and defibrillators, and insulin pump manufacturer Medtronic, as reported in the newspaper Frankfurter Allgemeine Zeitung.

As mentioned above, hospitals are particularly susceptible to hacking, the most recent examples being the attacks on Dusseldorf University Hospital – which resulted in one death – and the COVID-19 test clinic in Brno (Czech Republic). In January this year, security firm Limes released a comprehensive report about the current situation in German hospitals, suggesting that nearly one-third have significant gaps in their security. The authors referred to this as “a national security risk”. Equally horrifying is the fact that larger hospitals especially have a higher number of critical vulnerabilities and gateways, such as the continued use of Windows 2003 servers (without security updates). Attackers have a wide choice of systems to exert malicious influence: alongside medical devices with unlocked USB ports, building technology itself (e.g., air conditioning systems) or the HIS (health information system) can become easy targets.

Help is on the way?

The issue of cyber risk in healthcare has not passed legislators by. German lawmakers have already delivered both regulatory and financial interventions in the form of the KRITIS directive and IT-SiG 2.0, and specifically for hospitals through the Hospital Future Act (KHZG).

Of course, that does not relieve industry players of their own responsibility to take action. A good starting point for most companies is to use the latest frameworks (standards) to set up and run efficient cybersecurity protection, and to plan other measures in detail. For office IT these might include NIST CSF & 800-53, ISO 27001, and SANS CIS-20, and for medical and lab equipment IEC 80001, MDCG, UL 2900-1/2900-2-1, and HIMSS/NEMA1.

CyberCompare supports clients in assessing their own cyber risk, in deriving a practical and efficient cybersecurity strategy, and in tendering and commissioning providers to implement the planned measures. Talk to us today!

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.