Cybersecurity emergency for health organizations



Paralyzed hospitals, tampering with pacemakers or insulin pumps, resale of medical data... Examples of malicious attacks in the health sector are plentiful and persuasive. In the age of health 2.0, it is impossible not to make cybersecurity a priority.

Digital technology promotes exchange, sharing and decompartmentalization between the various players and thus puts efficiency first. But it also creates new challenges in terms of securing information systems and patient protection.

The cloud, a new challenge for healthcare organizations



By 2022, Gartner estimates that more than 30% of hospital data centers will be hosted in the cloud. Yet, according to a survey conducted by Netwrix [1] in 2019, one in three health organizations does not sufficiently protect its data, even though the health sector is one of the main targets of computer attacks. 26% of industry players say they have experienced at least one cloud-related security incident over the past year. Despite these alarming numbers, 32% of healthcare organizations store sensitive data in the cloud without adequate protection resources. All health data is automatically considered sensitive data: it includes medical information as well as personal information that identifies customers and employees.

More and more healthcare organizations want to prioritize the cloud: the share of respondents doing so rose from 31% to more than half in just one year, and 34% of them are even considering moving exclusively to the cloud. However, the budgets allocated to securing information systems are not growing at the same pace. In 85% of companies, they simply did not change at all in 2019. In addition, a third of the IT teams surveyed say they receive no financial support from their management. Nevertheless, 70% of respondents make data encryption a priority, followed by monitoring of data usage. To deal with these new cloud-related threats, many players are seriously considering backtracking by repatriating certain data on-site, including healthcare and customer information.

Cybersecurity awareness in the health sector is progressing... slowly but positively. 76% of establishments now have an incident management unit. These efforts still need to be backed by more substantial budgets and a real willingness on the part of health organizations' management to rethink their IT security.

[1] https://www.netwrix.com/2019cloudsecurityreport.html

What are the risks for patients and health care providers?


Of course, cybersecurity costs can be significant, but they are ultimately what guarantees the relationship of trust that must exist between users and health organizations. In health facilities, the main source of concern is not the confidentiality of the data but its reliability: only clearly identified persons should be able to modify these data, and only according to clearly defined processes. The American vendor Morphisec Labs conducted a survey on users' views of the threats surrounding the health sector. Patients are more concerned about health risks (59%) than about hackers gaining access to an Internet-connected medical device (41%). However, all these elements are in fact linked and form the links of one long chain. If a virus paralyzes the applications used in emergency management, the resulting incident can disrupt interventions and block access to information about a patient's health status. What is at issue here is not the use of information systems in health care facilities, but the possible links between an IT incident and its impact on patient safety and the quality of care.

And the number of vulnerabilities in the information systems of health organizations is not about to fall. The growing number of connected objects in use, unsegmented networks, weak access controls and the dependence on aging systems make the health sector particularly attractive to hackers. In 45% of hacking cases, the attackers exploit an application bug, a malicious email or cryptovirus (ransomware) software. The impact of a security incident can be dramatic from a financial point of view; it can also pose a real risk to the patient.

Some examples: an intrusion that took the information systems of an ARS offline for 24 hours generated service-provider intervention costs of around €10,000 and an estimated productivity loss of nearly €40,000, for a total of €50,000; a cryptovirus in an EHPAD (nursing home) cost €50,000 in direct intervention costs and indirect costs; the hacking of a hospital center's telephone switchboard generated telephony overcharges of around €40,000.

As another example, Dick Cheney, former Vice President of the United States, revealed that his cardiologist had disabled the wireless function of his pacemaker for fear of terrorist hacking. Fortunately, no one has been harmed to date, but this kind of scenario, worthy of an American TV series, is now a reality.

How to protect an organization effectively?


As in any fight, it is important to know your opponent. Risk mapping is the cornerstone of any information system security action plan. Staff, partners and even users must be trained, made aware of and educated about the latest attack techniques and vulnerabilities.

This is the direction taken by the various institutions at European and French level. While the implementation of the GDPR has played a major role in raising awareness among health organizations of the importance of securing quality data, efforts must be strengthened.

In France, since 1 October 2017, health structures have been required to report to the regional health agencies ("ARS") any IT security incidents considered "serious" and "significant". The "Asip santé" was responsible for supporting incident handling, through the "ACSS unit" and in conjunction with the "ARS". But the French Ministry of Health, headed by Agnès Buzyn, wants to go further and proposes to extend the incident reporting system to all health actors and to set up a national cybersurveillance service by 2020.

Most security vulnerabilities are due to a "lack of vigilance" and a "misunderstanding" of cybersecurity rules. It is therefore important for organizations to get support and to protect their systems effectively by equipping themselves with real-time threat detection tools such as Gatewatcher's detection probes. It is also worth developing machine learning and artificial intelligence capable of anticipating the evolution of hacking techniques.

Hacking of connected objects is a major concern, particularly in the health sector, which is why the French national drug safety agency has launched a public consultation to better take the cybersecurity of medical devices into account in Europe. As the cybersecurity culture is very heterogeneous among medical device manufacturers, regulation is becoming essential so that the risk of cyber attacks is taken into account from the product design stage. See you in December for the final results of this consultation, the first of its kind in Europe.
