Healthcare sector must adopt regulations, standards, guidelines in view of rising threats

Digital transformation is unavoidable in the connected healthcare sector, but it has also led to greater cybersecurity concerns, raising the requirement to protect and secure all components of the supply chain, including and prioritizing data from personnel and patients.

The changing landscape in the healthcare sector has led to greater adoption of regulations, standards and guidelines in various countries and at a regional level, for the protection of information systems, medical information, and to meet cybersecurity requirements for network-connected medical devices, critical infrastructure protection, and privacy protection. 

The number of legal instruments is growing due to the increasing threats to the supply chain, as well as improving cybersecurity and privacy awareness of societies and governments, wrote Fernando Guerrero B, an operational technology (OT) security expert, in an Airbus blog post. It should be emphasized that in many countries non-compliance with local regulations leads to significant administrative (financial) and even criminal liabilities, so compliance is a good practice, apart from being an obligation for company directors and security chiefs, among others, he added.

To protect the healthcare sector, the medical industry must educate and prepare the various stakeholders within this sector, Airbus said. Internal awareness programs are also a key pillar of cybersecurity, as they decrease the probability of success of phishing or ransomware attacks, and therefore these programs should also target patients. It is also important to invest in cybersecurity, not only at the level of healthcare facilities but across all components of the supply chain. 

Earlier this year, the International Electrotechnical Commission (IEC) said that hospital networks have been designed to facilitate ease of access from different networks, posing a far greater cybersecurity risk. The COVID-19 pandemic has led to the rise of connected medical devices across hospital networks, which has accelerated the convergence of the once separate domains of IT and OT, thereby widening the threat landscape, it added.

Based on comprehensive risk analysis, healthcare entities could work on the implementation of an information security management system (ISMS), in order to improve the administration of security controls in their companies, according to Airbus. There are others working on the segmentation of communication networks supported by traffic monitoring and incident response from a Security Operations Centre (SOC), in order to reduce the impact of possible attacks. 

Identity and access management is also performed to prevent unauthorized access to information, according to Guerrero. Apart from this, healthcare entities have prioritized their efforts on security copies and backup management to minimize the impact of a ransomware attack, he added.

“Cybersecurity must be a continuous effort, in which people must be trained, organization policies must be enforced, and new technologies must be gradually deployed,” said Daniel Ehrenreich, cyber defense trainer and consultant at SCCE (Secure Communications and Control Experts). “Cyber defense efforts must constantly focus on a variety of internally and externally generated attacks and supply chain-related incidents. Organizations must separately protect the cyber-physical and the information technology parts of their network. These networks must not converge, but can be securely interconnected as part of the ongoing digitalization process, need to enhance productivity and reduce the cost of maintenance,” he added.

Cybersecurity firm OTORIO revealed ransomware attacks during the COVID-19 pandemic on healthcare targets that led to the paralysis of the operations of some hospitals by these attacks after they categorically refused to pay the ransoms. With cybercriminals increasingly targeting hospitals and medical practices in ransomware attacks, holding healthcare records hostage, the worst-case scenario comes true for any organization – particularly for a healthcare organization, wherein patient lives are put in danger owing to malware attacks. 

Hackers shut down telephone systems, and hospital network administrators had to turn off the internet and other network services to keep the ransomware from spreading, OTORIO said in a blog post. This shutdown snowballed – affecting surgical devices, patient records, appointments, medication management, bed allocation, and medical staff scheduling. Patient interventions and procedures were canceled, and critical patients were moved to other hospitals, it added. 

Initially, the Dax Hospital in southwestern France was hit by a ransomware attack on Feb. 9. This was followed by a similar attack on a hospital in Villefranche-sur-Saône, near Lyon. Both attacks used the Ryuk ransomware. In addition to the two hospitals,  French health insurance company Mutuelle Nationale des Hospitaliers (MNH) was hit by ransomware in early February, disrupting operations.

According to the French National Information Systems Security Agency (Anssi), ransomware attacks in France surged 255 percent last year compared to 2019, with the increase particularly affecting the healthcare sector. There were 27 cyberattacks on French hospitals in 2020, according to the French Ministry for Digital Transition and Communications. 

“These lessons are clear warning signs that what is happening to hyper-connected environments that are more easily attacked will continue to expand into other areas where security by obscurity and air gaps are no longer effective dissuading tactics or strategies,” wrote Jean-Francois Gignac, OTORIO’s director of sales for Canada and North America, in a LinkedIn post.

Criminals typically target smaller practices and clinics that often lack sophisticated technology infrastructure with security safeguards, wrote Michael J. Sacopulos, founder and president of the Medical Risk Institute, in a HUB International blog post.

The good news, however, is that average ransom payment went down 34 percent to US$154,108 from $233,817 in the third quarter of 2020, according to ‘The Coveware Quarterly Ransomware Report,’ which describes ransomware incident response trends during the fourth quarter of last year. The median payment in the fourth quarter also recorded a drop to $49,450 from $110,532, registering a 55 percent reduction. 

With ransomware payments showing a decline, hackers could decide to try out other and more extreme methods to get businesses to meet their demands, which may sometimes have dangerous or even deadly ramifications.

Data released in February by IBM Security X-Force showed that the healthcare sector jumped from last place in 2019 to seventh place in 2020, among the top targeted industries, a surge that was probably driven by COVID-related healthcare attacks and a barrage of ransomware attacks against hospitals. 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.