IT security in the healthcare sector: overdue regulation

Healthcare and many medical processes are no longer possible efficiently without IT, which is made clear by terms such as computer tomography or electronic patient files. Increasingly, IT-supported devices are supporting or taking over medical processes: In the doctor's office, ultrasound or blood pressure monitors provide the basis for decision-making by the staff; state-of-the-art technology also uses Big Data: state-of-the-art ultrasound devices, for example, can directly highlight conspicuous areas in the image from a medical point of view. Artificial intelligence recognizes patterns and provides decision-making aids, but is still far from being able to prescribe decisions itself. In the end, the medical professional must have the competence to interpret the results correctly and draw conclusions. On the other hand, there are already automatic machines that work independently: For example, infusion devices that deliver a certain amount of medication over a certain period of time, or laboratory machines that measure and process results.

Interfaces and outdated systems as security risks

Unlike a few decades ago, medical devices such as pacemakers today have interfaces to read out data and adjust parameters. In the stationary environment, these interfaces are common and necessary for maintenance and configuration. However, this opens up opportunities for misuse if they are not secured against unauthorized access. The question arises as to how easily an interface can be accessed and from which environment. Are components controllable via radio or the Internet? The probabilities of such attacks have not been conclusively clarified, but external manipulation is conceivable, which is particularly delicate for IT such as pacemakers, which directly affect people.

In general, the manipulation and alteration of data by unauthorized persons, which support the physician in making a decision, is critical - be it surgery on the wrong leg or wrong laboratory values. Manipulated components can also be dangerous in the production of drugs, when IT systems support the dosage for mixing ratios.

Another difficulty in ensuring IT security is that, due to the high costs, medical devices and equipment are used over a long period of time: The investment in e.g. imaging procedures (e.g. computer tomographs) must be amortized and the machines remain in use for a correspondingly long time, especially since they require high demands on manufacturers and approval. As a result, equipment continues to be used which, from an IT point of view, is no longer state of the art, as it runs with old operating systems and components without virus protection but, from a medical point of view, still fulfils its purpose. In each individual case, the operator must weigh up the risks associated with the outdated IT technology, whether these are acceptable or whether and what measures must be taken to reduce or completely eliminate the risks. This is not always possible: If a generation of pacemakers has a security gap, not all of them can necessarily be replaced, as there may be patients for whom the procedure represents an unacceptable medical risk.

In the healthcare sector, there is always a clash of interests: staff think about their needs in order to fulfil business processes, hospital management thinks about economic KPIs and, due to a shortage of skilled staff and cost pressure, IT security experts are not in every hospital. It requires competencies to manage the IT infrastructure securely and the efforts are not keeping pace with the requirements. Skilled workers are expensive and hospitals compete with industries that can offer better conditions for skilled workers. This framework determines the level of security - if an attack occurs, it is not enough to blame the hospital. Attacks on hospitals with crypto Trojans in particular have increased in recent years, but the threat situation varies - some areas have the necessary know-how and awareness of threats, others do not. Unfortunately, there are no simple solutions for complex (threat) scenarios.

IT security prevents manipulation and unauthorized access

Overall, IT is considered secure when unauthorized persons cannot harm patients and manipulation is also impossible. This also includes incorrect use, when qualified personnel accidentally press a wrong button, the IT recognizes the error and follows up. The "secure by design" approach can achieve this: the devices are inherently secure and only become vulnerable when they are deliberately opened or modified, which can be reduced via defined deployment environments. Another principle of IT security is segmentation. If functional networks are separated - admin area from business processes, administration from the medical area - hackers, for example, have less of an easy time and malware does not spread easily because additional security hurdles have to be overcome within IT.

Targeted regulation is lacking

A central problem for IT in the healthcare sector lies in the lack of regulation and the non-existent concrete specifications for IT security. The topic has been in a state of flux for about two to three years and is increasingly the focus of regulatory attention.

Regulation must focus on products that come into direct contact with humans and whose misuse can harm them. Hospital information systems, as a central tool, also have interfaces with medical devices and must be safe. However, regulation must be carried out with a sense of proportion: IT must not decide for the medical practitioner, who can even compensate for errors in the technology with his knowledge. A risk assessment must therefore be carried out.

In order to create a uniformly high level of protection in IT security, a level playing field must be achieved for all manufacturers and participants. This can be achieved with concrete specifications and targets defined by the regulatory authorities. In doing so, it is necessary to reconcile different interests. If a product cannot be used quickly because of its authentication and security procedures, this can harm the patient just as much as a lack of IT security: Defibrillators - which contain a lot of IT via their sensors - do not require authentication, for example, as this would take too much time in an emergency.

Conclusion

It must be ensured that unauthorized persons cannot use the IT in medical devices and systems against the patient and that components and systems are only open to authorized persons. Companies specializing in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards - although a sense of proportion is required here. Because overregulation can also cause damage.