Risk and continuity management in the healthcare sector

What it means for risk and continuity management in the healthcare sector when security gaps exist in the data process and hospital computers and medical equipment can be attacked at any hour was once again demonstrated at the 5th "Information Security in Healthcare" conference.

Unlike the Ransomware and WannaCry attacks that kept end users and enterprises around the world on edge in 2017 (see, e.g., May 2017 Management and Quality and the post on "WannaCry" Attack - No Breathing a Breath Yet"), there were no such large and all-encompassing outbreaks per se in 2018 except for the Emotet malware.

In November 2018, for example, a clinic in Fürstenfeldbruck, Bavaria, was completely frozen by the Emotet virus.

The clinic had to make do without computers; direct ambulances to other hospitals. As we learned right at the beginning of the conference, another, more perfidious form of malware now dominates the scene. This undermines the entire integrity of a healthcare facility rather insidiously, but can also sometimes block the entire operation.

Hospitals in the focus of attacks

Malware authors focused their attention on hospitals, especially in the second half of 2018 - mainly due to the more promising profit maximization. The detection of malware targeting enterprises increased significantly - by 79 percent to be exact - compared to the previous year.

This is primarily due to the increase in backdoor attacks, miners, spyware and information theft, which specifically includes health data.

In 2018, there was a shift in ransomware attack techniques. Instead of the classic approach of malvertising exploits that provided entry points for ransomware, threat actors conducted targeted, manual attacks.

It is very complex not only to dedect the damage, but also to clearly regulate the responsibilities of those responsible for information. Dr. Eric Dubuis, professor at the Bern University of Applied Sciences, pointed out that not only hospital managers and doctors, but also pharmacists, affiliated administrative service providers and even laboratory employees can be infected with malware and spied on.

There is a tendency for more and more users to be tapped for personal data via digital social engineering offers, e.g. via communication apps such as WhatsApp . WhatsApp, for example, was hacked in May 2019. Medical professionals are also very active users of such communication tools. The threat situation in the healthcare sector is therefore increasing with increasing digitalisation and networking.

Negligent data transmission

In the individual conference streams, one learned a great deal about the status quo of the medical industry. For example, Chris Berger, UMB AG, pointed out certain gaps in the industry: "The Swiss healthcare system is only 20 percent digitalized, if you believe a recent study by digital.swiss I want to pay attention to."

In his keynote address on "Holistic Approaches to Leveraging People and Infrastructure in Healthcare," Berger repeatedly pointed out that not only are medical devices with particularly sensitive personal data inadequately protected, but also that individual healthcare providers are negligent in their handling of data - for example, they forward unencrypted e-mails.

Digitalization and the resulting innovations support the improvement and increase the efficiency of healthcare. However, the electronic recording, transmission, processing and interpretation of health data will not be granted in the same way everywhere, Berger concluded.

On the other hand, self-contained systems such as the electronic patient dossier provide more transparency on the clinical picture or treatment steps for involved parties such as healthcare providers and patients.

This will promote closer networking between the various service providers and support a holistic view of patients' health. The collection and provision of health data in a protected patient dossier is a central instrument for the use of these possibilities.

In Rotkreuz/ZG, individually affected hospital service managers underlined the explosive nature of information security in the healthcare sector. According to Franco Cerminara, Chief Consulting Officer, InfoGuard AG, attacks happen every day. When hackers blackmail healthcare institutions by publishing patient data, they threaten to damage their reputation and violate patients' fundamental rights.

Worst Case Black Out

After all, an attack on critical infrastructure, including healthcare facilities, has serious implications for the well-being of patients (see e.g. Power outage in Venezuela in the dialysis of 15 patients).

For Swiss health care managers, "black outs" do not seem to exist, because every piece of medical equipment is equipped with spare batteries.

But are hospital service providers always informed about all their end devices linked to the network? In the event of a failure of the most important systems, comprehensive ad hoc organizational measures with high personnel deployment become necessary in order to be able to maintain operations as far as possible.

Employees of health care facilities have access to personal data that is particularly worthy of protection, but to date they have not been sufficiently sensitized with regard to IT or information security.

Only if users, providers and decision-makers "work better together", was the conclusion reached at the 5th "Information Security in Healthcare" conference, can information security and data protection in the Swiss healthcare sector be increased.

www.infosec-health.ch/conference-2019.html