As in many other sectors, the digital era has opened up new possibilities for hospitals. But the explosion of health data is also a source of increased cyber-risk that needs to be anticipated.
Since 25 May 2018, the date from which GDPR (General Data Protection Regulation) has applied, the notion of "health data" has been clearly defined for the first time. The French decree of January 2006 on the hosting of personal health data set out requirements for hosting providers, but not for the data itself. Health data is now "data related to the past, present or future mental or physical health of a natural person (including the provision of healthcare services) that reveals information about this person's health status". This wide-ranging definition therefore includes personal data such as that collected by fitness bracelets and other connected objects.
The connected hospital's promises
This comes at a time when, with an ageing population, hospitals, which more than ever must be welcoming, accessible and comfortable places, are counting on new technologies to help.
The digital era also opens the age of telemedicine (remote consultations, tele-expertise, remote medical monitoring, teleassistance and medical regulation), which promises to improve both access to and the quality of healthcare. This could be a lever for resolving a structural problem of healthcare in France or in the USA: healthcare deserts. Among other measures, on 13 February 2018 the French government announced the creation of an e-health mission whose objective is to encourage online access, the digitisation of prescriptions, and the sharing of information between all healthcare professionals.
An increase in cyber-attacks against the healthcare sector
But digitisation also means greater cyber-risk. According to the McAfee Labs Threats Report of December 2017, healthcare is among the top two most attacked sectors alongside public institutions, and it saw the greatest increase in the number of cyber-attacks of all sectors (+35% ransomware, +24% macOS malware). Another cyber-security organisation even put the figure at 32,000 attacks on average per healthcare company in 2017. Is healthcare a valuable target?
Indeed, healthcare data is essential to hospitals being able to operate: losing access to this data leaves practitioners working blind. Furthermore, because they are so critical, medical devices are attractive targets for cybercriminals: if these devices are unavailable after an attack, the consequences can be disastrous, which is exactly the leverage an extortionist needs.
However, the level of security has often been insufficient because of limited budgets. Recurring security problems (hard-coded passwords*, remote code execution, etc.) are also evidence of a lack of understanding or appreciation of the risks in certain healthcare organisations. Cyber-criminals therefore have a greater chance of getting a financial return from their attacks by targeting this sector, all the more so since they constantly change tactics, moving from traditional ransomware to fileless malware run through Microsoft's PowerShell, which leaves no executable on disk for traditional antivirus to catch.
"Since they lack security due to a lack of resources despite being so critical, healthcare institutions are easy prey," confirms Robert Wakim, Industry Offer Manager at Stormshield. "Blackmailers (ransomware), the mafia (the theft of private data) or even pirate wannabes (script kiddies): everyone has something to gain. It is high time that authorities gave institutions greater resources so they can invest more heavily in personal data security, which is what is most precious to us patients."
With GDPR, a new step for hospitals
"However, with few resources, health professionals often use free tools with little native protection, like Dropbox, for example. They are also generally not very aware of data protection issues," notes Jocelyn Krystlik, Business Unit Manager at Stormshield.
Hospital IT departments will nevertheless quickly have to up their game now that GDPR applies. "Some simple actions are required, such as automatically locking sessions; others are more sophisticated, like encrypting hard drives and data or protecting connected medical machines like scanners behind firewalls," advises Jocelyn Krystlik.
Updating operating systems and applications must become a reflex. This point is even more critical in hospitals, where there are always machines running obsolete operating systems that leave them vulnerable, as the WannaCry attack showed: it spread through a Windows SMBv1 flaw for which Microsoft had published a patch (MS17-010) two months earlier, and the hosts it took down were those that had not applied it or were running versions no longer supported.
Solutions to remedy weaknesses in healthcare institutions
But hospitals' weaknesses also stem from the need of many healthcare professionals to collaborate with people outside their organisation (other institutions, independent practitioners, etc.). Each of these exchange points is an IT risk. Security has to come into play at this level, to provide secure collaboration services and to make sure these third parties are themselves sufficiently protected.
The CNIL (the French data protection authority) has published a series of recommendations, along with a six-step process that healthcare institutions can apply:
- appointing a data protection lead
- mapping the different ways in which personal data is processed
- prioritising the actions to take
- managing risks
- organising internal processes
- documenting compliance and keeping that documentation up to date
To remedy these often structural weaknesses of healthcare institutions, there is another possibility: blockchains that secure the storage and transmission of the enormous quantities of data that healthcare institutions must manage. A recent study from IBM found that 16% of healthcare sector executives planned to use this technology in 2017, and 56% planned to implement such solutions by 2020. A blockchain can give records integrity and an audit trail, but it does not by itself fix the weaknesses described above (unpatched systems, hard-coded credentials), and the entries it holds still need encryption and access control if health data is to stay confidential. The rest of the healthcare chain, from administration to practitioners, still needs convincing!
* Hard-coded passwords: embedding passwords in clear text, or other secrets such as private keys or API keys, directly in source code or firmware. Anyone who obtains the binary, the repository or the device image can recover them, and the same credential is typically shared by every installed copy.
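The "hard-coded passwords" problem cited above and defined in this footnote is one that can be checked for mechanically. The following scanner is an added example written for this article (it is not Stormshield code): it flags credential assignments, embedded PEM private keys, URLs carrying a user:password pair and long random-looking literals in source text, skips obvious placeholder values, and shows the hardened counterpart, a loader that takes the secret from the deployment environment and refuses to start with a missing or placeholder value. The sample device configuration it scans is constructed for the demonstration, and the identifier names the patterns look for are an assumption about common practice rather than an exhaustive list.

```python
"""Scan source text for hard-coded credentials and private keys.

Added example for this article; not Stormshield code. The sample sources
below are constructed for the demonstration, and the identifier names the
patterns look for are an assumption about common practice, not a complete list.
"""
import math
import os
import re
from collections import Counter

# Shapes of hard-coded secrets that turn up in firmware and application code.
PATTERNS = {
    # name = "value", where the name suggests a credential
    "password-assignment": re.compile(
        r"""(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*["'](?P<value>[^"']{4,})["']""",
        re.IGNORECASE),
    # PEM header of an embedded private key
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # scheme://user:password@host
    "url-with-credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.IGNORECASE),
}
# Any long, space-free literal on the right of an assignment: flagged if it looks random.
GENERIC_LITERAL = re.compile(r"""[:=]\s*["']([A-Za-z0-9+/=_\-]{20,})["']""")
ENTROPY_THRESHOLD = 3.5  # bits per character; hex or base64 key material lands near 4-6

# Values that match the shape but are obvious placeholders, not live secrets.
PLACEHOLDERS = {"changeme", "password", "xxxx", "redacted", "example"}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_source(text: str) -> list[tuple[int, str]]:
    """Return (line_number, finding_kind) for every suspicious line in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = []
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if kind == "password-assignment" and m.group("value").lower() in PLACEHOLDERS:
                continue  # a placeholder, not a live credential
            hits.append(kind)
        if not hits:  # entropy check only for lines no named pattern explained
            m = GENERIC_LITERAL.search(line)
            if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
                hits.append("high-entropy-literal")
        findings.extend((lineno, kind) for kind in hits)
    return findings


def load_secret(name: str, env=os.environ) -> str:
    """Hardened counterpart: take the secret from the deployment environment, never from source.

    Fails closed on a missing or placeholder value so that a misconfigured device
    stops instead of running with a default credential.
    """
    value = env.get(name)
    if not value or value.lower() in PLACEHOLDERS:
        raise RuntimeError(f"secret {name} is not configured")
    return value


# Constructed sample: the kind of device configuration the footnote warns about.
VULNERABLE_SOURCE = """\
# device config for a connected infusion pump (constructed sample)
DB_PASSWORD = "Sup3rS3cret!"
admin_pwd = 'changeme'
password_prompt = "Enter your password"
API_KEY = "ak_live_9f3c2b7d1e4a5f6b8c0d"
SYSLOG_URL = "https://svc:hunter2@syslog.hospital.example/"
SIGNING_MATERIAL = "b7f4e9a2c1d8f0e3a6b5c4d2e1f0a9b8"
PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAfakekeymaterialforthedemo
-----END RSA PRIVATE KEY-----'''
timeout = "30"
"""

# Constructed sample after remediation: secrets come from the environment or a mounted file.
HARDENED_SOURCE = """\
import os
DB_PASSWORD = os.environ["PUMP_DB_PASSWORD"]
with open("/run/secrets/pump_key.pem", "rb") as f:
    PRIVATE_KEY = f.read()
"""

if __name__ == "__main__":
    for lineno, kind in scan_source(VULNERABLE_SOURCE):
        print(f"line {lineno}: {kind}")
    print("hardened findings:", scan_source(HARDENED_SOURCE))
```

Run against the constructed vulnerable configuration, the scanner reports lines 2, 5, 6, 7 and 8 (the placeholder `changeme` on line 3, the prompt string on line 4 and the numeric timeout are correctly ignored); the hardened version produces no findings. The entropy check is deliberately applied only to lines no named pattern already explains, which keeps a single line from being reported twice, and the threshold is a tunable assumption: lower it and prose strings start to trigger, raise it and short hex keys slip through.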