Healthcare systems regularly train for cataclysmic events such as terrorist attacks, yet rarely engage to establish what happens if several key IT systems go offline.
Expert speakers at the HIMSS23 European Health Conference and Exhibition in Lisbon (7-9 June) have called for health organisations to prioritise preparedness training and rehearsal to increase resilience in the event of cyber incidents.
This is a crucial issue as cyberattacks around Europe and the globe have become more sophisticated, often forcing hospitals to suspend operations and putting patient care at risk.
Some of the biggest issues include mail phishing, smishing (using fake text messages to trick people into downloading malware, share sensitive information or send money to cybercriminals) and the use of deepfake (digitally manipulated media).
Speaking in the session on ‘Rethinking Cybersecurity for a Connected World’ on Wednesday (7 June), Dr Saif Abed, founding partner at AbedGraham Healthcare Strategies, explained that cybersecurity is “a system problem not an IT problem.”
The impact of cyberattacks is often measured by the number of patient deaths caused, but Dr Abed argued that it would be more accurate to look at the overall impact on patients. For example, if a stroke treatment is delayed for 30 minutes the patient’s recovery may be affected.
“We are here to protect public health and safety, not just to inhibit cyberattacks,’ added Dr Abed.
Prevention is not always better than cure
As healthcare systems become increasingly decentralised and remote working becomes more common, the risks of cyberattacks are further exacerbated. New connected technologies are being adopted faster than they can be secured, making defending against cyberattacks more challenging.
Traditionally, emphasis has been placed on preventative cybersecurity measures, but this alone does not go far enough, according to Lisbeth Nielsen, director general of the Danish Health Data Authority. It is essential that back-up processes are put in place for the event of systems such as electronic health record (EHR) systems going offline.
“We’re not just trying to protect ourselves from attacks. Our focus now is on business continuity and patient safety,” said Neilson. “Although we can’t prevent security breaches, we need to know how to respond and recover.”
She explained that the Danish Health Data Authority has been working to map vulnerabilities and exchange knowledge about cyberattacks using a security analysis system in collaboration with five regional data centres.
“It’s about raising awareness but also practical tools and factual monitoring – so little steps for improving every day and making awareness of how this [cybersecurity] affects nations,” said Neilson.
A similar approach has been taken in France, according to Charlote Drapeau, head of unit at the French national security agency, ANSSI. She said the agency has focused on developing effective solutions based on looking at risk and impact, rather than exhaustive solutions that rely on successfully blocking all attacks. ANSSI made this approach systematic by developing its EIBOS risk manager method to prioritise responses for different attack scenarios.
Reducing human error
One of the greatest risks to cybersecurity is posed by human error, making it essential that all staff are up to date with the latest practices. However, inadequate funding for cybersecurity across Europe means that resources are often lacking.
A 2022 HIMSS survey of 159 cybersecurity professionals found that workforce challenges were a key challenge for healthcare leaders with 84% of those who responded rating recruitment of qualified cybersecurity staff as their top concern. This was followed by insufficient budget as the second concern.
Dr Sabrina Magalini, surgeon at the Agostino Gemelli University Policlinic in Rome, emphasised the vital need to train all clinical staff in cyber hygiene measures.
“Medical training needs to include cybersecurity training in the first year of medical school. The soft skills that they teach us should have cybersecurity training inside,” argued Dr Magalini.
She added that it is also important for cybersecurity knowledge to be included in clinical revalidation and accreditation.
Dr Magalini coordinated the Panacea project on people-centric hospital cyber resilience, which was started in 2019 under the EU’s H2020 initiative.
The project developed nine tools, including a behaviour nudging tool which encourages staff to address risky behaviours based on a human vulnerability list identified in an early part of the project. This sends alerts such as “Stop, think, log out” to remind staff to follow best cyber hygiene practices.
Bringing vendors on board
Ricardo João Correia, researcher at software firm VirtualCare, said that vendors often neglected foundational cybersecurity as it was seen as a cost driver rather than a sales driver.
There can be particular risk from vulnerabilities in hardware infrastructure such as routers and load balancers, which have been found to be big channels for cyberattacks.
Correia emphasised the importance for all vendors to comply with regulation and for software to come with service level agreements (SLAs).
“The connected world is mess and it’s getting messier,” concluded Correia. “We have to engage the suppliers in this service level way, so that they feel they need to bring new things into this area and not only do whatever they are being paid for.”