According to Leon Poggioli, the regional director of Australia and New Zealand at Claroty, all healthcare providers must focus on the increasing cybersecurity risk and the need to protect systems and patient safety.
The aims of cybersecurity programs differ depending on the function of an organisation.
For many, the protection of customer information is paramount, as we have seen from recent high-profile breaches in Australia.
For others, it might be protecting valuable intellectual property, or ensuring that essential services such as electricity or water supply are not compromised.
For healthcare organisations, there is another vital goal that trumps all others - protecting patient safety.
This is in addition to protecting particularly sensitive personal information found in healthcare records, a prized target for hackers.
People can easily change their credit cards or driving licences but cannot change their health records.
Patient safety is becoming a growing concern thanks to the increased use of internet-connected devices for patient treatment and monitoring, collectively called the Internet of Medical Things (IoMT).
IoMT covers any medical device that connects to a healthcare provider's network. That same connectivity makes these devices a prime target for cybercriminals.
The potential consequences of compromise are very serious. Data corruption can lead to incorrect diagnosis or inappropriate treatment, and direct tampering with systems delivering drugs or monitoring vital signs can be fatal.
Cybersecurity in healthcare
According to a 2021 study, approximately half of the world’s hospitals experienced an IT shutdown due to a cyberattack in the first half of 2021.
The study said there had been an 84 per cent rise in reported cyber incidents in Australia’s healthcare sector between 2019 and 2020, and 85 reported data breaches in the first half of 2021 alone.
In 2019, seven major regional hospitals in Victoria were locked down by a ransomware attack. This was followed by an attack in 2021 on UnitingCare, one of Australia's leading providers of aged care services.
In 2021, the Ponemon Institute surveyed 597 IT and IT security professionals in healthcare delivery organisations (HDOs) to understand how COVID-19 had changed the way those organisations protect patient care and patient information from increasingly damaging cyberattacks, especially ransomware. Its headline finding was that 22 per cent of respondents reported an increase in patient mortality following a ransomware attack.
Ransomware attacks also contributed to longer patient admission times, delays in procedures and tests, increased patient transfers or facility diversions, and complications from medical procedures.
The Australian Digital Health Agency has responded to the increase in cyber threats to health systems and data by strengthening the security requirements for clinical information systems connected to the Government's My Health Record system. All such systems must now conform to the eight priority mitigations from the Australian Cyber Security Centre's Strategies to Mitigate Cyber Security Incidents, known as the Essential Eight.
Health cybersecurity mistakes to avoid
IoMT devices and their security challenges do not exist in a bubble. They are one component of a broader ‘cyber-physical system’, a term coined over a decade ago but now taking on greater relevance due to the interconnection of legacy operational technology with modern IT systems.
Most healthcare organisations understand the importance of a framework for securing cyber-physical systems, but this is often not implemented. Here are some of the most common mistakes healthcare providers make:
- Using standard IT security tools in the mistaken belief they can secure IoMT devices. Most tools designed to protect traditional IT systems are inadequate for connected medical devices, which typically speak clinical protocols such as DICOM and HL7 rather than the protocols IT tools understand, cannot host endpoint agents, and may stall or fail when actively scanned. Organisations need purpose-built tools designed to protect both IT and IoMT devices;
- Lacking such tools, organisations resort to creating silos and managing medical device security separately from the rest of their IT security. When cybersecurity silos form within a healthcare organisation, it becomes difficult to respond to threats in a coordinated manner. A converged approach to cybersecurity is essential;
- Organisations fail to assess the risks associated with third-party systems they connect to their networks. Any vulnerability in a third-party system can lead to compromise of the healthcare provider. To protect against these risks, third-party systems must be assessed prior to any engagement and continuously monitored for the emergence of new vulnerabilities; and,
- Organisations do not know what they need to protect. If an organisation does not have a complete inventory of all connected medical devices, including information on their vulnerabilities and locations, it is impossible to make a realistic risk assessment or develop a strategy to secure them.
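The first and last points above (IT tools that do not understand clinical protocols, and the missing device inventory) can be illustrated together. The following Python is an added example written for this page; it is not code from the article or from Claroty. Because active scanning can stall legacy medical devices, discovery here is passive: it reads network flow records of the kind a NetFlow collector or Zeek conn log would provide, classifies endpoints by the clinical protocol ports they use (DICOM on 104/11112, HL7 over MLLP on 2575), pulls a device hint out of an HL7 MSH header for unknown senders, and diffs the result against the asset register. All IP addresses, device names, flow records and the HL7 message are constructed for the example.

```python
"""Passive IoMT inventory from flow records (added example, not vendor code)."""
from collections import defaultdict

# IANA-registered server ports for clinical protocols: 104 acr-nema and
# 11112 dicom, 2575 hl7 (HL7 v2 over MLLP). A client talking to one of these
# ports is treated as an IoMT endpoint worth inventorying.
CLINICAL_PORTS = {104: "DICOM", 11112: "DICOM", 2575: "HL7-MLLP"}

# Constructed asset register: what the organisation *believes* is deployed.
ASSET_REGISTER = {
    "10.20.1.10": {"model": "CT-Scanner-X1", "location": "Radiology, Level 2"},
    "10.20.1.11": {"model": "Ultrasound-U7", "location": "Maternity, Level 3"},
    "10.20.5.40": {"model": "Infusion-Pump-P3", "location": "ICU Bay 4"},
    "10.20.7.2": {"model": "MRI-M2", "location": "Imaging, Level 1"},
}

# Constructed flow records: (client_ip, server_ip, server_port, bytes).
FLOWS = [
    ("10.20.1.10", "10.20.9.5", 11112, 812_000),  # CT sends studies to PACS
    ("10.20.1.11", "10.20.9.5", 104, 44_000),     # ultrasound to PACS
    ("10.20.5.40", "10.20.9.7", 2575, 3_100),     # pump sends HL7 to gateway
    ("10.20.5.41", "10.20.9.7", 2575, 2_900),     # pump NOT in the register
    ("10.20.1.12", "10.20.9.5", 11112, 50_000),   # unknown DICOM client
    ("10.20.3.3", "10.20.9.9", 443, 900),         # ordinary HTTPS, ignored
]

# Constructed HL7 v2 message captured from the unregistered sender, wrapped
# in MLLP framing (0x0B ... 0x1C 0x0D), segments separated by carriage return.
HL7_SAMPLES = {
    "10.20.5.41": (b"\x0bMSH|^~\\&|PUMP-P3|ICU|GW|HOSP|20240101120000||ORU^R01|1|P|2.5"
                   b"\rPID|1||123\r\x1c\r"),
}


def parse_hl7_msh(raw: bytes) -> dict:
    """Return sending application, sending facility and message type from an
    HL7 v2 message, with or without MLLP framing. HL7 numbers the field
    separator itself as MSH-1, so after splitting on it index 2 is MSH-3
    (sending application), index 3 is MSH-4 (sending facility) and index 8
    is MSH-9 (message type)."""
    body = raw.strip(b"\x0b\x1c\x0d")
    msh = body.split(b"\r")[0].decode("ascii", errors="replace")
    if not msh.startswith("MSH"):
        raise ValueError("not an HL7 v2 message")
    fields = msh.split(msh[3])  # msh[3] is the declared field separator
    return {"sending_app": fields[2], "sending_facility": fields[3],
            "message_type": fields[8]}


def passive_inventory(flows, register, hl7_samples=None):
    """Classify endpoints by clinical protocol and mark whether each one is
    known to the register. Unknown HL7 senders get a hint from their MSH
    header so a human can locate the device."""
    hl7_samples = hl7_samples or {}
    seen = defaultdict(set)
    for client, _server, port, _nbytes in flows:
        proto = CLINICAL_PORTS.get(port)
        if proto:
            seen[client].add(proto)
    devices = []
    for ip, protos in sorted(seen.items()):
        entry = {"ip": ip, "protocols": sorted(protos), "in_register": ip in register}
        if ip in register:
            entry.update(register[ip])
        elif ip in hl7_samples:
            msh = parse_hl7_msh(hl7_samples[ip])
            entry["hint"] = f"{msh['sending_app']} @ {msh['sending_facility']}"
        devices.append(entry)
    return devices


def unregistered(devices):
    """Devices on the wire that the organisation does not know it has."""
    return [d["ip"] for d in devices if not d["in_register"]]


def silent_register_entries(devices, register):
    """Register entries with no clinical traffic: stale records or moved kit."""
    active = {d["ip"] for d in devices}
    return sorted(ip for ip in register if ip not in active)


if __name__ == "__main__":
    inv = passive_inventory(FLOWS, ASSET_REGISTER, HL7_SAMPLES)
    for d in inv:
        print(d)
    print("unregistered:", unregistered(inv))
    print("silent register entries:", silent_register_entries(inv, ASSET_REGISTER))
```

Both gaps matter for risk assessment: the two unregistered endpoints cannot be scored for vulnerability or located on a ward, and the silent register entry may be a device that was moved or decommissioned without the register being updated. In a production deployment the port map would be replaced by protocol parsing of the DICOM association and HL7 traffic itself, since clinical systems are frequently deployed on non-default ports.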
Meeting the cybersecurity challenge of patient safety
To complete any task successfully, healthcare organisations need the right tools. Securing healthcare cyber-physical systems to maintain patient safety is no exception. Purpose-built healthcare security tools ensure medical devices are well protected and well managed, resulting in better outcomes for patients and safer provision of care.
But this journey does not have to be undertaken alone. Finding a specialised security partner with deep healthcare expertise can simplify the process, ensuring health providers are using the most appropriate tools with maximum effectiveness, and ensuring serious mistakes are not made during implementation that would compromise patient safety.