of healthcare organizations have experienced a data breach in the past 2 years - McKinsey
In recent years, the world of public and private health has seen numerous serious cyber-attacks with the aim of cybercrime and theft of patients' personal data.
On the one hand, the GDPR has raised awareness in the healthcare sector of the need - and the obligation - to protect the information of patients and healthcare personnel; on the other hand, it has made those information assets even more attractive to cybercrime professionals. The more a piece of data is protected and subject to regulations and potential sanctions, the more valuable it becomes to attackers, who see in those sanctions a powerful lever for extortion and illicit gain.
The first step in defending your data and information assets from cyber attacks is to know the specific mix of threats to which the type of company or entity you belong to is exposed.
Understanding the major threats and vulnerabilities inherent in the healthcare world, represented by the Healthcare Cyber Risk Matrix (HCRM), is therefore a fundamental guide for security and compliance managers to define priority investment guidelines and determine the most appropriate countermeasures suitable for reducing the risks identified.
A Guide for CIOs and Security Officers: the Healthcare Cyber Risk Matrix
The Healthcare Cyber Risk Matrix is a template that provides those responsible for security in the health sector with valuable information on the defensive measures to adopt. Beyond what the matrix highlights, however, there are issues that must be given due consideration and that, in the health sector, can have high-impact consequences. The reference is to the very high levels of availability that must be guaranteed for medical data, services, IT infrastructures and biomedical devices.
A health facility cannot afford the slightest unavailability of equipment and information that can be essential for the protection of people's lives.
For this reason, all the measures useful for reducing the probability of the major cybersecurity incidents highlighted in the HCRM must be complemented by countermeasures aimed at guaranteeing very high levels of availability of data and technological infrastructures.
Maximum availability of health data and systems and the guarantee of their security must always coexist.
Healthcare Digital Transformation: Cybersecurity for patient and data protection
The healthcare sector has some peculiarities that carry important implications for cybersecurity and for the way it must be approached, imposing constraints that must be taken into account.
IT processes and systems: interdependence and fragmentation of the scenario
First of all, the number, variety and interdependence of the different business processes, that is, the processes that protect the patient's health, is very vast and expresses enormous internal complexity. The adoption of IT solutions to support these processes has not been uniform and planned; it has followed different, often independent and uncoordinated paths, starting from the intrinsically more technological departments (such as radiology) and gradually covering all the other functions.
In the last fifteen years, digitization and, in general, the adoption of IT solutions have accelerated strongly, aiming both at the rationalization and integration of existing systems and at the coverage of new processes. Given the initial diversity and the lack of coordination at a national and sometimes regional level, the result is, on average, an extremely complex information system, diversified and stratified along the various evolutionary lines.
Given the very strong interdependence between applications and processes, and the number and type of users, replacing an application is extremely expensive in organizational and training terms. The main consequence is a strong presence of legacy solutions, designed and developed with sometimes obsolete methodologies, frameworks and technologies, in a context where security was not one of the main requirements. Today the application ecosystem is complex and fragmented, with solutions integrated using the most diverse technologies and methodologies, sometimes poorly documented. It follows that a vulnerability in a single application is often reflected on the entire system, and even a what-if analysis is very complex.
Correlation between applications and processes
Business processes and their efficiency depend more and more on the IT solutions implemented, and the expectation of an always-available service keeps rising.
Compliance and privacy protection laws in healthcare
Culture of security
For healthcare personnel, naturally focused on the patient and the treatment process, an awareness and training path on security issues is essential.
At a regulatory level, the healthcare world is pervasively impacted by privacy protection laws and by some cybersecurity directives (for example Directive 2016/1148 on the security of network and information systems, better known as the NIS Directive). Regulatory compliance is very important: to disputes related to errors, or alleged errors, in the treatment processes could be added those deriving from violations of the rights protected by personal data protection legislation.
24/7 operational continuity of the hospital service
A hospital is characterized by the need to operate in continuity of service: there are no maintenance windows. Consequently, updating and patching systems and applications is complex to implement, also because often obsolete architectures do not allow systems to be updated without interrupting services. It is therefore not unusual to find a large number of systems exposed to vulnerabilities that have been known for some time and for which patches have been released but, for the reasons above, never applied.
Need to align attention to the security and efficiency of health services
From the point of view of technological equipment, there are apparatuses whose historical focus has been diagnostic performance or diagnostic support, almost completely neglecting security. Hence, devices that are extremely sophisticated from a biomedical point of view can run obsolete and no longer supported operating systems. The situation is made worse by the fact that these devices require certifications that could be invalidated if security solutions are installed on those operating systems afterwards.
Medical devices used on the move: focus on security and patient safety
Medical Device Legislation
With regulations 745/2017 and 746/2017, operational since May 2020, the European Community has placed attention on cybersecurity, placing constraints on devices placed on the EU market.
The criticality of electro-medical devices is now accentuated both by miniaturization and by the increasing use of wireless technologies. While this allows the production of equipment that can be used on the move, with great benefits for both staff and patients, it also poses ever greater security problems. In addition, to ensure the operational continuity of their solutions, manufacturers often offer a remote monitoring service that requires VPN connections, sometimes built on proprietary equipment, which are complex to manage and monitor. In some cases these connections are also an indispensable prerequisite for receiving support on the devices themselves.
In assessing the security aspects of electromedical devices, it must be taken into account that these devices not only have a diagnostic use but are increasingly also supporting therapies and treatments. Just think of the use of robotics in precision surgery, radiotherapy or the latest discoveries that by combining different technologies such as magnetic resonance and ultrasound are able to remove damaged brain cells. Since these devices intervene directly on the patient, the problem is no longer just security but also safety: their compromise can have very serious effects.
To protect both, the European Community has introduced laws mainly aimed at manufacturers of medical devices; but security, to be effective, must be based on a shared responsibility model, so it is essential to ensure that the IT infrastructure in which the medical devices are installed meets shared security requirements.
"Manufacturers must establish the minimum requirements for the hardware, IT network characteristics and IT security measures, including protection against unauthorized access, necessary to run the software as intended." - Annex I, point 17.4
Why rely on a partner with an end-to-end security approach
Multidisciplinarity for the quality of services and compliance
The combination of technical and legal skills is the sine qua non for guaranteeing secure operation and compliance with regulations.
The computerization and growing complexity of information systems have not always gone hand in hand with staffing, especially in the public sector. As a result, IT departments have sometimes found themselves chasing technological evolution, working more on emergencies than on planning. IT processes have therefore not always had the opportunity to evolve appropriately and may in some cases be inadequate for managing issues such as incident management and change management, which are the basis of proper cybersecurity management.
Lutech adopts a holistic approach to cybersecurity and compliance in the healthcare world, to build a pragmatic and sustainable cyber-risk strategy, taking into account:
- Threat trend analysis, to determine the most likely attack scenarios
- The accurate understanding of the processes and elements of complexity of healthcare, to identify the consequences of an attack and the possible impacts
CyberRisk = f(Probability, Impact)
Lutech, in defining a concrete strategy with related intervention plans for healthcare customers, collects, considers and compares all available information relating to cyber-risks in order to identify and optimize the most appropriate investments.
To optimize the investments of each of its customers, Lutech analyzes, verifies, designs, implements and manages the solutions identified as the best to guarantee the security and operational continuity of the healthcare facility.
Security end-to-end with Lutech
We follow the customer at every stage: from advisory, to the implementation of the proposed solutions, to support in operational management, thanks to the Managed Security Services offered by Lutech's Next Generation Security Operations Center (NG-SOC).
Lutech Cybersecurity Advisory services
Lutech's Advisory Services and its portfolio of professional services tailored to the healthcare world are a fundamental factor for success. It is in fact necessary to address both the more traditional and specific needs arising from legacy environments, technological multilayers or architectural silos typical of bio/electro-medical environments, and those relating to the new multicloud paradigms, IoT or the application of Artificial Intelligence and Machine Learning.
Overall, the Advisory services make it possible to obtain a holistic view of the company or health institution, starting from the business requirements (provision of quality services to patients) up to a tailor-made combination of suitable organizational, procedural and technological solutions, following phases and procedures defined and shared with the customer.