Cybersecurity in Healthcare: what are the trends?

First of all, it is necessary to consider that the number, variety and interdependence of the different business processes, that is the processes to protect the patient's health, is very vast and expresses enormous internal complexity. The adoption of IT solutions to support these processes has not been uniform and planned but has had different evolutions, often independent and not shared, starting from the intrinsically more technological departments (such as radiology) and gradually covering all the different functions.

In the last fifteen years, digitization and in general the adoption of IT solutions has had a very strong acceleration, aiming both at the rationalization and integration of the existing and the coverage of new processes. Taking into account the starting diversity and differences, the lack of coordination at a national and sometimes regional level, the result is on average an extremely complex information system, diversified and stratified on the various evolutionary lines.

Given the very strong interdependence between applications and processes, taking into account the number and type of users, it is extremely expensive, in organizational and training terms, to replace an application. The main consequence is a strong presence of legacy solutions, designed and developed with sometimes obsolete methodologies, frameworks and technologies and in a context where security was not one of the main requirements. Today there is a complex and fragmented information application ecosystem, with integrated solutions with the most diverse technologies and methodologies, sometimes even poorly documented. It follows that the vulnerability of a single application is often reflected on the entire system and even a what-if analysis is very complex.

At a regulatory level, the healthcare world is pervasively impacted by the laws protecting privacy and by some directives on cybersecurity (for example the Directive 2016/1148 on the security of networks and information systems, better known as the NIS Directive). Regulatory compliance is very important and disputes related to errors, or alleged errors, in the treatment processes, could be added those deriving from violations of the rights protected by the legislation on the protection of personal data.

A hospital structure is characterized by the need to operate in continuity of service: there are no maintenance windows. Consequently, updating and patching systems and applications are complex to implement, also taking into account the often obsolete architectures that do not allow systems to be updated without interrupting services. It is therefore not unusual to have a large number of systems subject to vulnerabilities that have been known for some time and for which the relative patches have been released but which for the reasons mentioned above have never been applied.

From the point of view of technological equipment, there are apparatuses that historically have had as their focus the search for performance in terms of diagnostics or diagnostic support, almost completely neglecting the security aspects. Hence, extremely sophisticated devices from a biomedical point of view can use obsolete and no longer supported operating systems. The situation is even more burdened by the fact that these devices require certifications which could be compromised if an attempt is made to install security solutions on these operating systems afterwards.

The criticality of electro-medical devices is now accentuated both by a process of miniaturization and by the increasing use of wireless technologies. While this allows for the production of equipment that can be used on the move with great benefits for both staff and patients, on the other hand it poses ever greater safety problems. In addition, to ensure the operational continuity of their solutions, manufacturers often offer a remote monitoring service which however requires the opening of VPN connections, sometimes made with proprietary equipment, which are complex to manage and monitor. These connections, in some cases, are also an indispensable prerequisite to be able to take advantage of assistance on the devices themselves.

In assessing the security aspects of electromedical devices, it must be taken into account that these devices not only have a diagnostic use but are increasingly also supporting therapies and treatments. Just think of the use of robotics in precision surgery, radiotherapy or the latest discoveries that by combining different technologies such as magnetic resonance and ultrasound are able to remove damaged brain cells. Since these devices intervene directly on the patient, the problem is no longer just security but also safety: their compromise can have very serious effects.

To protect both, the European Community has moved with laws mainly aimed at manufacturers of medical devices, but security, to be effective, must be based on a shared responsibility model, therefore it is essential to ensure that the IT infrastructure in which the devices medical devices are installed, meet shared security requirements.

"Manufacturers must establish the minimum requirements for the hardware, IT network characteristics and IT security measures, including protection against unauthorized access, necessary to run the software as intended." - Annex I, point 17.4