Connecting With Care: How Ready Is Healthcare IT For The New EU Data Regulations?

By ISBuzz Team, January 18, 2017 (updated December 4, 2024), 7 min read
IT security professionals in the European healthcare industry have a difficult job to do. Every day they face the seemingly impossible task of delivering on two opposing goals: enabling the connectivity and transparency that power digital healthcare, while maintaining strong barriers to protect data, devices and networks from data breaches and cyber-threats.

This challenge is made even harder because digital healthcare allows ever more medical staff without security training to access and share confidential patient data. New security vulnerabilities are opening up everywhere and, if left unprotected, will quickly be seized on by cyber-attackers.

The growing threat

According to the Ponemon Institute[i], the number of criminal attacks on healthcare organisations has doubled in the last five years. In 2015, 112 million medical records were breached in the US alone, 78.8 million of them exposed in a single hacking attack on the healthcare insurer Anthem Blue Cross. Europe is equally vulnerable: in February 2016, a number of hospitals in Germany were hit with ransomware attacks, leading to critical operations being postponed.

To date, many European governments and individual healthcare providers have been free to make their own decisions about cyber-security and protection, which in practice often meant that investment in IT security was minimal. This is about to change.

The European Union’s new, unified and far stricter General Data Protection Regulation (GDPR) is complemented by another legislative item, the Network and Information Systems (NIS) Directive. The GDPR has now been formally approved, after years of debate and modification, and will come into effect in May 2018. The NIS Directive is still being finalised, but is expected to be formally approved in the coming weeks. Once that happens, member states will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services. Any way you look at it, from 2018, healthcare organisations that fail to comply with relevant requirements will have nowhere to hide.

Healthcare providers and their IT security teams need to understand and address the requirements that affect them. Not just for the sake of ‘tick-box’ compliance or to avoid a punitive fine and embarrassing reputational damage, but because doing so will ensure that they and their patients can reap the many rewards of advanced digital healthcare, confident in the knowledge that data, devices and networks are secure.

The drive for connected healthcare

The healthcare sector in Europe is harnessing the power of the internet and digital technologies to enhance medical care for a growing and ageing population, while reducing operational costs and improving efficiency. This digital transformation includes concepts such as eHealth, mHealth and connected clinical environments.

The introduction of electronic healthcare records (EHR) enables patient data to be transferred between different healthcare providers and even across national borders, delivering accurate, consistent and continuous care. Mobile devices such as smartphones and wearables allow long-term chronic conditions – on the rise across Europe – to be managed remotely, while medical equipment, from MRIs to pacemakers and drug infusion pumps, can be connected with each other and share, analyse, adjust and trigger treatment seamlessly in real-time.

Everywhere, patients benefit, healthcare professionals benefit, and overall costs to the nation are reduced.

Country differences lead to security fragmentation

Different European countries are at different stages of the digital journey. For example, while some countries have set detailed requirements regarding the content, security, encryption and hosting of EHRs[ii], others haven’t. Around half of European countries have access restrictions in place for different health professionals, such as doctors, dentists or pharmacists.

These differences have resulted in a fragmented security landscape. This makes it harder to ensure that confidential patient data being shared between countries is equally protected wherever it goes.

(Dis)integrated IT systems

Security vulnerabilities can also be found in the IT infrastructure of healthcare providers. New IT approaches, including the cloud, virtual environments and wireless networks are being widely introduced as part of digital transformation. However, these new technologies are often patched onto legacy IT infrastructures and components, with mission-critical equipment frequently left running on old and outdated operating systems. If there are any gaps in security or resilience the healthcare provider could be at risk of accidental data leakage. At worst, they could be offering cyber-attackers ways into their immensely valuable data repositories that these criminals won’t hesitate to exploit.

Employees

In many healthcare organisations, however, the greatest vulnerability is their employees. Highly trained and experienced healthcare professionals are not IT security experts, yet they are increasingly the custodians of highly confidential digital records and data. The best IT security measures in the world will fail unless employees understand the risks and know how to handle information with responsibility and care.

The appeal of healthcare to cyber-attackers

Cyber-criminals are drawn to healthcare for a number of reasons. These include the lucrative black-market and blackmail value of confidential patient medical data; the extortion opportunities of ransomware; the opportunity for a targeted attack through equipment and dosage tampering; and the malicious pleasure of paralysing a hospital or clinic by disabling its systems. Kaspersky Lab’s own research has shown that it can be relatively easy to hack into a hospital.[iii]

Healthcare providers and their IT security teams need to implement the sophisticated, high-quality protection that will allow them to withstand such attacks. From today, they need to do so in a way that complies with the new GDPR and the NIS Directive.

What the GDPR and NIS mean for healthcare

The GDPR runs to over 200 pages. That’s a lot to take in. If an organisation gets it wrong, the penalties will be swift and severe. For example, after May 2018, any data breach will have to be formally declared within 72 hours, and those affected will need to be informed as well. Further, the GDPR includes detailed instructions around the ‘anonymisation’ of personally-identifiable data, something that is more complex in healthcare because such information can also include biometric, visual (X-ray etc.) and DNA data.

However, it’s the NIS Directive that will have the greatest impact on IT security in healthcare. This establishes the security and notification requirements that need to be met by the network and information systems of those operating essential services such as healthcare. These requirements will need to be integrated as standard when designing and managing such systems.

How to get regulation-ready

There are a number of things healthcare providers and their IT security professionals can do to ensure they comply with the new regulations. The good news is that many of these already appear on the list of security best practice.

They include implementing a comprehensive, multi-layered security solution that encompasses new as well as legacy systems, not to mention all kinds of devices, as well as making sure that device software is up to date, encrypting all data as standard, and introducing robust authentication measures. This should be complemented by sound information governance policies, such as ensuring that confidential or personally identifiable information can be tracked and accounted for at all times, restricting data access to authorised individuals, and educating employees.

Conclusion

Over the next few years, the pace of healthcare’s digital journey will accelerate, introducing ever greater connectivity and generating ever more data. At the same time, cyber-attackers will become more creative and professional, and the number of attempted attacks will increase. It is only a matter of time before healthcare-specific regulation is introduced, and by then the penalties will be even more unforgiving. Don’t wait until tomorrow to introduce the safeguards your patients and organisation deserve today.
