Security first – hospitals prime targets of cyberattacks

Safety should be a top priority when it comes to safeguarding human lives. That's why hospitals must protect their computer networks and data against unauthorized access. However, thanks to the proliferation of connected devices in hospitals, they are at high risk of suffering devastating cyberattacks. There is also a lack of cybersecurity awareness.

In this MEDICA-tradefair.com interview, Professor Föller-Nord explains why more and more hospitals suffer cyberattacks, describes the difference between safety and security and reveals how hospitals and medical devices can be protected from hackers.

Professor Föller-Nord, why does cybersecurity play an increasingly important role in our healthcare system?

Prof. Miriam Föller-Nord: That's because digitization and networks are ever increasing. This aspect generally plays a key role in today's society. We live in an increasingly connected world. At this point, we can research almost anything online, have full access and control everything. Needless to say, this also means an increase in risk from cyberattacks by hackers with criminal intent. This also applies to hospitals because they, too, are more and more connected. That's actually a good thing. In the past, medical devices often tended to be standalone applications. They had an encapsulation format and no digital interface and could not be externally accessed. Today that's no longer the case. These days, more and more devices are connected to only one network. They typically have a standard interface for data transfers, which allows hackers to enter the network and launch cyberattacks.

What does a cyberattack look like?

Föller-Nord: You have to differentiate between attacks launched on a hospital infrastructure or a specific medical device. It's relatively easy to attack an infrastructure through the Internet. Trojans enter a system if an employee unintentionally opens an email attachment that embeds the Trojan virus or if the associate plugs in a USB stick that he or she found in the hallway and that launches the Trojan, which can then fully spread across internal networks. These are typically Encryption Trojans that encrypt the hospital's data and files. Meanwhile, hackers can also attack medical devices. Some devices have a wireless interface, which usually doesn't offer great protection. If an attacker gains access to the device, he or she can access and analyze data. He or she can control the data if he/she knows the format.

Cyberattackers are mostly financially motivated. By encrypting the data, they can blackmail hospitals and demand ransom. Their goal might also be espionage, as in industrial espionage for example. When it comes to hospitals, the goal is to access sensitive patient records. A classic malicious intention of hackers is to simply paralyze hospital operations or to destroy equipment functionality.

What does that mean exactly? What are the effects of cyberattacks - both for the hospital and patients?

Föller-Nord: Unfortunately, this type of attack can fully cripple a hospital, especially when data on hard drives is being encrypted. In other words, neither the hospital admission procedures nor the diagnostic and treatment processes can be carried out. Not only does this translate into financial losses, but it is also damaging to a hospital's reputation, which in turn has a major financial impact. Meanwhile, patients tend to be more indirectly affected by the attack. Having said that, if a hospital is no longer able to admit emergency cases, it will obviously directly harm those patients that are in dire need of treatment. The same applies to surgeries that can no longer be performed because the network is down. Having said that, if the attack specifically targets an insulin pump or a pacemaker, it directly puts lives at risk. If the function of devices is compromised, it can physically harm patients to the point of death. However, the high cost of attacking one person is not proportional to the minor benefits yielded from this type of attack.

Normally, the attack targets the hospital infrastructure. And this is where hospitals are indeed at high risk. According to a survey by the Hessian state government, every fourth hospital has fallen victim to cyberattacks over the past two years. One study by a management consulting firm actually indicates that 64 percent of all hospitals have been attacked at one point or another. What’s more, there is a percentage of unreported cases, because the attack was either detected too late or not at all or hospitals simply chose not to publicize an attack. Based on this information, we can assume that hospitals everywhere are being attacked on a weekly basis.

How can hospitals and medical devices be made safer and more impenetrable to cyberattacks?

Föller-Nord: It is crucial - and this was something that has not been the case in the past - that cybersecurity awareness is already being incorporated into software development processes. We simply need secure software. Security is more than just functional safety, which means the device operates correctly and does not endanger patients. Devices also have to be safe from unauthorized third-party access. What's interesting is that the German language only has one word for safety and security ("Sicherheit") and makes no distinction between the two concepts. The English language differentiate between functional "safety" and cyber "security" to set the two ideas apart. In other words, it is simply not sufficient to ensure that a device is functionally "safe", yet deliver it without "secure" software due to time constraints and simply adapt it later on for the next upgrade. Cybersecurity must be part of the software development process from the outset. This also applies to hospital settings. The hospital network must be secured and protected against cyberattacks right from the start.

Humans are the weakest link in the cybersecurity chain and thus play a key role. Hospital employees must be trained and educated to understand how these attacks can happen. In other words, they should know that they must never plug in a USB stick they found somewhere or open an email attachment from an unknown source. From my perspective, those are the critical success factors to improve cybersecurity in hospitals or medical devices.

This means both developers and users assume equal responsibility for this endeavor.

Föller-Nord: That's right. Government agencies and public authorities should also be tasked. They must introduce uniform standards or cybersecurity guidelines for the healthcare sector. All hospitals would then have to comply with these official regulations and standards.