Are our hospitals at risk of cyber attack?

The biggest privacy risk for hospitals comes not from centralised digital health records but from the security around medical equipment, says cybersecurity expert Jeremy Hulse.


The healthcare sector ranks among the top industries most targeted by cybercriminals globally and most health service providers have responded by beefing up their IT security.

But a narrow focus on IT alone still leaves organisations vulnerable to cyber attack, with operational technology (OT) presenting cybercriminals with the equivalent of an unlocked back door.

In Australia, Office of the Australian Information Commissioner (OAIC) statistics show the health sector consistently reports the highest number of data breaches, with 85 notifiable data breaches from January to June 2021 – 19% of all reports.

In March last year, hospitals in eastern Melbourne were forced to postpone elective surgeries following a suspected cyber attack and, in September 2019, a ransomware attack caused similar disruption for several major regional hospitals in Victoria.

A new report states that over half of internet-connected devices in hospitals may have vulnerabilities that leave them exposed to hackers and could endanger patient safety.

Infusion pumps, the most common type of internet-connected device in healthcare settings, are among the biggest concerns cited in the report, given the potential to interfere with correct medication levels. 

In response to these risks, health service providers have reviewed and strengthened their IT security. This is a good thing. But failure to consider the vulnerability of operational equipment, or over-reliance on ‘air gapping’ or a virtual moat around their IT and OT systems, can undermine those efforts.

OT systems work in the background of hospitals, maintaining vital networks including oxygen flow, ventilation systems, elevators, doors and lighting.

In theory, ‘air gapped’ systems are safe from unauthorised intrusion because they are physically isolated from external systems or the wider Internet. However, truly isolated systems are rare. 

Adding to this risk, the assumption that specialised medical equipment, such as computerised tomography (CT) or magnetic resonance imaging (MRI) scanners, is disconnected from hospital IT systems and therefore safe from external attack is not only wrong but also leaves that equipment vulnerable from both a privacy and a safety perspective.

While older legacy equipment might require staff to manually extract and transfer scans or test results, modern equipment will now take the scan and send the digital result to another machine, such as a PC, which may in turn send a report elsewhere for collation and analysis.

These machines use the same wires as all other equipment at a hospital. 

At the most extreme end, unauthorised access to IT and OT systems can pose a risk to life, with the potential for equipment to be shut down, medications to be altered and test results to be changed.

Less extreme, but no less concerning, is the privacy aspect – the ability for external parties to access sensitive personal information such as an individual’s prognosis, medical testing and treatment.

Despite some community concern, the collection of health data in centralised digital records is actually quite safe. There is significant security in place around these records, including encryption and access keys.  

The risk lies in where this patient health information comes from: the machines feeding in the data from the outer edges of the health network. It’s much easier to secure data in a central point than it is to secure individual machines.

It’s impossible to protect IT and OT systems if you don’t know what’s happening in them, which machines are connected to them and what they are sharing. And the situation is always changing. 

Like attaching a heartbeat monitor to a vulnerable patient, continuous, real-time monitoring is the best way to identify the symptoms of cyber attack – including new connections, unusual data traffic or sharing – early enough to apply effective remedies. 

Early response can be the critical difference between maintaining privacy, security and continuity of medical care and a cyber attack causing potentially irreparable harm through a health organisation’s IT or OT systems.

In the cybersecurity world, as in the medical one, prevention is always better than cure. 

ED: Jeremy Hulse is chief strategy officer with Sapien Cyber.