Healthcare systems routinely train for catastrophic events such as terrorist attacks, yet rarely rehearse what happens if several key IT systems go offline at once.
Expert speakers at the HIMSS23 European Health Conference and Exhibition in Lisbon (7-9 June) have called on health organizations to prioritize preparedness training and rehearsals to increase resilience in the event of cyber incidents.
This is an important issue as cyberattacks become more sophisticated in Europe and around the world, often forcing hospitals to suspend operations and putting patient care at risk.
Some of the biggest issues include email phishing, smishing (using fake text messages to trick people into downloading malware, sharing sensitive information or sending money to cyber criminals) and deepfakes (digitally manipulated media).
Speaking at the session ‘Rethinking cyber security for a connected world’ on Wednesday (7 June), Dr Saif Abed, founding partner of Abedgraham Healthcare Strategies, explained that cyber security is “a systems problem, not an IT problem.”
The impact of cyberattacks is often measured by the number of patient deaths, but Dr Abed argued that it would be more accurate to look at the overall impact on patients. For example, if stroke treatment is delayed by 30 minutes, the patient’s recovery may be affected.
“We are here to protect public health and safety, not just prevent cyber attacks,” Dr Abed said.
Prevention is not always better than cure
As health care systems become increasingly decentralized and remote working becomes more common, the risks of cyberattacks increase further. New connected technologies are being adopted faster than they can be secured, making cyber attacks more challenging to defend against.
Traditionally, the emphasis has been on preventive cyber security measures, but this alone doesn’t go far enough, according to Lisbeth Nielsen, director general of the Danish Health Data Authority. It is essential that back-up procedures are put in place in case systems such as the Electronic Health Record (EHR) system go offline.
“We’re not just trying to protect ourselves from attacks. Our focus now is on business continuity and patient safety,” Nielsen said. “Although we cannot prevent security breaches, we need to know how to react and recover.”
She explained that the Danish Health Data Authority is working in collaboration with five regional data centers to map vulnerabilities and exchange knowledge about cyber attacks using a security analysis system.
“It is about raising awareness, but also practical tools and factual monitoring – steps too small to improve every day and raise awareness of how this (cybersecurity) affects nations,” Nielsen said.
A similar approach has been adopted in France, according to Charlotte Drapeau, head of unit at ANSSI, the French national cybersecurity agency. She said the agency has focused on developing effective solutions that weigh risk and impact, rather than comprehensive solutions that rely on successfully preventing all attacks. ANSSI systematized this approach by developing its EBIOS risk management methodology to prioritize responses to different attack scenarios.
Reducing human error
One of the biggest risks to cyber security stems from human error, making it essential that all employees are up to date with the latest practices. However, insufficient funding for cyber security across Europe means that resources are often lacking.
The 2022 HIMSS survey of 159 cybersecurity professionals found that workforce challenges were a significant problem for healthcare leaders, with 84% of respondents rating recruiting qualified cybersecurity staff as their top concern. Insufficient budget was the next most frequently cited concern.
Dr Sabrina Magalini, surgeon at the Agostino Gemelli University Policlinic in Rome, stressed the critical need to train all clinical staff in cyber hygiene measures.
“Medical training needs to include cyber security training in the first year of medical training. Cyber security training should be inside the soft skills they teach us,” argued Dr Magalini.
She added that it is also important to include cyber security knowledge in clinical revalidation and accreditation.
Dr Magalini coordinated the Panacea project on people-centred hospital cyber resilience, which was launched in 2019 under the EU’s H2020 initiative.
The project developed nine tools, including a Behavioral Nudging tool that encourages employees to address risky behavior based on the Human Vulnerability Inventory identified in the early part of the project. It sends alerts such as “Stop, Think, Log Out” to remind employees to follow best cyber hygiene practices.
Bringing vendors on board
Ricardo João Correia, researcher at software firm VirtualCare, said vendors often neglected basic cyber security because it was seen as a cost driver rather than a sales driver.
Particular risk may come from vulnerabilities in hardware infrastructure such as routers and load balancers, which have been found to be major channels for cyberattacks.
Correia stressed the importance of all vendors complying with the regulations and agreeing service level agreements (SLAs) for their software.
Correia concluded: “The connected world is a mess and it’s getting messier. We have to engage suppliers in this service level way, so that they feel they need to bring new things to this area and not just what they are paying for.”