The war in Ukraine has been accompanied by talk of a growing cybersecurity threat. Electronic health records (EHR), data sharing, telehealth, and ICT have become commonplace in health care, making the field more interdependent, and hackers are increasingly targeting healthcare organizations.
In February, one day after the invasion of Ukraine, the American Hospital Association issued a warning about potential cyber threats from Russia, stating that hospitals could be targeted directly or become collateral damage in a malware attack. For Dr. Sabina Magalini, senior emergency trauma surgeon at Gemelli University Hospital in Rome, the nature of the threat has changed, away from people seeking financial gain. “The intention now is not to do ransomware, but to do harm,” she said.
Magalini, who was recently involved in an EU-funded cybersecurity project called Panacea, says healthcare professionals are busy and IT departments work in different silos from their medical colleagues. While medicine is increasingly reliant on digitization and AI, cyber hygiene is uneven, she explained. “I always say that if you were working on a nuclear power plant, maybe you would qualify more. Working in health care, cybersecurity is not your primary focus.”
Putting the lives of patients at risk
A system failure in health care can be catastrophic. The Irish health system lost access to phone and email communications after a ransomware attack last May, when a malicious MS Excel file was opened by a staff member. In 2020, a cyber attack in Germany led to the death of a patient when treatment was delayed.
The EU is expected to update its strategy to improve cybersecurity across the EU, the NIS Directive, later this year. The European cybersecurity agency, Enisa, has published a report on how pseudonymization can help protect patient data and offers training webinars to improve the skills of the workforce. Enisa says more than 350,000 cybersecurity positions are vacant across the continent.
The rapid digitization of healthcare during the COVID-19 pandemic created two different security weaknesses, according to Alessandro Ortalda, a researcher at the Vrije Universiteit in Brussels who has advised governments and public institutions on cybersecurity. One is the potential for cybercriminals to compromise patient safety by hacking into connected devices. The other is that they would obtain patient data and sell it or hold it for ransom.
Of the two, data breaches are the more critical, says Ortalda. “If you’re targeting a specific medical device, you’re targeting one person or a small group of people. But if you’re targeting a database that hosts data from hundreds or maybe thousands of people, the potential gain is much, much higher. And accessing these types of databases is much easier than breaking into a medical device.”
Regulations like GDPR provide a strong framework for data protection, but can be difficult to comply with, Ortalda said. “One of the things that is often difficult for security personnel is how to translate these high principles into actionable requirements at the implementation level.”
Although awareness of the cyber threat is growing in health care, experts say funding is an issue. Better resourcing and the creation of new data protection officer (DPO) roles, a position envisioned by the GDPR, would help healthcare institutions be prepared, Ortalda suggests. “Right now, DPOs and privacy departments are severely understaffed and under-resourced. This is a big problem for organizations like hospitals or pharmaceutical companies.”
In the meantime, both defense and attack strategies will evolve, he said. “The one who is ahead is always the attacker. It is always easier to attack than to defend.”