Smart Hospitals – Part 2: Managing the Inherent Cyber Security Risk

by Dimitrios Gontzes

Becoming a Smart Hospital is not a utopian state. In my previous blog, I described what a Smart Hospital is and how tangible its defining assets are. In fact, hospitals are inevitably moving in this direction – they adopt new technologies and systems to enable them to respond to increasing customer demands, achieve greater efficiencies and react better to regulatory standards and disruptive risks. Hospitals are also expected to experience great benefits from using an interconnected network of systems and devices – increased healthcare reach (through tele-health and tele-monitoring), cost and time savings, and enhanced quality of care. Furthermore, Smart Hospitals are likely to bring improvements in the areas of patient safety, medical and surgical capabilities, and customer experience.

Smart Hospitals, however, seem to carry an inherent danger – the cyber security risk.

Cyber security has always been a hot topic for healthcare organisations. The data they handle is considered very sensitive, and the use of devices or other technologies can have a direct impact on the health of individuals. This issue becomes even more important with the introduction of networked systems and the Internet of Things (IoT). Why? Because a system is only as resilient as its weakest component. In this world of increasing interconnectedness and growing numbers of IoT devices, the number of attack vectors will increase, and so will the number of vulnerabilities. In addition, as is often the case with healthcare organisations, new technologies connect with legacy systems that may remain inadequately protected. The unprecedented speed of technological innovation may also result in outdated malware detection mechanisms, unrealistic organisational policies and a lack of standard device configurations, which can further weaken an organisation’s defences.

So, what are the types of cyber threats a modern hospital faces and what are the consequences?

According to a survey conducted by ENISA, the most critical threat to a hospital’s operation, staff and patients is the threat of malicious attacks. A malicious attack is a deliberate action by individuals or organisations and may include malware such as viruses and ransomware, network or device hijacking, theft of data or physical devices, medical device tampering, Denial of Service (DoS) attacks and others. Most of the time, there is a financial motive for these attacks. Attackers can take control of systems and devices, steal patient data or equipment and sell them to the highest bidder, or even hold operational data hostage, demanding a ransom for its release.

The most likely threats, however, seem to stem from human error. Exceptionally disruptive in a smart hospital setting are medical system configuration errors, patient or physician errors and inadequate access controls. Take the infusion pump case, for example. Generally, hospitals make sure that such devices are configured to prevent over-infusion of drugs, but provide override access for specialised staff in case of an emergency. If the device is not configured with such access controls, patients and other individuals can tamper with the device and the drug delivery protocol, which might have deadly consequences. Other threats that prove troublesome to a hospital’s operations are system failures, such as software and device failures, and supply chain failures, particularly with third-party service providers and suppliers. Such errors and failures can be critical, as they pose an immediate danger to the patient’s health. In addition, they may also affect the hospital’s everyday operations and therefore its profitability and reputation.

When it comes to managing security risk and breaches, there are a few tried and tested practices. First stop: a cyber security risk assessment. What are your weakest points, which threats can exploit these vulnerabilities, and what are the likelihood of a breach and its potential impact? Moving on to protection measures, technological solutions such as anti-malware software, regular backups, firewalls and data encryption are the most commonly used. Particularly effective is the architectural measure of dynamic network segmentation, where system components that are more susceptible to cyber-attacks are separated from the critical components of the network. Asset management and standard configuration protocols can minimise human error and make the detection of malicious activity more effective. An organisation should certainly not rely solely on its technological measures. Internal security policies, distinct roles and access controls, frequent penetration testing and security audits, as well as comprehensive awareness and training courses, can strengthen a hospital’s resilience and minimise these cyber risks.

The future of healthcare is undeniably here. It is digital, networked, personal and collaborative. There are great benefits in embracing the technological revolution, but one must be protected against its dangerous artefacts.