It has generally been assumed that sectors like finance, energy and transport are most at risk of attack by cyber criminals. But according to forecasts by Europol, in 2017 sensitive medical data of patients stored in poorly secured hospital systems will be on the front line of cyberattacks. Blocking of the IT system or leaking of patient data can disrupt the work of a medical unit to such a degree that it is unable to treat patients until it pays a heavy ransom to the cyber criminals. Is it possible to protect against such a scenario?
Effective medical treatment depends on the reliability of IT systems
After many years of effort, the healthcare sector is going digital, and no doubt this process will continue. Medical data are stored in electronic form on hospitals’ computer systems. New arrangements for electronic prescriptions or electronic issuance of sick-leave certificates are expected any day. Telemedicine is growing rapidly, with patients’ diagnostic information transmitted to specialists in multiple locations. Various medical applications for self-administration by patients are also being created. Medical robots are helping surgeons carry out more and more complicated operations. New solutions using the Internet of Things are taking over tasks previously performed by medical personnel, enabling direct communication between medical devices and automatic establishment of parameters such as insulin dosages. Successful treatment increasingly relies on the security of the hospital’s IT system.
Medical data are the hottest item on the illegal darknet market
The dark side of technological progress is an increased risk of data loss as a result of the actions of cyber criminals. As shown by an incident in the UK in October 2016, a ransom attack typically unfolds as follows. A number of emails are sent to hospital staff (e.g. notifying them of a scientific conference, inviting them to take part in an interesting research project, or the like). When the email is opened, it automatically installs malicious software known as “ransomware” on the employee’s computer. The malware scans the network the computer is connected to, blocks access to patient data and transmits it in encrypted form to the attacker’s computer. With the data lost and the hospital’s IT system blocked, the hospital cannot function medically. The hospital administrators then receive an email demanding payment of a ransom in exchange for returning the data and unblocking the system.
Cybersecurity costs a lot, but its absence costs more
In the United States in 2015, some 111 million cyberattacks on the healthcare system were recorded, affecting 35% of the American population in total. In the biggest such attack to date, against Anthem, the data of over 78 million patients was exposed in a single breach. It is estimated that in 2017–2021 the global value of losses from cyberattacks will reach USD 6 trillion, while the expenditure required to ensure cybersecurity over the same period will be at least USD 1 trillion.
But in hospitals there is little awareness of the enormity of the cyberattack threat. One consequence is a lack of appropriate internal procedures for protecting IT systems, which in turn is the immediate reason for inadequate security of sensitive patient data.
Legal regulations enacted and in the works
Adoption and implementation of regulations protecting against cybercrime is a long-term process requiring the involvement of European and national legislators and dialogue with stakeholders from various sectors of the economy, including healthcare. Given the scale and complexity of cyber criminality, it is essential to develop an interdisciplinary system of specialised laws, particularly covering regulatory regimes and data protection.
Two key legal acts for the security of IT systems and the data stored in them were adopted in the EU in 2016:
- Network and Information Security Directive (2016/1148);
- General Data Protection Regulation (2016/679).
As we have reported in previous articles, the NIS Directive is designed to create a legal and institutional framework for cybersecurity. It requires EU member states to develop a national cybersecurity strategy, identify the operators of critical infrastructure (including hospitals), and build a national cyberattack response system based on computer security incident response teams (CSIRTs). In Poland the Ministry of Digital Affairs has drafted a government resolution setting forth the country’s National Cybersecurity Strategy for 2016–2020.
The General Data Protection Regulation provides for stricter duties of data controllers and processors (such as hospitals) in the protection of stored personal data. The lack of security measures adequate to the threat can be grounds for imposition of harsh fines by the country’s data protection authority (in Poland, the Inspector General for Personal Data Protection—GIODO), of up to EUR 10 million or 20 million, depending on the type of violation, and in the case of enterprises up to 2% or 4% of their total annual turnover in the preceding financial year (see our article “New era for personal data protection”).
Assuming an optimistic scenario, in which the member states implement the NIS Directive on time, the provisions of both acts will begin to apply in May 2018 at the earliest. Healthcare institutions must nonetheless prepare for the entry into force of the new regulations, and in the meantime should comply with voluntary standards for protection against cyberattacks.
Six steps to security
There are many sets of cybersecurity standards and best practices developed by various institutions, such as the Good Practice Guide for Incident Management from the EU Agency for Network and Information Security (ENISA). Among the most popular is the Computer Security Incident Handling Guide, the NIST 800-61 standard developed by the National Institute of Standards and Technology at the US Department of Commerce. It is a universal standard which can also be applied in the healthcare sector.
In the simplest terms, under NIST 800-61 the steps to ensure cybersecurity are as follows:
- Preparation. This is a crucial and time-consuming step, requiring identification of potential sources of computer security incidents, examination of weaknesses in the protection of computers and networks, identification of the people responsible for cybersecurity (e.g. appointment of an internal or external CSIRT), assignment of responsibilities to specific individuals, and development of procedures for action and reporting in the event of a security incident.
- Detection. If monitoring of system operations reveals an irregularity, a cyberattack may have occurred. The challenge is not only to detect the attack but also to determine its type and the scale of the threat to data security.
- Response. The response must not only be adequate to the threat, but also rapid if losses are to be kept to a minimum. For example, if one computer is infected with malware, cutting it off from the network may limit the loss to the data stored on that device, rather than affecting data on all computers in the network.
- Eradication. Once the threat is contained, the risk factor must be eliminated for the future, for example by updating antivirus software and training staff in the safe use of email.
- Recovery. Depending on the scale of the cyberattack, the return to normal operations may take several phases: for example, first a return to delivering emergency care, then to essential lifesaving procedures, and later to scheduled surgery. On the IT side this will require regaining access to medical documentation and making the necessary backup copies.
- Improvement. This is the final step, but it must not be forgotten, because over the long term every cybersecurity incident should lead to a strengthening of the systems protecting patient data. Once the preceding steps are complete, the person responsible for cybersecurity should prepare a summary report for the hospital administration, with conclusions and recommendations for preventing similar incidents in the future. This usually means working through the six steps again.
- 2016 Internet Organised Crime Threat Assessment
- Critical Controls—Center for Internet Security
- Verizon Data Breach Report 2016
- Handbook for CSIRTs
- Creating a CSIRT
- Cyber Integration for Fusion Centers
- Expectations for Computer Security Incident Response
- US Department of Defense Cyber Strategy
Joanna Krakowiak, Life Science & Regulatory practice, Wardyński & Partners
This article is an expanded version of a presentation delivered at the 60th Congress of the Union Internationale des Avocats, held in Budapest on 28 October – 1 November 2016.