Cybersecurity in the Healthcare Sector – Why It Matters so Much and How to Improve It
Author
Tom Carvalho
In the health sector, digitalisation has gained unparalleled importance over the last few years and has completely transformed how medical services are provided. From electronic health records to telemedicine and the use of artificial intelligence in diagnostics, the digital revolution in the health sector opens up enormous possibilities for faster and more efficient medical care. However, the increased interconnectedness of systems and devices also brings new challenges, particularly in cybersecurity. There are numerous potential targets for cybercriminals, and these targets must be protected to keep patients and facilities out of harm's way.
In Germany, cybersecurity in the health sector has gained particular significance since 2015, when Germany’s Federal Office for Information Security (abbreviated as BSI) was put in charge of several areas in the health sector. The involvement of the BSI is meant to curb cybercrime and support facilities such as pharmaceutical companies or hospitals in the area of information security.
Why Does Information Security Matter so Much in the Healthcare Sector?
Nowadays, ensuring adequate security, especially in the digital environment, is crucial in every industry, and in healthcare facilities cybersecurity is a critical concern. Hospitals are a case in point: a German hospital carries out approx. 30,000 treatments every year, in some cases considerably more. But even small doctor's surgeries can be affected by vulnerabilities in their systems.
The consequences of such vulnerabilities can be grave. In the healthcare system in particular, adequate information security is vital to keep sensitive data from falling into the wrong hands; the manipulation or destruction of such data can have catastrophic results. Cybercriminals can pass on or sell the information they have stolen, and they can also compromise data that are needed for the follow-up treatment of patients. If crucial data on medical history, medication and previous treatments are missing or only available with a delay, patients may receive the wrong treatment, and the diagnosis and treatment of diseases may be delayed because the information needed to decide on the right therapy is not at hand.
Examples, Motives, Measures
Another possible scenario is a cyberattack that switches off life-support machines, potentially with catastrophic results.
Another way for cybercriminals to gain unauthorised access is the so-called 'technical support scam'. Fake error messages or pop-ups are displayed on a website visited by the victim and appear to block the web browser of a facility such as a doctor's surgery. The messages contain a phone number, supposedly for help in solving the problem. In some cases employees call the number and allow the criminals to take control of the computer. The scammers may then ask for passwords and other login credentials and thereby compromise the facility's security.
In most cases, however, cybercriminals want to extort ransom money. If important systems are disrupted, especially where downtime has critical consequences, the attackers demand large sums to restore them. It is therefore important to identify and close potential vulnerabilities early on. If a ransomware attack does occur, the victim should always turn to external IT security experts, the BSI and the police for support.
One of the most promising targets for cybercriminals is people. Employees should therefore be made aware of the relevant scenarios through regular, hands-on training.
Typical vulnerabilities and attack vectors in the health sector include:
- Routers
- Vishing (voice phishing) calls
- Devices with remote access
- Medical equipment without adequate malware protection
- Phishing emails
- Weak or easily accessible passwords and login credentials
- Social engineering
Cybersecurity Challenges
Ensuring cybersecurity in the health sector poses many challenges to the organisations in the industry. It is not only hospitals and clinics that are under threat, but also surgeries, the pharmaceutical industry, manufacturers of medical equipment and health insurers. Moreover, information relating to medicinal products, such as their composition, must be protected against manipulation.
Those mainly affected are:
- Pharmaceutical industry
- Medical facilities of all sizes
- Research facilities
- Medical equipment
- Mobile devices
- Electronic health records
Technical devices can become a target and a means to get access to internal networks in the health sector. This can happen to facilities of all shapes and sizes, be it the local physiotherapy practice just around the corner or the major hospital that is known all over the country.
Electronic Health Records
An electronic health record (EHR) can be used to store sensitive personal medical data in encrypted form. In Germany, it is provided by the health insurers, and the patient decides what data are stored there and who may access them. It can hold, for instance, blood test results, health conditions, medication and referral letters, and it can be managed conveniently through an app.
Patients' mobile devices as well as the IT systems of surgeries, clinics and health insurers are potential gateways for cybercriminals, who can exploit vulnerabilities to gain access to sensitive data.
In April 2023, Bitmarck, an IT service provider mainly for statutory health insurers, became the target of a cyberattack. Bitmarck stated that no data had been leaked, but the attack disrupted the use of EHRs and other digital services of several health insurers.
How Cybercrime Impacts the Healthcare Sector
Cybercrime affects the health sector in further ways. It can lead to life-threatening situations for patients, and sensitive personal data can be sold or made publicly accessible, which in turn can lead to further attacks and loss of reputation.
In Germany, two laws focus on the protection of patient data and IT security: the Patient Data Protection Act (Patientendaten-Schutz-Gesetz, PDSG) and the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0, IT-SiG 2.0). Under the PDSG, all hospitals must implement security measures to protect their patients' data. The IT-SiG 2.0 goes one step further by imposing stricter requirements on facilities that are considered part of the critical infrastructure in the health sector. Facilities that do not meet the new requirements in due time risk severe penalties.
If data are stolen, compromised or destroyed, the damage can be considerable. There have already been cases of medical facilities facing severe disruptions to their processes and economic loss. Not only the attackers but also the facility's owners and executives may be held liable under civil law if information security is compromised. Lives may be at stake when cybercriminals target equipment that is essential for patients' health and survival.
Ways to Improve Cybersecurity in the Healthcare Sector
Whether one opts for an in-house department or external support, information security should be left to experts. The tasks in this area span a broad spectrum, and the employees in charge need regular training and instruction to stay up to date and be prepared for an emergency.
There is therefore an urgent need for action, not least in training employees. A well-instructed team can reliably ensure that the facility's software stays up to date and that social engineering attacks are warded off. Still, the responsibility remains with the management of the facility.
The most important tip is to continually raise awareness and provide training in healthcare facilities. When it comes to cyberattacks, the biggest risk factor is still a lack of awareness among employees. Our awareness course on data protection in the health sector raises awareness among medical staff such as doctors and nurses. Through a variety of animations and quizzes, they learn how to respond to common critical situations involving data protection and confidentiality. The course is specifically designed for dentists' and doctors' surgeries, hospitals, rehabilitation centres, mental health practitioners and physiotherapy practices.
Sources
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/E-Health/e-health.html
https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/E-Health/Elektronische-Patientenakte/elektronische-patientenakte_node.html
https://bau-medizintechnik.com/cyberangriffe-im-gesundheitswesen/
https://www.der-niedergelassene-arzt.de/kommcenter/it-in-der-arztpraxis/news-details/it-sicherheit/5-praxisbeispiele-zum-umgang-mit-cyber-kriminalitaet-in-der-arztpraxis
https://www.bundesgesundheitsministerium.de/elektronische-patientenakte.html
https://www.tagesschau.de/investigativ/panorama/patientendaten-105.html
https://link.springer.com/article/10.1365/s43439-022-00049-8
https://www.heise.de/news/Cyber-Angriff-auf-Bitmarck-Einige-Krankenkassen-Dienste-gestoert-8978360.html