Executive summary
The increasing incorporation of technology into the health field is leading to greater precision in healthcare; however, advancements in cybersecurity measures are still required. According to a 2016 report by IBM and the Ponemon Institute, the frequency of data breaches in the healthcare industry has been rising since 2010 [1], and it is now among the sectors most targeted by cyberattacks globally [2]. Due to its immutability, the information accessed through health data breaches is of particular interest to criminals [3]. Blood type, past surgeries and diagnoses, and other personal health information are contained in an individual’s medical file. As these records include private data such as name, date of birth, insurance and health provider information, as well as health and genetic information, it is not possible to restore privacy or to reverse psychosocial harm when private data are compromised.
These sorts of attacks are not only a threat to patients’ identity and finances, but they can also impede hospital operations and place the health and well-being of patients at risk. The United Kingdom’s National Health System hospitals, which suffered from the WannaCry ransomware attacks in May 2017, were forced to delay treatment plans and even to reroute incoming ambulances because they lost access to hospital information systems [4]. Beyond these operational delays and the financial consequences of data breaches and ransomware attacks, cyberattacks have long-term detrimental effects on the reputation and revenue of hospitals and health facilities.
In response to these global attacks, the M8 Alliance undertook a project that began with a scoping review on cyberattacks against hospitals [5]. The review was a basis for several teleconferences conducted by a multidisciplinary team of experts. A workshop ensued in April 2018 at the bi-annual Geneva Health Forum (GHF). The purpose of these meetings was to exchange perceived threats, to promote interdisciplinary discussion, and to propose practical recommendations for hospitals across the globe. The onsite meeting at the GHF was organized as a World Health Summit Expert Meeting on the cybersecurity of hospitals [6].
Here, we describe the most prominent discussions and recommendations from this working group for other security officers, hospital decision makers, vendors, manufacturers, industry representatives, and academics in the field. We begin with some case examples that serve to illustrate what these attacks look like and how health organizations have responded in the past. We then discuss the need to address cybersecurity through the product lifecycle in a preventative and proactive way as well as an approach to cybersecurity that values quality IT at the foundation with a stable application base and strong IT infrastructure. A risk-based approach is recommended, beginning with the identification of at-risk IT assets, followed by management of tradeoffs between risks and benefits, as well as different types of risks. The training of end-users is emphasized, alongside strategies such as vulnerability management and patch management, the controlled and restrictive granting of administrative privileges, and the development of incident response and business continuity plans. Information sharing between stakeholders is also recommended in order to build resilience. We conclude with a discussion on privacy-conscious data sharing and the unique challenges medical devices pose to security.
Introduction
Personally identifiable information (PII) and protected health information (PHI) are handled by almost every department in a hospital, in one or more health information systems. All healthcare providers (e.g., physicians, physician assistants, nurses, pharmacists, technicians, dietitians, physical therapists) use electronic health records (EHR), e-Prescribing software, remote patient monitoring, and/or laboratory information systems; the billing office works with insurance and financial information through medical billing software; scheduling and administration departments work with clinical data on scheduling software, and the list continues. While PII in organizations within most other fields (e.g., academic institutions or businesses) is typically contained within a limited number of departments where cybersecurity measures can be centralized, in a hospital setting the data are highly sensitive and valuable, yet almost all departments handle them in some manner. Cybersecurity measures aim to protect PII and PHI by securing devices, electronic systems, networks, and data from attacks.
In other fields, such as the financial sector, the issue of cybersecurity has been confronted for decades; those sectors have therefore established policies and dedicated resources to invest in security, whereas the health field struggles to give sufficient attention and resources to a problem that is relatively new to it. As healthcare is extremely cost constrained, very limited resources are allocated to IT security. Despite these constraints, cybersecurity in hospitals must take into account the thousands of interconnected medical devices and the often-inconsistent business processes. Connected medical devices introduce numerous vulnerabilities into a hospital’s cybersecurity; nevertheless, these devices are used throughout the hospital and can even be used off-site. The business process in hospitals can vary significantly from patient to patient and is difficult to model computationally; it often requires openness (for data interoperability and access to health records in case of emergency) and hence leads to insecure code.
Cybersecurity in the health field is unique due to the type of information at risk and the consequences for patient safety. When a credit card number is stolen, the bank cancels the card, issues a new one, and reimburses the client. However, when a patient’s PHI is stolen, the patient cannot change, for example, their birthdate, blood type, and health and genetic information. Once stolen, health information is widely applicable and valuable for a range of crimes, from identity theft to medical fraud. An individual’s health information is valued significantly more on the dark web than their social security number or credit card number; it can sell for 10 to 20 times more than this type of data [7, 8].
The regulatory framework around PHI has been evolving over the past two decades. In the United States (US), the Health Insurance Portability & Accountability Act (HIPAA) was passed in 1996; it enforced the protection of health information usage, disclosure, storage, and transmission [9]. This was followed by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, which increased penalties for HIPAA violations, strengthened breach notification, and encouraged the meaningful use of electronic health records [10]. In 2016, the General Data Protection Regulation (GDPR) was adopted by the European Union (EU) to replace existing regulations, and it entered into force in May 2018. GDPR implements provisions and requirements pertaining to the PII of all EU citizens, including provisions for breach notification and penalty implementation [11]. Although the increasingly strict regulations pose technological and organizational challenges for health institutions, they serve the protection of data, the cybersecurity of hospitals, and, ultimately, patient safety.
Cyberattacks risk delay and disruption of sensitive hospital operations and place patients’ lives at risk. When the British National Health Service hospitals were attacked in the global WannaCry attack of May 2017, or in the Hollywood Presbyterian Medical Center attack of February 2016, surgeries had to be delayed and patients diverted to nearby hospitals [4]. Cyberattacks can threaten a wide variety of services within a hospital, from surgeries to drug delivery, by targeting advanced equipment such as blood-product refrigerators, imaging equipment, automated drug dispensers and electronic health records, as well as by targeting supporting critical systems such as heating, ventilation, and air conditioning (HVAC). When EHR integrity is compromised, or records are suddenly encrypted in an attack such as ransomware, providers lose access to critical information (e.g., patient allergies, current medications, and comorbidities). Hospitals are especially at risk in extreme or conflict situations, where stealth malware can stay hidden in the system until conveniently activated, thus leading to severe consequences when healthcare is most urgent (e.g., following a natural or human-instigated disaster). Cyberattacks can also compromise the trust in a doctor-patient relationship, e.g., if data are breached [12].
Moreover, when PHI is stolen, or patients’ lives are put at risk in a cyberattack, it is often nearly impossible to pinpoint the guilty party. Digital forensics is a challenging task in a hospital setting. Data are already used by many services and, when medical devices are involved, few services are equipped to collect the necessary traces, run intrusion detection, or perform forensic analyses. It is difficult to track down the attacker(s), even when a ransom is paid, especially when anonymous cryptocurrencies such as Bitcoin, Dash, Verge, Monero, or ZCash are used. The question of liability is also complex, as there are uncertainties in liability attribution (e.g., in software liability), which is problematic for those who run operations. Assigning responsibility can lead to an oppositional relationship between hospitals and manufacturers. Instead of working together to ensure the highest security practices, they can become competitors by trying to avoid responsibility. However, without assigning responsibility and liability, it is difficult to maintain accountability and effectively deter future attacks.
In 2016, IBM X-Force reported that the healthcare industry faced more cyberattacks than other industries, even surpassing the financial sector [13]. That same year, the Ponemon Institute announced that the frequency of data breaches and their annual economic impact had been rising since 2010 [1]. A 2017 report also averaged the global cost per stolen record to be the highest in the healthcare sector [14]. The case examples in the following section (II) provide concrete details of recent attacks on healthcare organizations.
Recommendations for connected medical devices
The FDA defines medical devices as “An instrument, apparatus, implement, machine, contrivance, implant, in vitro reagent, or other similar or related article, including a component part, or accessory [ … ] intended for use in the diagnosis [ … ] cure, mitigation, treatment, or prevention of disease [ … ]” [72].
This definition encompasses equipment such as beds, in-house treadmills, intravenous pumps, and monitors, as well as implantable and connected devices such as pacemakers and insulin pumps. Additionally, wearable devices (such as Fitbits) that monitor and record health and lifestyle data can now be connected to clinicians’ devices. These devices can propagate flaws or incidents in cybersecurity and act as weak elements in the security chain by which malware can spread. The diversity of devices can also make it difficult to enact a strict security policy, but the cybersecurity of these devices is critical. Medical devices are typically in direct contact with patients and can increase risks to hospital operations and patient safety.
Advancements such as the Internet of Things enable remote medical care and precision in healthcare delivery. However, clinical care utility and safety need to be balanced with security and privacy. Devices are highly interconnected in the hospital network and collect large amounts of clinical data that need to be securely transferred, but these devices also have inherent limitations that expose them to vulnerabilities. They often do not have proper security measures because they lack the battery power or the built-in resources to efficiently employ security measures such as encryption and forensic processes, threat modeling activities, and malware detection [58, 60]. Devices designed to function in isolation often end up integrated into the network, whereas physical security of wearable devices is nearly impossible, as they do not typically have long life spans and their operating system or relevant platforms become outdated relatively quickly [56, 58].
Decision makers should evaluate the expected lifetime of devices (e.g., manufacturer/vendor-support or operating system-support) before purchase. In conjunction, equipment maintenance is critical to medical-device security. Hospitals and manufacturers, with support from certifying authorities, should develop a patching policy that minimizes equipment downtime and enables timely updates through a collaboration with the external manufacturing community and internal stakeholders. Collaboration with manufacturers can allow facilities to better monitor new alerts in order to keep up with critical or urgent patches and updates. Facilities should also develop and budget for life-cycle management in order to retire devices that cannot be replaced right away.
It is also essential for IT to maintain a regularly updated inventory of all devices on the network (authorized and unauthorized). Hospital networks often have numerous personal devices integrated into them. Patients and physicians often connect external mobiles and wearables [73], thus increasing exposure and complicating bring your own device (BYOD) policies. The health organization should enact reasonable measures and policies to block connectivity of unapproved personal devices (mobiles, tablets …) [55], for example by using mobile device management or software distribution systems. Besides this, health facilities should enforce local data encryption, when possible, as a preventative measure.
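One way to operationalize the two preceding recommendations (tracking vendor-support lifetimes before and after purchase, and keeping an inventory that distinguishes authorized from unauthorized devices on the network), as an added example that is not part of this paper or the workshop: reconcile the authorized-device inventory against what the network actually reports. The inventory rows, MAC addresses, IP addresses, support dates and the lease format are all constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (hypothetical, not from the paper): one row per
# authorized device with the date its vendor/OS support ends.
AUTHORIZED_INVENTORY_CSV = """mac,name,owner,support_end
00:11:22:33:44:01,infusion-pump-icu-3,biomed,2026-06-30
00:11:22:33:44:02,mri-console-rad-1,radiology,2019-12-31
00:11:22:33:44:03,nurse-workstation-4b,it,2027-01-15
00:11:22:33:44:04,ventilator-icu-7,biomed,2025-03-31
"""

# Constructed sample of a DHCP-lease / network-scan export: "mac ip" per line.
OBSERVED_LEASES = """00:11:22:33:44:01 10.20.1.31
00:11:22:33:44:02 10.20.1.32
AA:BB:CC:DD:EE:FF 10.20.7.140
00:11:22:33:44:03 10.20.1.33
"""
REPORT_DATE = date(2020, 1, 1)  # fixed so the sample result is reproducible

def load_inventory(csv_text):
    """Parse the authorized inventory into {mac: {name, owner, support_end}}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        inventory[row["mac"].lower()] = {
            "name": row["name"], "owner": row["owner"],
            "support_end": date.fromisoformat(row["support_end"])}
    return inventory

def parse_leases(text):
    """Parse observed leases into {mac: ip}, MACs normalised to lower case."""
    observed = {}
    for line in text.splitlines():
        if line.strip():
            mac, ip = line.split()
            observed[mac.lower()] = ip
    return observed

def reconcile(inventory, observed, today):
    """Flag MACs on the network that are not inventoried (candidates for
    blocking), inventoried devices seen while past vendor support, and
    inventoried devices not seen at all (stale inventory or offline asset)."""
    unauthorized = sorted(m for m in observed if m not in inventory)
    unsupported = sorted(m for m in observed
                         if m in inventory and inventory[m]["support_end"] < today)
    missing = sorted(m for m in inventory if m not in observed)
    return {"unauthorized": unauthorized, "unsupported": unsupported,
            "missing": missing}

if __name__ == "__main__":
    report = reconcile(load_inventory(AUTHORIZED_INVENTORY_CSV),
                       parse_leases(OBSERVED_LEASES), REPORT_DATE)
    for category, macs in report.items():
        print(f"{category}: {', '.join(macs) or 'none'}")
```

In practice the lease export would come from the DHCP server or a network access control system, and the "unauthorized" list is the input to the blocking policy rather than an automatic block.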
Conclusion
A year and a half after this workshop, attacks on hospitals continue to make headlines. At the beginning of October 2019, three hospitals in Alabama (US) faced a ransomware attack that forced them to divert new patients to nearby hospitals [74]. Around the same time, another ransomware infection affecting seven Australian hospitals was reported [74]. These attacks continue to break out, further stressing the urgency of the matter at hand.
Building the cyber resilience of a hospital is vital and it is a shared responsibility. Users (i.e., clinicians and administration staff) should undergo training and should practice digital hygiene, decision makers should enforce the proper policies and consider cybersecurity in purchasing decisions, and manufacturers should equip their products with the appropriate cybersecurity measures. The information security teams of hospitals should also enact and upkeep the proper tools to safeguard the hospital and patients.
Information security teams should equip users to counter social engineering methods by, for example, filtering e-mail content, auto-checking suspicious URLs in e-mails for linked malicious code, whitelisting trustworthy websites and applications, and blocking Flash, advertisements and untrusted Java code on the Internet, as necessary [55]. Other tactics for reducing exposure should be used, such as intentionally changing default passwords and regularly updating security configurations on laptops, servers, workstations, firewalls, etc. [47]. Antivirus software is also important, along with penetration tests, control of physical access, and the maintenance of regularly updated backups (which should be stored offline). The organization’s website and the industrial control systems, including HVAC, cameras, and fire alarm panels, should be secured and locked down against attacks. EDR software can also help detect malware breaches and react properly to recorded infections. Finally, there should be appropriate tools in place for protecting data shared across different departments or medical institutions in a privacy-conscious way, thereby reducing the risk of intentional or unintentional breaches through trust distribution [64].
Cybersecurity is also a matter of arbitrating tradeoffs [39]. As mentioned, utility and safety need to be balanced with security, privacy, and compliance with data protection regulations, especially in the highly distributed and collaborative environments required for precision medicine. Yet, convenience cannot be left out of the equation. Without considering the latter point, these recommendations will remain theoretical and inapplicable in actual practice. A physician who wants to store or access clinical data on their mobile phone is not doing so to increase exposure to cyber threats but for the sake of convenience and efficiency in the delivery of care, and the quality of care. Similarly, an information security officer who takes a system offline to apply updates or patches does not intend to inconvenience health providers but to decrease the risks of unexpected downtime from large-scale attacks. There should not be two sides working independently of each other towards their own goals, but a collective, multidisciplinary team working towards protecting and improving patient care and data.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.