Cyber attacks on healthcare organizations reportedly increased by 45% worldwide in the last two months of 2020. This came at a time when any interruption in healthcare would have been potentially catastrophic, as hospitals in many countries were overwhelmed by the rise in coronavirus patients.
Hospitals make attractive targets for cyber-criminals. Many have obsolete IT systems and medical devices with weak or no protection.
In addition, they rely on third-party services, which exposes them to supply chain vulnerabilities, and they store a wide range of personal data from their patients. The growth of connected medical devices in hospitals has exacerbated the situation by accelerating the convergence of the once separate domains of IT and operational technology (OT).
The challenge, from a cyber security perspective, is that unlike business systems, hospital networks are designed to facilitate ease of access from many different networks and devices. In an IT environment, a cyber security strategy aims to protect the confidentiality, integrity and availability (CIA) of information systems.
In hospitals, the convergence of IT and OT technologies shifts the focus to protecting the safety, integrity, availability and confidentiality (SIAC) of a diverse range of traffic, ranging from life-critical patient data requiring immediate delivery and response, to general administrative data.
Hospitals and other critical systems also place a greater emphasis on availability. The easiest way to understand this is by considering what happens in the event of an attack.
For IT-led organizations, one of the first lines of defence during an incident is to isolate or shut down the affected systems. In hospitals, however, life-saving medical devices must be able to run permanently to ensure patient safety. In addition, medical devices need to be able to communicate freely throughout the hospital.
The same is also true for other essential services, such as pharmacies and nursing stations. Shutting down is just not an option.
Unfortunately, the emphasis on maintaining an open network, with the ability to provide a quick response to the medical needs of patients, makes hospitals relatively easy targets for cyber criminals. The risks are two-fold: in a worst-case scenario, attacks could stop critical medical devices from working properly; a hacked medical device could also provide a gateway into the hospital network to steal sensitive patient data.
In 2017, hospitals around the world fell victim to the WannaCry ransomware attacks, which denied affected computers access to patient health records. The attack resulted in the cancellation of critical surgeries and in emergency patients being turned away because doctors could not check medical histories or allergy warnings.
Medical devices were also affected.
The newly updated cyber security standard IEC 80001-1 defines the roles, responsibilities and activities that are necessary for the risk management of IT networks incorporating medical devices. It deals with safety and effectiveness, as well as data and system security, in the context of healthcare organizations, manufacturers of medical devices and providers of other information technology.
IEC 80001 is the only standard that addresses how medical devices can be connected to IT networks to achieve interoperability without compromising the organization and delivery of health care.
Read more about IEC 80001-1:2021, Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software - Part 1: Application of risk management.