According to a report by IBM, cyber-attacks on hospitals and other healthcare facilities more than doubled in 2020. These attacks came in the midst of the coronavirus pandemic, at a time when hospitals around the world were struggling to cope with the dramatic rise in patients.
The growth of connected medical devices in hospitals has complicated cyber security by accelerating the convergence of the once separate domains of IT and operational technology (OT). The challenge is that, unlike typical business networks, hospital networks are designed to make access from many different networks easy.
In an IT environment, a cyber security strategy aims to protect the confidentiality, integrity and availability (CIA) of information systems. In hospitals, the convergence of IT and OT places the focus on protecting the safety, integrity, availability and confidentiality (SIAC) of a diverse range of traffic.
Hospitals and other critical systems place a much greater emphasis on availability. The easiest way to understand this is by considering what happens in the event of an attack.
For IT-led organizations, one of the first lines of defence is shutting the entire system down. In hospitals, however, life-saving medical devices must be able to run permanently to ensure patient safety. In addition, medical devices need to be able to communicate freely throughout the hospital.
The same is also true for other essential services, such as pharmacies and nursing stations. Shutting down is just not an option.
Unfortunately, the emphasis on maintaining an open network, with the ability to provide a quick response to the medical needs of patients, makes hospitals relatively easy targets for cybercriminals.
A recent IEC Technical Report (IEC TR 60601-4-5:2021) provides detailed guidance on adapting IEC 62443 to the specific needs of the healthcare sector. IEC 62443 was originally developed for the industrial process sector but is now used in all cyber-physical environments.
IEC TR 60601-4-5 provides security specifications for medical electrical equipment and systems connected to hospital IT networks. These include the seven foundational requirements set out in IEC TS 62443‑1‑1: identification and authentication control; use control; system integrity; data confidentiality; restricted data flow; timely response to events; and resource availability.
The report defines four security levels and the technical capabilities that a device requires to reach a specific level. It specifically references the security level requirements for components of an IT network set out in IEC 62443‑4‑2, which is required reading for anyone using the report.
Other key standards included in the report are IEC 60601-1 and IEC 80001. The former covers general requirements for the basic safety and essential performance of medical devices, while the latter deals with the application of risk management for hospital networks incorporating medical devices.
Above all, IEC TR 60601-4-5 underlines the importance of medical device manufacturers and operators sharing responsibility for security.