What are the risks?

And why status quo is not an option

Healthcare is becoming a data business

Artificial intelligence is a game changer. Apple, Google and Samsung are partnering with academic researchers to leverage data from watches and smartphones as a new way to carry out clinical studies and deliver personalized medicine. These new methods were approved by the FDA in 2018.

Likewise in France, a national computing infrastructure, health data hub, is being built.

But more data also means more cyber risk. In healthcare it is not just about data security: an incident can have a life-or-death impact. A system that cannot be patched may be an actual threat that can cause harm to patients.

Healthcare relies more and more on connected devices

Defining the IoT / connected devices

We define an IoT system as a set of technologies that provide a service:

  • Devices with sensors and actuators. They collect, process and exchange data. Devices are usually deployed remotely, in the field.

  • Communication networks. They provide a communication channel between devices and with processing systems. An IoT system can rely on multiple communication networks, wireless or wired, high or low speed.

  • Processing facilities. They provide the “smartness” of the system. These processing facilities can sit in the devices, in a mobile application, or remotely (e.g. cloud computing). An IoT system can have one or several processing facilities.

The IoT has a few unique caveats that need to be considered, typically:

  • Battery powered: the devices are often small and serve a particular function, unlike server platforms, which have massive compute resources and a consistent, sanitized power supply.

  • Asynchronous: They are partially or completely offline, connecting only asynchronously via hub devices or when required for functionality.

  • Lean: Lastly, IoT devices usually have limited calculation capabilities, and depend on central devices and servers for this processing functionality.

Despite all of these caveats, IoT devices are extremely attractive targets for attackers because of their known single-purpose functions and relatively lax security.

Some IoT devices provide better usability through APIs, enabling a web of things through semantic interoperability. Each individual device may be small, but together they form a federated network of edge processing, enabled by standardization work such as the W3C Web of Things or the IETF T2TRG. A practical example of how such APIs are applied is the automation offered by IFTTT.
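The W3C Web of Things describes each device's API in a JSON "Thing Description", and the same document also declares how the API is protected. That makes it a natural input for a defender's inventory check: which devices expose actuation with no authentication, or send credentials over cleartext transports? The auditor below is an added example, not code from the page or from the W3C WoT project. The `securityDefinitions`/`security` fields and the per-form `href` are part of the Thing Description vocabulary; the three sample descriptions, the TEST-NET addresses in them and the policy rules (which schemes count as weak) are constructed for this illustration.

```python
"""Audit W3C Web of Things Thing Descriptions (TDs) for weak security settings.

Added example, not code from the page or the W3C WoT project. The sample TDs
and the policy rules below are constructed for illustration only.
"""
from urllib.parse import urlparse

# Constructed sample Thing Descriptions, as a hospital gateway might expose them.
SAMPLE_TDS = [
    {   # Constructed: control API with no authentication, over plain HTTP
        "@context": "https://www.w3.org/2019/wot/td/v1",
        "id": "urn:example:pump-01",
        "title": "Infusion pump (constructed sample)",
        "securityDefinitions": {"nosec_sc": {"scheme": "nosec"}},
        "security": ["nosec_sc"],
        "properties": {"rate": {"type": "number", "forms": [{"href": "http://192.0.2.5/rate"}]}},
        "actions": {"setRate": {"forms": [{"href": "http://192.0.2.5/rate"}]}},
    },
    {   # Constructed: bearer-token API over HTTPS
        "@context": "https://www.w3.org/2019/wot/td/v1",
        "id": "urn:example:thermo-02",
        "title": "Ward thermometer (constructed sample)",
        "securityDefinitions": {"bearer_sc": {"scheme": "bearer", "format": "jwt"}},
        "security": ["bearer_sc"],
        "properties": {"temperature": {"type": "number", "forms": [{"href": "https://192.0.2.6/temp"}]}},
    },
    {   # Constructed: HTTP basic auth, but carried over cleartext HTTP
        "@context": "https://www.w3.org/2019/wot/td/v1",
        "id": "urn:example:monitor-03",
        "title": "Bedside monitor (constructed sample)",
        "securityDefinitions": {"basic_sc": {"scheme": "basic", "in": "header"}},
        "security": ["basic_sc"],
        "events": {"alarm": {"forms": [{"href": "http://192.0.2.7/alarm"}]}},
    },
]

# Policy (constructed for this example): "nosec" means no authentication at all;
# these URL schemes carry data and credentials without transport encryption.
WEAK_SCHEMES = {"nosec"}
CLEARTEXT_TRANSPORTS = {"http", "coap", "ws", "mqtt"}


def active_schemes(td):
    """Resolve the TD's active security names to their scheme identifiers."""
    defs = td.get("securityDefinitions", {})
    names = td.get("security", [])
    if isinstance(names, str):          # the spec allows a single name or a list
        names = [names]
    return [defs[n]["scheme"] for n in names if n in defs]


def cleartext_hrefs(td):
    """Return (section, affordance, href) for every form on a cleartext transport."""
    found = []
    for section in ("properties", "actions", "events"):
        for name, affordance in td.get(section, {}).items():
            for form in affordance.get("forms", []):
                href = form.get("href", "")
                if urlparse(href).scheme in CLEARTEXT_TRANSPORTS:
                    found.append((section, name, href))
    return found


def audit(td):
    """Return a list of finding codes for one Thing Description (empty = clean)."""
    findings = []
    schemes = active_schemes(td)
    if not schemes or WEAK_SCHEMES & set(schemes):
        findings.append("NO_AUTH")
    clear = cleartext_hrefs(td)
    for section, name, _href in clear:
        findings.append(f"CLEARTEXT:{section}/{name}")
    if "basic" in schemes and clear:
        # Basic auth sends the password with every request; over cleartext it is exposed.
        findings.append("BASIC_CREDS_IN_CLEAR")
    if "NO_AUTH" in findings and any(section == "actions" for section, _, _ in clear):
        # Actions change device state (here: the infusion rate), so this is the
        # finding with direct patient-safety impact.
        findings.append("UNAUTH_ACTUATION")
    return findings


def audit_all(tds):
    """Map each TD id to its findings, for an inventory-wide report."""
    return {td["id"]: audit(td) for td in tds}


if __name__ == "__main__":
    for tid, findings in audit_all(SAMPLE_TDS).items():
        print(tid, "->", ", ".join(findings) or "clean")
```

The check deliberately ranks unauthenticated actions above unauthenticated reads: on a medical device the difference between reading a value and changing it is the difference between a privacy finding and a safety finding, which is the prioritisation the rest of this page argues for.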

What are these devices used for?

See the "use cases" section. It's important to realize that healthcare organisations want to be able to deal with the cybersecurity issues holistically. Medical devices as well as downstream data processing should all be made for the benefit of the patient and healthcare professionals.

The current state of affairs

The extraordinary issues that the healthcare sector is currently facing come on top of long-standing challenges that have held back the growth of cybersecurity maturity in healthcare:

  • Low maturity on cybersecurity in the healthcare sector is evident: many hospitals still do not have a CISO, and lack comprehensive security policies and access control mechanisms

  • Hospitals are easy targets for malicious attackers because of the many different ways an attacker can gain access to a system

  • Lack of security awareness – for example, physicians, administrative personnel and patients can use their personal devices to connect to the hospital network without following any specific strategy

  • The lifespan of medical devices in use, such as CAT scanners or MRI machines, can be longer than the manufacturer has anticipated, which commonly means security updates must be performed by a third party

  • The vulnerable nature of medical devices (and IoT in general). For example, manufacturers build them to support remote patching and firmware updates, which creates identifiable loopholes

A taxonomy of attacks on cyber-physical systems is summarized in the following graph:

With the following definitions:

Vulnerabilities in healthcare IT and medical devices

A device that is not patched may be an actual threat that can cause harm to patients.

ICS-CERT cybersecurity disclosures reveal that device vendors have reported 400% more vulnerabilities per quarter since the FDA released its Cybersecurity Guidance. This may be a sign of improving compliance among vendors and demonstrates that regulation works. It also dispels the idea that product certification would not allow security updates.

In Germany, the BSI has published the results of the ManiMed study, which similarly analyzes the vulnerabilities found in devices deployed on the European market.

Reducing those vulnerabilities should be prioritized according to their potential impact (threat modeling helps). Many cyber risk management methodologies exist (ISO 27005, EBIOS RM, FAIR, etc.), but given the nature of healthcare activities, DoCRA seems well adapted because it integrates the notion of "duty of care" (mostly from a legal point of view, though this could be consolidated with the ethical mindset of the Hippocratic Oath).
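To make the prioritisation concrete, here is an added example (not code from the page, and not DoCRA's own tooling) that applies a simplified reading of DoCRA's core idea: score each risk as likelihood times its worst impact across several dimensions, with patient safety breaking ties, treat anything above an acceptance threshold, and then accept a safeguard only if it brings the risk to an acceptable level and its burden does not exceed the risk it removes. The 1..5 scales, the threshold, the four vulnerabilities and the two safeguards are all constructed for the illustration.

```python
"""Rank device vulnerabilities by impact and test whether a safeguard is
"reasonable" in the duty-of-care sense.

Added example, not from the page or the DoCRA standard; a simplified reading of
its core idea. All scales, risks and safeguards below are constructed.
"""
from dataclasses import dataclass

DIMENSIONS = ("patient_safety", "confidentiality", "availability")
SCALE = range(1, 6)       # 1 = negligible ... 5 = catastrophic; likelihood uses the same scale
ACCEPTABLE_RISK = 6       # constructed acceptance threshold on the 1..25 product scale


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: dict          # dimension -> 1..5

    def __post_init__(self):
        if self.likelihood not in SCALE:
            raise ValueError(f"{self.name}: likelihood out of scale")
        for dim in DIMENSIONS:
            if self.impact.get(dim) not in SCALE:
                raise ValueError(f"{self.name}: missing or out-of-scale impact for {dim}")

    def score(self) -> int:
        # The worst impact dimension drives the score, so a catastrophic safety
        # impact is never averaged away by a low confidentiality impact.
        return self.likelihood * max(self.impact[d] for d in DIMENSIONS)


@dataclass
class Safeguard:
    name: str
    burden: int               # cost/disruption, expressed on the same 1..25 scale as risk
    residual_likelihood: int  # likelihood once the safeguard is in place


def prioritise(risks):
    """Highest risk first; ties broken by patient-safety impact."""
    return sorted(risks, key=lambda r: (-r.score(), -r.impact["patient_safety"]))


def needs_treatment(risk):
    return risk.score() > ACCEPTABLE_RISK


def residual_score(risk, safeguard):
    return safeguard.residual_likelihood * max(risk.impact[d] for d in DIMENSIONS)


def is_reasonable(risk, safeguard):
    """Duty-of-care test (simplified): the safeguard must bring the risk below the
    acceptance threshold, and its burden must not exceed the risk it removes."""
    residual = residual_score(risk, safeguard)
    return residual <= ACCEPTABLE_RISK and safeguard.burden <= risk.score() - residual


# Constructed register of risks, deliberately listed out of priority order.
RISKS = [
    Risk("Default credentials on DICOM viewer", 4,
         {"patient_safety": 2, "confidentiality": 5, "availability": 2}),   # score 20
    Risk("Legacy MRI console on unsupported OS", 3,
         {"patient_safety": 3, "confidentiality": 3, "availability": 5}),   # score 15
    Risk("Unpatched infusion pump firmware", 3,
         {"patient_safety": 5, "confidentiality": 2, "availability": 3}),   # score 15, safety 5
    Risk("Unencrypted Wi-Fi telemetry", 1,
         {"patient_safety": 2, "confidentiality": 4, "availability": 1}),   # score 4
]

PUMP = RISKS[2]
SEGMENT_AND_PATCH = Safeguard("Segment pump VLAN and apply vendor firmware update",
                              burden=6, residual_likelihood=1)
REPLACE_FLEET = Safeguard("Replace the entire pump fleet", burden=20, residual_likelihood=1)


if __name__ == "__main__":
    for r in prioritise(RISKS):
        flag = "TREAT" if needs_treatment(r) else "accept"
        print(f"{r.score():>2}  {flag:<6} {r.name}")
    for sg in (SEGMENT_AND_PATCH, REPLACE_FLEET):
        print(f"{sg.name}: reasonable={is_reasonable(PUMP, sg)}")
```

Two points the numbers illustrate: the pump and the MRI console score the same, but the pump ranks first because its patient-safety impact is higher, and replacing the whole fleet is rejected not because it is ineffective (it reaches the same residual risk as patching) but because its burden exceeds the risk it removes, which is exactly the "reasonableness" judgement a duty-of-care framework asks for.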

Attacks are booming

Most attacks on medical organisations today are classic ransomware, so attackers are not yet exploiting the many vulnerabilities in appliances that were deployed in the field without cybersecurity in mind. What differs from other economic sectors is that it is not just data security at stake: attacks can have life-and-death impacts.

The Internet Risk Surface Report for healthcare provides useful analysis, but mostly for the US: "The prototypical healthcare organization has fewer hosts scattered across fewer service providers and global locations than other sectors, and a lower proportion of those assets exhibit high-value functions. That trend reverses for the findings dimension, where Healthcare’s rate of severe security findings ranks among the highest of all sectors."

Within the healthcare sector, hospitals are more centralized and better prepared than smaller organizations (note: we found similar results in our interviews).

Impact of cyberattacks

In the UK, a study called "Data breach remediation efforts and their implications for hospital quality" found that hospital time-to-electrocardiogram increased as much as 2.7 minutes and 30-day acute myocardial infarction mortality increased as much as 0.36 percentage points during the 3-year window following a breach.

Here is a real-life example of how cyberattacks can disrupt healthcare services:

"Cyberattack - information system out of order. Very long delays for patients who are not coming for a vital emergency" (translation)

How much does it cost an organisation today? Cyber insurers have the most accurate evaluations; we use the At-Bay simulator.
