The war in Ukraine has been accompanied by talk of a growing cybersecurity threat. Electronic health records (EHRs), data sharing, telehealth and ICT have become common in healthcare, making the field more interdependent, and hackers have increasingly targeted healthcare organisations.
In February, one day after the invasion of Ukraine, the American Hospital Association issued a warning about potential cyber threats from Russia, stating that hospitals could be directly targeted or become collateral damage in a malware attack. For Dr Sabina Magalini, a senior surgeon of emergency trauma at the Gemelli University Hospital in Rome, the nature of the threat has changed, moving away from individuals seeking financial gain. “The intent now is not to do ransomware but it is to do harm,” she said.
Magalini, who was recently involved in an EU-funded cybersecurity project called Panacea, says that healthcare professionals are busy, and IT departments work in different silos from their medical colleagues. While medicine increasingly relies on digitisation and AI, cyber-hygiene is uneven, she explained. “I always say, if you were working in a nuclear power plant, maybe you would be more compliant with the requirements. Working in healthcare, cybersecurity is not your chief focus.”
Putting patient lives at risk
A system failure in healthcare can be catastrophic. The Irish healthcare system lost access to phone and email communications after a ransomware attack last May, when a staff member opened a malicious MS Excel file. In 2020, a cyber-attack in Germany led to the death of a patient when treatment was delayed.
The EU is expected to update its strategy for enhancing cybersecurity across the EU, the NIS directive, later this year. Europe’s agency for cybersecurity, Enisa, has published a report on how pseudonymisation can help protect patients’ data, and offers training webinars to improve workforce skills. Enisa says more than 350,000 cybersecurity positions are unfilled across the continent.
The rapid digitisation of healthcare during the COVID-19 pandemic created two different security weaknesses, according to Alessandro Ortalda, a researcher at the Vrije Universiteit in Brussels who has advised governments and public institutions on cybersecurity. One is the potential for cyber-criminals to jeopardise patient safety by hacking connected devices. The other is that they would obtain patient data and sell it or hold it to ransom.
Of the two, data breaches are more critical, Ortalda says. “If you target a specific medical device you are targeting one person or a small group of people. But if you target a database that hosts data from hundreds or maybe thousands of people, the potential gain is much, much higher. And accessing these kinds of databases is way easier than violating a medical device.”
Regulations like GDPR provide a solid framework for data protection but can be hard to comply with, Ortalda said. “One of the aspects that often is difficult for security personnel is how to translate these high principles into actionable requirements at the implementation level.”
Although awareness of the cyber-threat is growing across healthcare, experts say that financing is an issue. Better resourcing, and the creation of new data protection officer (DPO) roles, a position envisaged by the GDPR, would help healthcare institutions be prepared, Ortalda suggests. “Right now DPOs and privacy departments are heavily understaffed and heavily under-resourced. This is a huge problem for organisations like hospitals or pharmaceutical companies.”
Meanwhile, both defence and attack strategies will evolve, he said. “The one ahead is always the attacker. It’s always easier to attack than to defend.”