Is our healthcare system (cyber)secure?

Life expectancy is increasing in Europe and the population is aging. The proportion of elderly people in our countries is increasing together with the number of citizens suffering from chronic diseases (about 40% of the population over the age of 15).

It is also important to take cybersecurity into account in the healthcare sector

These factors increase healthcare costs in Europe. In most European countries, healthcare is a growing GDP segment, in some cases still a growing part of public spending, representing between 4% and 12% of the GDP of EU Member States.

The quest for more efficient ways of providing the population with good medical attention at lower costs is crucial. The application of information and communication technologies and also an ethical use of data are of great help. In other words, eHealth is now seen as one of the best ways of keeping quality healthcare services affordable. Consequently, the uptake of eHealth solutions and technologies is expected to soar in upcoming years.

However, cyber-attacks are constantly increasing. Attacks of this kind focus on stealing financial information, billing information, and bank account numbers using stolen devices with unencrypted data, phishing, and spam emails. Technological breakthroughs have led to advanced cyber warfare using SQL injections, advanced persistent threats (APT), zero-day attacks, and advanced malware. The eHealth sector is no exception to this increasing threat and has already suffered severe consequences from headline-grabbing attacks.

Another crucial aspect to be factored in here is that of life-threatening patient safety risks due to tampering with health or eHealth equipment. Safety-critical medical devices are increasingly based on standard operating systems that are rarely patched and often interconnected on hospital networks. Even when these devices are personal devices, they can often be updated OTA (over the air), leaving room for manipulation and hacking, with the consequent risk to the patient’s health and even life. Adequate cybersecurity safeguards during the design and development, but also the operation, of these devices are of crucial importance.

This scenario demonstrates the need to design and deploy specific health sector cybersecurity solutions that will enable it to cater to its present and future needs.

Based on the above, the eHealth sector’s main needs can be summarized as follows:

  • eHealth service resiliency against cyberattacks. Guaranteeing system availability and business continuity is the key component for providing seamless electronic healthcare services. Access to critical health information by authorized professionals and secure access control by end-users need to be guaranteed in order to ensure the best healthcare services.
  • Real-time security and reliability monitoring.
  • Since the human factor is one of the major security threats in the eHealth domain, it is vital that personnel be made aware of the basic cybersecurity threats they are exposed to.
  • Medical research can largely benefit from access to a large set of data not only from clinical trials, but also from monitoring the actual health parameters of patients and correlating them to environmental characteristics, population data, location data, etc. Healthcare digitization can provide this data in an unprecedented volume and with unprecedented quality, but there is a pressing need to safeguard data privacy as well as data integrity, and also ensure data subjects can control the use of their data. Transparency of data usage is an essential prerequisite.
  • Addressing the lack of harmonization of services and electronic health records (EHR) within Europe.
  • Including security and privacy by design in the development and upgrading of hospital services and, more importantly, medical devices.
  • When new devices or systems are implemented, cybersecurity aspects need to be planned and implemented right from the beginning, meaning the procurement, outsourcing, and maintenance phases of new systems need to be defined beforehand.

GMV is chairing Sub-Working Group 3.6 in Healthcare at ECSO (European CyberSecurity Organization) looking for joint public-private solutions to these challenges.

Author: Julio Vivero Millor
