Cybersecurity is the ultimate team sport, Anthony Kitzelmann, Chief Information Security Officer at the Australian Digital Health Agency and General Manager at the Agency’s Cyber Security Centre, underscores as he shares with Hospital Insights Asia why cyber resilience is crucial in healthcare, why cybercriminals are always looking for a good opportunity to attack, and how hospitals should prepare for and respond to a data breach.
Why must hospitals be cyber resilient?
Trust is non-negotiable in healthcare. Patients go to hospitals and doctors they trust. Cybersecurity is a natural extension of this trust, as patients have a right to expect that their data will be looked after and the health system is secure.
Looking at it from a business perspective, the cost of cybercrime can be massive. If a hospital’s patient booking system for surgeries, for example, is affected by a ransomware attack, surgical procedures will have to be postponed, thereby impacting the hospital’s revenue and its ability to sustain the workforce and meet the needs of the community it serves.
It may not be too obvious to others, but cybersecurity has a direct impact on patient care. A breach in the health system can delay surgeries, as happened recently at University Hospital Düsseldorf, where a patient died following a ransomware attack that delayed her surgery.
Hospitals should remember that cybercrime actors can attack booking systems, compromise imaging databases, patient databases, and corrupt data, which can all have an adverse effect on the safety of patients and the efficient delivery of hospital services.
But why do cybercriminals attack hospitals?
Cybercriminals have one specific focus – that is, to make money easily and quickly. They attack healthcare systems to gain access to personally identifiable information, like names, birthdates, health card numbers, and even banking details stored in the system, and use this data to take control of someone’s identity, sell it on the dark web, get bank loans, and make the hospital pay a ransom to get its data back after a ransomware attack.
Recently, across the globe, there has been a massive increase in phishing attacks with a focus on COVID-19. These come in an email urging you to open a link to supposedly find the newest updates on the pandemic, and users often fall prey to them as they are enveloped with fear for themselves and their families and thus want to be constantly informed.
Cyber adversaries know the game they’re playing. They understand people’s emotional vulnerabilities at this difficult time and use these to their advantage. Now that people are slowly returning to physical work arrangements from remote working arrangements, we see cybercriminals adjusting their approach, targeting employees through a phishing email masked as someone from the company’s IT department. In other words, cybercriminals understand the uniqueness of the human psyche and this gives them leverage.
So how do hospitals up their cyber defences?
Cybercriminals can only gain an advantage if you leave a way for them to get into your system. To have a cyber-resilient health service, hospitals should make sure that all connections to the internet go through a managed gateway. Think of it as filtering the way the information comes to your hospital, thereby allowing you to filter out the bad guys and letting the good guys through your front door. You can’t have a thief finding the unlocked door and walking through it that easily, can you?
Another important measure is to keep your technology patched and updated, as cybercrime is primarily a technology-based challenge. Just as you make sure your children get the latest vaccinations for the flu virus, you also need to ensure your servers and workstations are equipped with the most recent security so cyber-adversaries can’t possibly break in.
In the same way, educating the workforce is equally crucial, particularly for large hospitals. As cybersecurity involves a team rather than an individual, keeping hospital staff aware of good cyber hygiene practices and cyber risks is one way of avoiding someone in the organisation mistakenly clicking on a phishing email. A shared understanding of the risks, therefore, can help hospitals respond in a unified way. Further, it will increase the chance to level the playing field with cybercriminals, as the latter often discuss and plan together what they’re going to do, whereas this is not so common a practice in healthcare organisations.
Part of this is also building confidence within the team to engage and take responsibility for cybersecurity. People make mistakes, and someone might accidentally open the front door to cybercriminals. But with a culture where everyone is not afraid to be transparent about potential breaches in the system, cyber-attacks can be prevented.
What can a hospital that experienced a cyber-attack do?
Finding out that your hospital is under attack isn’t something you need to hide because everybody gets attacked anyway. So, the first thing you need to do is to immediately call for professional advice and support.
Next, you need to make the system safe, which requires you to contain the attack so it won’t get to your secondary systems. When your booking system, for instance, has been compromised, you should isolate this specific component from the network so the attack won’t break into the primary health network where patients’ health data is stored.
The next steps are collecting as much information as possible and sharing it with partners. Cybercriminals aren’t just going to attack your hospital; they’re also planning to attack other hospitals. In cybersecurity, there are “indicators of compromise”, something like fingerprints that help you identify which cybercriminals are attacking you and how they’re attacking your system. When other hospitals have such information, they can successfully block the same attack by understanding the technical tradecraft the adversaries are using.
Equally crucial is having a Cyber Incident Response Plan in place, which shall cover three facets, namely, the technical capabilities, communications, and roles and responsibilities of management. The technical workforce needs to have the appropriate tools and support, so they can efficiently fix the system in case of an attack without having to wait for someone to give the go signal allowing them to make the necessary decisions to contain and stabilise the system. Additionally, should a cyber-attack happen, it is crucial to have a communications plan prepared that includes these key aspects: acknowledgement of the cyber-attack in the hospital systems, actions taken to engage cybersecurity experts, assurance in putting patient data as the top priority, and commitment to advising the public as things unfold. This response builds a level of confidence for your patients as they know your hospital is being transparent about the issue and is actively taking the necessary steps to correct the attack. Lastly, it is critical to clearly define the roles and responsibilities of your crisis management team, meaning, to have the right people make the right decisions and keep key business stakeholders informed throughout the process.
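As an added illustration of the “indicators of compromise” Kitzelmann describes and of the filtering a managed gateway can do, not code from the Agency or from this interview: a partner hospital shares sender domains, link hosts and attachment hashes from its incident, and the receiving hospital checks its own mail-gateway log for them to find which mailboxes were exposed. The IoC values, the log layout and the field names are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed IoC set in the shape a partner hospital might share after an
# incident: sender domains, link hosts and attachment hashes (all made up).
BAD_HASH = "5b" * 32
SHARED_IOCS = {
    "sender_domain": {"covid19-updates.example"},
    "url_host": {"it-helpdesk-reset.example"},
    "sha256": {BAD_HASH},
}

# Constructed mail-gateway log lines in an assumed key=value layout
# (not the format of any real product); "-" means the field is absent.
SAMPLE_LOG = f"""\
2020-10-01T08:12:03Z from=news@covid19-updates.example to=nurse1@hospital.example url=http://cdn.example/x sha256={'7a' * 32}
2020-10-01T08:13:10Z from=it-support@hospital.example to=ward3@hospital.example url=https://it-helpdesk-reset.example/login sha256=-
2020-10-01T08:14:22Z from=radiology@vendor.example to=imaging@hospital.example url=- sha256={BAD_HASH}
2020-10-01T08:15:40Z from=hr@hospital.example to=all@hospital.example url=- sha256=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) url=(?P<url>\S+) sha256=(?P<sha>\S+)$"
)

def ioc_hits(fields, iocs):
    """Return (ioc_type, value) hits for one parsed log line, or [] if clean."""
    hits = []
    sender_domain = fields["sender"].rpartition("@")[2].lower()
    if sender_domain in iocs["sender_domain"]:
        hits.append(("sender_domain", sender_domain))
    host = (urlparse(fields["url"]).hostname or "").lower() if fields["url"] != "-" else ""
    if host in iocs["url_host"]:
        hits.append(("url_host", host))
    if fields["sha"] in iocs["sha256"]:
        hits.append(("sha256", fields["sha"]))
    return hits

def scan_log(text, iocs):
    """One finding (timestamp, recipient, hits) per log line matching the shared IoCs."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        hits = ioc_hits(m.groupdict(), iocs) if m else []
        if hits:
            findings.append({"ts": m["ts"], "rcpt": m["rcpt"], "hits": hits})
    return findings

def exposed_recipients(findings):
    """Sorted mailboxes that received something matching the feed (who to contact first)."""
    return sorted({f["rcpt"] for f in findings})
```

The same matching, run at the managed gateway rather than over a log after the fact, is what lets a hospital block the attack a partner has already seen.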
Cybersecurity is a key part of the healthcare ecosystem for hospitals of every size, wherever they are located. It is high time that hospitals acknowledge the importance of educating their workforce, ramping up their cyber resilience, and preparing for when a cyber-attack happens.
Kitzelmann uses a brilliant analogy that hospitals can refer to as a reminder of this: Cyber resilience and cybersecurity are a lot like washing our hands and putting a mask on before treating a patient. They ensure both the healthcare provider and the patient are safe and protected. If everyone practices good cyber hygiene, hospital systems might just be able to protect the trust of patients as well as the business.