This is true not only in monetary terms, but information security could even be a question of life and death.
In September 2020, a breaking article confirmed the inevitable – the first death caused by a ransomware attack. The alleged victim is a woman who needed urgent medical care and had to be re-routed to another hospital as a result of a ransomware attack on a Dusseldorf hospital. According to the Associated Press, the attack caused the failure of the hospital’s IT system, making it impossible to access data and therefore requiring emergency patients to be moved and surgical operations to be rescheduled.
The attack appears to have been a mistake on the part of the hackers: the ransom note was addressed to a university, and they withdrew their ransom request after being contacted by the German police. Systems are now being restored. The vulnerability which led to the attack seems to result from a failure to patch a known security flaw in commercial software.
This event demonstrates, most unfortunately, the vital importance of approaching cybersecurity holistically and of building a culture of security into organizations. Cybersecurity, in this case and in the countless cases that we will surely see in the future, is not just about ticking boxes on an audit checklist; it is about having successfully operationalized and embedded cybersecurity principles and best practices into daily operations, by way of confirmed technical and organizational measures. Systems must always be protected – vulnerabilities patched, anti-virus software up to date. There is no room for failing to do so when the question could be one of life and death.
Earlier this year ENISA published information concerning cybersecurity in the healthcare sector which in light of COVID-19 has become increasingly relevant. In fact, the EU Agency notes, “the sector has become a direct target or collateral victim of cybersecurity attacks. Malicious actors taking advantage of the COVID19 pandemic have already launched a series of phishing campaigns and ransomware attacks. Hospitals have shifted their focus and resources to their primary role, managing this extraordinary emergency, which has placed them in a vulnerable situation. Hospitals, and the whole healthcare sector, now have to be prepared.” But even before COVID, security incidents in hospitals were nothing new. In fact, according to research carried out by Clearswift, in 2019, 67% of companies in the healthcare sector suffered cyber incidents.
With healthcare becoming ever-more dependent on network-connected devices, including medical instruments, the sensitive nature of health data, and the potential for a breach in availability, the importance of cybersecurity in the healthcare sector is becoming increasingly evident.
It is therefore recommended that organizations in the sector work towards cyber resilience and availability as ENISA suggests, by:
- Raising awareness within the organization of cyber risks, such as phishing emails
- Having a plan to deal with incidents
- Ensuring business continuity through effective procedures for backup and restoration: “Business continuity plans should be established whenever the failure of a system may disrupt the hospital’s core services and the role of the supplier in such cases must be well-defined.”
- Having a coordinated incident response plan in place and collaborating “with vendors for incident response in case of medical devices or clinical information systems.”
- Having procedures in place to freeze system activity, disconnect affected machines, take the network offline and contact national CSIRTs.
- Providing for network segmentation to isolate or filter traffic and prohibit access between network zones.
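The last recommendation, network segmentation between zones, is the one on this list that can be expressed directly as a technical control. The following added example (not part of the original article or of ENISA's guidance) models a small zone-based policy for a hospital network and compares the reach of a compromised office workstation under a flat network with its reach under a segmented, default-deny policy. The zone names, addresses, ports and rules are constructed for illustration and do not describe any real hospital network.

```python
"""Zone-based segmentation model for a hospital network.

Added example, not the article's or ENISA's own code. Zones, addresses,
ports and rules below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zones. On a flat network all of these hosts share one broadcast domain.
ZONES = {
    "office": ip_network("10.10.0.0/16"),      # staff workstations, email, browsing
    "clinical": ip_network("10.20.0.0/16"),    # EHR / clinical information systems
    "medical": ip_network("10.30.0.0/16"),     # network-connected medical devices
    "management": ip_network("10.40.0.0/24"),  # device monitoring and patch servers
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"


# Explicit allow list between zones; any cross-zone flow not listed is denied.
# Traffic within a zone is left to host firewalls and is not modelled here.
SEGMENTED_POLICY = [
    Rule("office", "clinical", 443),            # workstations reach the EHR web front end
    Rule("management", "medical", 22),          # management hosts administer devices
    Rule("medical", "management", 514, "udp"),  # devices send syslog to monitoring
]

# A flat network: every zone may talk to every other zone on any port and protocol.
FLAT_POLICY = [Rule(s, d, None, p) for s in ZONES for d in ZONES for p in ("tcp", "udp")]

Flow = Tuple[str, int, str]  # (destination IP, destination port, protocol)


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(policy: List[Rule], src_ip: str, dst_ip: str, dport: int, proto: str = "tcp") -> bool:
    """Default-deny check: a cross-zone flow passes only if an explicit rule matches.

    Same-zone traffic is allowed (segmentation acts between zones), and traffic
    involving an address outside all known zones is rejected.
    """
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return any(
        r.src_zone == src and r.dst_zone == dst and r.proto == proto
        and (r.dport is None or r.dport == dport)
        for r in policy
    )


def blast_radius(policy: List[Rule], src_ip: str, targets: List[Flow]) -> List[Flow]:
    """Which of the given flows a single compromised host could complete under policy."""
    return [t for t in targets if is_allowed(policy, src_ip, *t)]


# Constructed scenario: a phishing email compromises one office workstation.
WORKSTATION = "10.10.5.23"
TARGETS: List[Flow] = [
    ("10.30.1.10", 22, "tcp"),   # SSH to an infusion-pump controller (medical zone)
    ("10.30.1.11", 445, "tcp"),  # SMB to an imaging workstation (medical zone)
    ("10.20.0.5", 443, "tcp"),   # the EHR web front end (clinical zone)
    ("10.40.0.2", 22, "tcp"),    # the management server
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {blast_radius(policy, WORKSTATION, TARGETS)}")
```

Under the flat policy the compromised workstation reaches every target, including the device zone; under the segmented policy only the one flow the hospital actually needs (HTTPS to the EHR front end) survives, which is the property a firewall or VLAN design between zones should be verified against before an incident rather than during one.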