A healthcare system under attack

For some a difficult crisis, for others a license to print money: Cybercriminals are scrupulously exploiting the coronavirus pandemic and increasingly attacking healthcare institutions. This is presenting cybersecurity with enormous challenges, which can be overcome with the right strategies.

It was a battle of life or death. A woman who had been injured in an accident had to be transported by ambulance to the University Medical Center in Düsseldorf. Unfortunately for the patient, hackers had brought the hospital’s IT system to a standstill in a bid to extort money. As a result, the ambulance was redirected to a hospital in Wuppertal, a city located more than 30 kilometers away. It was a detour that cost precious time and the woman died. Her death was probably not the result of the hacker attack – but the incident clearly illustrates the potential threat that hacker attacks pose to hospitals. The cyberattack went on for several days and had far-reaching effects: The number of patients receiving inpatient care was reduced by half at the University Medical Center in Düsseldorf, instead of up to 120 operations, only a maximum of 15 were performed each day.

Attacks have increased dramatically

The incident occurred last fall, right in the midst of the coronavirus crisis, which had already pushed the German healthcare system to its maximum capacity. And that was precisely when the attackers struck. Just a coincidence? “No, the attacks on healthcare institutions have increased dramatically,” says Christian Dameff, Medical Director of Cybersecurity at the University of California in San Diego. The figure has risen by nearly 30 percent just during the pandemic. The criminals adapted quickly and took advantage of larger targets created, for example, by the increasing amounts of people working from home or resulting from higher workloads in clinics and medical practices. “Those who are involved in the healthcare system are overworked and understaffed, which is why they placed cybersecurity on the back burner for the time being,” says Dameff.

Although this is not really just a matter of giving something less priority, since cybersecurity was not an important topic for medical staff even before the coronavirus crisis. Dameff is speaking from experience here, since he is an emergency medicine physician at the university’s hospital and is therefore well familiar with both sides. Moreover, he asked his colleagues at other clinics about the importance of cybersecurity at their facilities. According the Dameff, the answers ranged from “Cybersecurity? What’s that?” to “Yes, I’ve heard of that before. I have a folder in the closet with a few instructions that I haven’t read yet.” Furthermore, he notes that in many clinics, there is a maximum of two employees who are familiar with the topic of cybersecurity, while at some facilities nobody is responsible for it.

Just as complex as a city

Dameff regards this is dangerous, not just because of the current pandemic. “Clinics today are just like little cities that have their own power supply, comprehensive IT and thousands of employees and patients, all of which is highly complex.” And this is now being combined with the increasing interconnectedness of medical devices and sensors.

 

While this poses great challenges not only for the clinics, it also places demands on the manufacturers of medical devices. This is illustrated by an anecdote from Mirko Ross, CEO and Founder of asvin.io, a solution provider that advises companies on IoT security matters. Following one of his lectures, he was approached by an audience member who complained that the manufacturer of his brain pacemaker no longer provided updates. This in turn gave rise to his concerns about the pacemaker being susceptible to external programming and therefore manipulation. Ross wanted to know how old the pacemaker was. “It was implanted last year,” answered the audience member. Mirko Ross regards this as a typical situation: “Medical devices are quite often already obsolete when they are ‘newly’ launched on the market.” 

Long development cycles

“While that’s catastrophic, it’s not surprising,” warns Christian Dameff. He explains that the development of medical technology devices frequently takes five to ten years and the certification is an incredibly time-consuming part of this process. During this phase, some manufacturers suspend software development, or they do not supply security patches after market introduction. In addition, these devices are becoming increasingly connected and function as a door lacking a lock without security measures aimed at combating cybercriminals. Dameff even regards the healthcare system as “too connected” – not because he rejects digitalization and networking, but rather due to the fact that many facilities and the medical technology industry are not prepared to handle this. However, Dameff appreciates where manufacturers are coming from. Under some circumstances, changes to a medical product, for example the software, can entail comprehensive modifications to the overall architecture, thus requiring complex recertification. This is precisely what some manufacturers attempt to avoid, as such expenses cannot always be passed on to the user. 

Thus, the underlying question is how can the long life cycles in medical technology be reconciled with cybersecurity? Siemens Healthineers is consistently adopting the approach “Security by Design and Default”. Cybersecurity is therefore not a function that is introduced to the product at a later point in time, but rather a feature that has been an integral part of the concept from the very beginning and is a key quality attribute. And what about the numerous old devices found in clinics, practices and ambulances? “Simply suspending software development is not an option, since networking and development are constantly progressing,” says Carlos Arglebe, Chief Cybersecurity Officer at Siemens Healthineers. Siemens Healthineers therefore relies on controlled change. This means even many of the older devices on the installed base receive patches and updates which have been thoroughly tested. To this end, Siemens Healthineers offers its customers comprehensive service packages to ensure the security management of all the equipment in clinics or individual devices in practices throughout their entire life cycle. Furthermore, developers’ mindset has also changed: “When it comes to cybersecurity, we are increasingly moving away from a mainly technology-based approach, instead placing the focus on people – both on the patients and staff,” says Arglebe. “After all, cybersecurity serves as the fire wall for patient safety and data protection.”

When it comes to cybersecurity, we are increasingly moving away from a mainly technology-based approach, instead placing the focus on people – both on the patients and staff.

Attackers manipulate research data

Cybercriminals have also reoriented themselves in recent months. Their efforts are usually aimed at earning fast cash. By encrypting and blocking a clinic’s IT services, they try to extort ransom money, which they likely succeed in doing more often than the public is even aware of. COVID-19 gave rise to a new threat for the healthcare industry, namely the theft of intellectual property, particularly information that could help manufacture vaccines. Moreover, there is one threat that has not received enough attention: Attackers could also try to manipulate data from scientific studies. Knowledge thereof would undermine public confidence in vaccinations or political decisions. But that’s not all: “Even scientists would perhaps no longer be able to trust their own data,” fears Christian Dameff.

After the crisis is before the crisis

Vaccinations against COVID-19 are currently well underway and there is good reason to believe that the pandemic will become less threatening over the course of the year. Will this cause cybercriminals to lose interest as well? That is unlikely, because the healthcare system will remain a lucrative target even in the absence of the pandemic and still attract attackers thanks to promising chances of success and high ransom payments. In addition, we need to be aware of the fact that COVID-19 is not the only danger lurking out there. There will always be crises, such as a collapsing infrastructure as the result of an earthquake or a tsunami. Or situations like those arising every now and then in Germany – unearthing an unexploded bomb from World War II right next to a hospital, thus causing evacuation of the building. Dameff comments: “When it comes to the healthcare system, we must improve the way crises are addressed and cybersecurity is a fundamental part of this.”  

Subscribe to our Newsletter

Stay up to date at all times: everything you need to know about electrification, automation, and digitalization.