Digital technology has become central to the health sector. It applies to all activities, from patient admissions to prescription management to monitoring the physical environment. In this context, cybersecurity risks have also become widespread. Conducting a security audit makes it possible to concretely assess the risks for each institution or company in the health sector.
Here is an overview of the cybersecurity challenges we frequently encounter and that can be points of attention during a pentest. While data protection is a major issue, other risks related to hardware and IT infrastructure are also recurring points of concern.
Health data is particularly sensitive personal data. It is covered by enhanced protection, particularly in legal terms.
Legislation varies from country to country:
- in France, there is for example an obligation to store data with HDS (Hébergeur De Santé) certified hosts, so that the hosting is adapted to the level of criticality of the data.
- in the European Union, there is for instance the GDPR, which covers all personal data, including health data. It strengthens the rights of the persons concerned by the processing of their data (relevance and proportionality, limited storage…), and confirms the principle that processing health data is prohibited by default because of its sensitivity (Article 9). It also sets out the obligation to report security incidents, which implies protecting the information system and carefully monitoring what happens to it.
- in the US, one example is the Health Insurance Portability and Accountability Act, HIPAA. It provides a framework for the protection of personally identifiable health data. This includes ensuring the confidentiality, integrity and availability of data, and identifying and taking reasonable steps to protect against threats, misuse and data leakage (source).
Data protection involves protecting both the confidentiality and the integrity of sensitive data.
Data confidentiality is an aspect to be taken into account throughout the ‘journey’ of producing and collecting health data. This involves many contexts, for example:
- Online services: portals for analysis results, shared medical records, online medical software, etc.
- Connected devices: remote monitoring systems, connected wristbands, connected pill dispensers, etc.
- Hospital information systems: software and servers used internally for patient management, internal organisation and information storage.
Data integrity is also at stake in many contexts, with the severity depending on the impact of destroyed or corrupted data.
Many types of vulnerabilities allow access to data processed by web applications (online services), connected devices, or the internal infrastructure of companies or healthcare institutions. From a technical point of view, there is a very wide variety of vulnerabilities, which apply to different business contexts.
During a security audit, the technical choices and security measures implemented will be ‘fire tested’ to check whether it is possible to access, modify or destroy data in the event of a cyberattack.
Connected devices represent a real cybersecurity challenge. The most worrying threats are unauthorised third-party control of objects and data leaks.
The variety of technologies used, and therefore the number of possible points of attack, is a weak point: cyberattacks can exploit vulnerabilities related to electronic components, firmware, configuration problems, flaws in web interfaces or mobile applications…
Web interfaces and mobile applications are often the most vulnerable entry points; however, in some cases it is possible to extract data directly from the electronic components of the object.
For a manufacturer of connected devices, a security by design approach is essential. A security audit (IoT pentest) then makes it possible to test the product's security.
For a company or healthcare institution using connected objects designed by third parties, the configuration of the objects and the security of the networks to which the objects will be connected are essential. A number of hacking incidents are in fact linked to the possibility of exploiting local network vulnerabilities.
Conventional Equipment Connected to the Network
‘Conventional’ equipment connected to a local network can also lead to risks of external takeover or data leaks. This concerns printers/scanners, but also medical equipment such as X-ray machines, devices used for care…
For the company or healthcare institution using this type of equipment, security issues are also related to the security of the local network. Problems related to access partitioning represent a potentially critical threat.
A local network security audit makes it possible to concretely verify what an attacker could achieve.
Continuity of the Information System
Risks Related to Ransomware
Ransomware attacks consist of paralysing a system in order to demand ransom from its victims. Cases of ransomware attacks on healthcare facilities have been publicised due to the direct impact on human lives.
The risks associated with this type of attack depend largely on the users of an information system: human behaviour is the gateway attackers use to compromise the entire computer system.
To protect against this type of attack, there are however a number of levers that need to be activated: anti-malware protections, restriction of user rights to the most indispensable tools, partitioning between different portions of the networks and between different networks (for example in hospitals: partitioning between the WiFi used by patients and the WiFi used by medical staff), backups, continuity and recovery plans, and, of course, staff awareness of the risks of phishing and malicious USB keys.
In the context of a security audit, it is possible to test the protections in place, the effectiveness of incident management as well as user behaviour, by simulating a realistic cyberattack. To assess the level of vulnerability to ransomware (or other malware) attacks, the security audit will include social engineering tests.
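Among the levers listed above, monitoring is what turns backups and partitioning into an actual response: a ransomware run on a file share shows up as a burst of files being renamed with a new extension by a single account. The following detector is an added example written for this article (it is not the page's or any vendor's code): it parses constructed file-activity log lines (the format "timestamp host user operation path" and the sample entries are assumptions) and raises an alert when one host/user pair renames more than a threshold of files to a new extension within a short window. The window and threshold are tuning assumptions.

```python
"""Flag ransomware-like bursts of renames that append a new file extension.

Added example: log format, sample lines, window and threshold are all assumptions.
"""
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed observation window
THRESHOLD = 5                   # assumed: renames-with-new-extension per window per host/user

# Constructed sample log (not from any real system). Format: "ts host user op path[ -> newpath]"
SAMPLE_LOG = """\
2024-03-01T08:00:01 ws-12 nurse01 WRITE /share/patients/notes_0412.docx
2024-03-01T08:00:09 ws-12 nurse01 RENAME /share/patients/draft.docx -> /share/patients/notes_0413.docx
2024-03-01T08:15:00 ws-07 admin02 RENAME /share/lab/result_001.pdf -> /share/lab/result_001.pdf.locked
2024-03-01T08:15:01 ws-07 admin02 RENAME /share/lab/result_002.pdf -> /share/lab/result_002.pdf.locked
2024-03-01T08:15:01 ws-07 admin02 RENAME /share/lab/result_003.pdf -> /share/lab/result_003.pdf.locked
2024-03-01T08:15:02 ws-07 admin02 RENAME /share/lab/result_004.pdf -> /share/lab/result_004.pdf.locked
2024-03-01T08:15:02 ws-07 admin02 RENAME /share/lab/result_005.pdf -> /share/lab/result_005.pdf.locked
2024-03-01T08:15:03 ws-07 admin02 RENAME /share/lab/result_006.pdf -> /share/lab/result_006.pdf.locked
2024-03-01T09:00:00 ws-03 doc05 RENAME /share/archive/scan_01.tif -> /share/archive/scan_01.tif.bak
2024-03-01T09:20:00 ws-03 doc05 RENAME /share/archive/scan_02.tif -> /share/archive/scan_02.tif.bak
"""


def parse_line(line):
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, host, user, op, rest = parts
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "op": op}
    if op == "RENAME":
        if " -> " not in rest:
            return None
        rec["src"], rec["dst"] = rest.split(" -> ", 1)
    else:
        rec["path"] = rest
    return rec


def extension_added(src, dst):
    """True when dst is src with an extra extension appended (x.pdf -> x.pdf.locked)."""
    return dst.startswith(src) and len(dst) > len(src) and dst[len(src)] == "."


def detect_rename_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per host/user pair whose rename-with-new-extension count
    reaches `threshold` inside `window`. Ordinary renames and slow renames are ignored."""
    recent = defaultdict(deque)   # (host, user) -> timestamps of suspicious renames
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] != "RENAME" or not extension_added(rec["src"], rec["dst"]):
            continue
        key = (rec["host"], rec["user"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": key[0],
                "user": key[1],
                "count": len(q),
                "extension": os.path.splitext(rec["dst"])[1],
                "first_seen": q[0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log only the ws-07/admin02 burst fires (five ".locked" renames in three seconds); the nurse's ordinary rename and the two ".bak" renames twenty minutes apart do not. In a real deployment the alert would feed the incident process (isolate the host, revoke the account's share access, check the last clean backup) rather than just print.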
Denial of Service
Other types of attack can lead to the unavailability of an information system. There are different types of DoS (denial of service) or DDoS (distributed denial of service) attacks, which can target all types of structures.
From a technical point of view, protecting against this type of attack involves securing the configuration of the networks and services exposed on the networks. The security of the data centres (internal or external) is also a key factor, as is the effectiveness of the disaster recovery plan. As part of an information system security audit, it is possible to specifically test denial of service attacks.
Denial of service attacks can also target specific software or online services to make them unavailable. In this case, preventing these risks involves securing the software layer in addition to infrastructure security. Indeed, certain types of vulnerabilities specific to application development make software vulnerable to DoS attacks.
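A concrete instance of the application-layer weakness mentioned above is a handler that parses and processes whatever it receives, so one client can exhaust memory or CPU with a single oversized upload or a stream of requests. The following added example (written for this article, not code from the page or from any product) contrasts that naive pattern with a hardened version for a hypothetical "analysis results upload" endpoint: the body size, the number of records and the per-client request rate are all bounded before any real work is done. The endpoint, the limits and the client identifier scheme are assumptions.

```python
"""Application-layer DoS hardening: bound work per request and requests per client.

Added example; the endpoint semantics and all limits are assumptions.
"""
import json
import time
from collections import defaultdict, deque

MAX_BODY_BYTES = 64 * 1024   # assumed cap for one results upload
MAX_RECORDS = 500            # assumed cap on records per upload
RATE_LIMIT = 20              # assumed: requests per client per window
RATE_WINDOW_S = 60.0


def naive_upload_handler(body: bytes):
    """Vulnerable pattern: parses an unbounded body and processes every record.
    A multi-megabyte or deeply nested payload costs the server far more than the client."""
    records = json.loads(body)
    return {"status": 200, "processed": len(records)}


class RateLimiter:
    """Sliding-window limiter: at most `limit` accepted requests per client per `window_s`."""

    def __init__(self, limit=RATE_LIMIT, window_s=RATE_WINDOW_S, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = defaultdict(deque)   # client_id -> timestamps of accepted requests

    def allow(self, client_id):
        now = self.clock()
        q = self._hits[client_id]
        while q and now - q[0] >= self.window_s:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_upload_handler(body: bytes, client_id: str, limiter: RateLimiter):
    """Cheapest checks first: rate, then size, then parse, then structural limits."""
    if not limiter.allow(client_id):
        return {"status": 429, "error": "rate limit exceeded"}
    if len(body) > MAX_BODY_BYTES:
        return {"status": 413, "error": "payload too large"}
    try:
        records = json.loads(body)
    except (ValueError, RecursionError):   # malformed or pathologically nested JSON
        return {"status": 400, "error": "malformed JSON"}
    if not isinstance(records, list):
        return {"status": 400, "error": "expected a list of records"}
    if len(records) > MAX_RECORDS:
        return {"status": 422, "error": f"too many records (max {MAX_RECORDS})"}
    return {"status": 200, "processed": len(records)}


if __name__ == "__main__":
    limiter = RateLimiter()
    print(hardened_upload_handler(b'[{"id": 1}, {"id": 2}]', "client-a", limiter))
    print(hardened_upload_handler(b"[" + b"1," * 40000 + b"1]", "client-a", limiter))
```

The ordering matters: the rate check and the byte-length check cost nothing, so an abusive client is rejected before the server spends CPU parsing JSON. In a real service the same bounds would typically be enforced at the reverse proxy as well, and the limiter state would live in a shared store rather than process memory.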
Trust From Users and Third Parties
Preventing All Types of Cyber Attacks
Trust is a central notion for new technologies in the health field. As health is both an intimate subject and one with vital repercussions, risks concerning cybersecurity can trigger mistrust, rejection and even paranoia.
In this context, it is therefore essential to prevent any type of cybersecurity breach, in order to gain the trust of patients, doctors and society as a whole.
The trust of the medical profession and public funders is indeed essential for the development of digital tools for the health sector.
For example, the French government has set up the HOP’EN programme, which aims to finance the evolution of hospital information systems. This programme requires that institutions meet certain prerequisites to obtain grants. One of these prerequisites is precisely the security of the information system and requires a security audit to be carried out (source in French).
In the context of a security audit, this means first adopting a global approach to detecting risks, rather than focusing on a particular type of threat. Focusing on certain threats can be done in a second phase, depending on the priority risks identified.
Opening of the Systems to the Outside
Finally, the opening of information systems to the outside is a source of new threats. This is a particularly sensitive issue for healthcare institutions and professionals because of the nature of the risks.
Remote work became massively widespread in 2020 with the Covid-19 health crisis. This creates risks for all organisations that open remote access to their information system. Securing the entry points to the information system and the different types of access is of particular importance, especially as cyberattacks have increased sharply. At the same time, the use of online services such as teleconsultation and remote monitoring platforms has exploded, which means that healthcare professionals must choose reliable solutions and solution publishers must make new security efforts. Recent successful cyberattacks – for example the ransomware attack against the German healthcare group Fresenius in May 2020 or the data theft at Doctolib in July 2020 – show that the risks are very real.