
Digital technology has become central to the health sector. It applies to all activities, from patient admissions to prescription management to monitoring the physical environment. In this context, cybersecurity risks have also become widespread. Conducting a security audit makes it possible to concretely assess the risks faced by each institution or company in the health sector.
Here is an overview of the cybersecurity challenges that we frequently encounter and that deserve particular attention during a pentest. While data protection is a major issue, other risks related to hardware and IT infrastructure are also recurring points of concern.
Health data is particularly sensitive personal data and is covered by enhanced protection, particularly in legal terms.
Legislation varies from country to country:
Data protection involves protecting both the confidentiality and the integrity of sensitive data.
Data confidentiality is an aspect to be taken into account throughout the ‘journey’ of producing and collecting health data. This involves many contexts, for example:
Data integrity is also at stake in many contexts, depending on the impact of destroyed or corrupted data.
Many types of vulnerabilities allow access to data processed by web applications (online services), connected devices, or the internal infrastructure of companies or healthcare institutions. From a technical point of view, there is a very wide variety of vulnerabilities, which arise in different business contexts.
During a security audit, technical choices and security measures implemented will be ‘fire tested’ to check whether it is possible to access, modify or destroy data in case of a cyberattack.
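The two properties discussed above, confidentiality and integrity of health data, can be illustrated with a small patient-record service. The following is an added example written for this article, not code from the page or from any audited product: it contrasts a record lookup that only checks that the caller is logged in (so any clinician can read any patient's file by changing the identifier) with one that checks authorisation on the specific record, and it adds an HMAC tag so that a modified record can be detected. The patient records, clinician assignments and the key are constructed sample values.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample data: a tiny in-memory patient record store (not real data).
RECORDS = {
    "P-1001": {"name": "Patient A", "diagnosis": "hypertension"},
    "P-1002": {"name": "Patient B", "diagnosis": "type 2 diabetes"},
}

# Which clinician is assigned to which patients (constructed).
ASSIGNMENTS = {
    "dr-martin": {"P-1001"},
    "dr-dupont": {"P-1002"},
}

# Hypothetical server-side secret used to seal records; a real deployment
# would keep it in a secrets store, never in source code.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "clinician" or "admin"


class AccessDenied(Exception):
    pass


def get_record_insecure(user, patient_id):
    """Vulnerable: being authenticated is treated as being authorised, so any
    logged-in user can read any record by changing the identifier."""
    return RECORDS[patient_id]


def is_authorised(user, patient_id):
    """Object-level authorisation: admins may read any record, clinicians only
    the records of patients assigned to them."""
    if user.role == "admin":
        return True
    return patient_id in ASSIGNMENTS.get(user.username, set())


def get_record(user, patient_id):
    """Hardened: the check is made on the specific record, not just on login.
    Authorisation is checked before existence so that unassigned clinicians
    cannot enumerate which identifiers exist."""
    if not is_authorised(user, patient_id):
        raise AccessDenied(f"{user.username} may not read {patient_id}")
    if patient_id not in RECORDS:
        raise KeyError(patient_id)
    return RECORDS[patient_id]


def _canonical(patient_id, record):
    # Deterministic serialisation so identical content always yields the same tag.
    fields = "|".join(f"{key}={record[key]}" for key in sorted(record))
    return f"{patient_id}|{fields}".encode()


def seal_record(patient_id, record):
    """Return an HMAC-SHA256 tag over the record so later tampering can be detected."""
    return hmac.new(INTEGRITY_KEY, _canonical(patient_id, record), hashlib.sha256).hexdigest()


def verify_record(patient_id, record, tag):
    """True if the record still matches the tag it was sealed with."""
    expected = seal_record(patient_id, record)
    # Constant-time comparison avoids leaking the tag through timing.
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    clinician = User("dr-martin", "clinician")
    print(get_record(clinician, "P-1001"))
    print(get_record_insecure(clinician, "P-1002"))  # the flaw: another patient's file
    tag = seal_record("P-1001", RECORDS["P-1001"])
    print(verify_record("P-1001", dict(RECORDS["P-1001"], diagnosis="none"), tag))
```

During an audit, the first behaviour is what a tester looks for by substituting identifiers in requests; the second is what the application should exhibit. The HMAC tag is a minimal integrity control: it detects modification of stored data, but it does not replace backups, which are needed to restore data once corruption is detected.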
Connected devices represent a real cybersecurity challenge. The most worrying threats are unauthorised third-party control of objects and data leaks.
The variety of technologies used, and therefore the number of possible points of attack, is a weak point: cyberattacks can exploit vulnerabilities related to electronic components, firmware, configuration problems, flaws in web interfaces or mobile applications…
Web interfaces and mobile applications are often the most vulnerable entry points; in some cases, however, it is possible to extract data directly from the electronic components of the device.
For a manufacturer of connected devices, the Security by design approach is essential. A security audit (IoT pentest) then makes it possible to test the product's security.
For a company or healthcare institution using connected objects designed by third parties, the configuration of the objects and the security of the networks to which the objects will be connected are essential. A number of hacking incidents are in fact linked to the possibility of exploiting local network vulnerabilities.
‘Conventional’ equipment connected to a local network can also lead to risks of external takeover or data leaks. This concerns printers/scanners, but also medical equipment such as X-ray machines, devices used for care…
For the company or healthcare institution using this type of equipment, security issues are also related to the security of the local network. Problems related to access partitioning represent a potentially critical threat.
A local network security audit makes it possible to verify concretely what an attacker could achieve.
Ransomware attacks consist of paralysing a system in order to demand a ransom from its victims. Cases of ransomware attacks on healthcare facilities have been publicised due to their direct impact on human lives.
The risks associated with this type of attack depend largely on the users of an information system: human behaviour is the gateway used by attackers to compromise the entire computer system.
To protect against this type of attack, there are nevertheless a number of levers that can be activated: anti-malware protections, restricting user rights to the tools that are strictly necessary, partitioning between different portions of a network and between different networks (for example in hospitals: partitioning between the WiFi used by patients and the WiFi used by medical staff), backups, continuity and recovery plans, and, of course, staff awareness of the risks of phishing and malicious USB keys.
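Network partitioning is mentioned twice above, for local networks that host medical equipment and as a lever against ransomware. The following added example (written for this article, not taken from the page or from any vendor's product) shows how an auditor can express a segmentation policy as code and check a firewall ruleset against it: a flat ruleset that lets the patient WiFi reach everything is compared with a hardened one that only allows the explicit flows the hospital needs. The segment names, the forbidden pairs and the probed ports are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Network segments of a hypothetical hospital (constructed names).
PATIENT_WIFI = "patient_wifi"
STAFF_WIFI = "staff_wifi"
CLINICAL = "clinical_devices"   # imaging, monitoring and other medical equipment
BACKUP = "backup_server"
INTERNET = "internet"
ANY = "*"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str
    dst: str
    port: Optional[int]  # None matches every port

    def matches(self, src, dst, port):
        return (self.src in (ANY, src)
                and self.dst in (ANY, dst)
                and self.port in (None, port))


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action == "allow"
    return False


# Segmentation policy: flows that must never be possible. Patient WiFi is treated
# as untrusted, and neither WiFi may reach the backup server directly, so that a
# ransomware infection on a workstation cannot encrypt the backups as well.
FORBIDDEN = [
    (PATIENT_WIFI, CLINICAL),
    (PATIENT_WIFI, BACKUP),
    (PATIENT_WIFI, STAFF_WIFI),
    (STAFF_WIFI, BACKUP),
]

# Ports probed across each forbidden pair (constructed sample):
# 22 SSH, 80/443 web, 104 DICOM, 445 SMB, 3389 RDP.
PROBE_PORTS = [22, 80, 104, 443, 445, 3389]


def audit(rules, forbidden=FORBIDDEN, ports=PROBE_PORTS):
    """Return every (src, dst, port) the ruleset lets through although the policy forbids it."""
    return [(src, dst, port)
            for src, dst in forbidden
            for port in ports
            if decide(rules, src, dst, port)]


# Weak ruleset: a flat network where every segment can reach every other one.
WEAK_RULES = [
    Rule("allow", ANY, ANY, None),
]

# Hardened ruleset: only the flows the hospital actually needs are allowed.
HARDENED_RULES = [
    Rule("allow", PATIENT_WIFI, INTERNET, None),   # guests browse, nothing else
    Rule("allow", STAFF_WIFI, CLINICAL, 443),      # device web consoles
    Rule("allow", STAFF_WIFI, CLINICAL, 104),      # DICOM transfers
    Rule("allow", BACKUP, CLINICAL, 22),           # backup server pulls data over SSH
    Rule("deny", ANY, ANY, None),                  # explicit, on top of default deny
]


if __name__ == "__main__":
    print("flat network violations:", len(audit(WEAK_RULES)))
    print("hardened violations:", audit(HARDENED_RULES))
```

The rule evaluator is deliberately simple (segment-to-segment, first match, default deny), which is enough to make the audit question explicit: for each pair of segments that must stay separated, which ports actually get through? In a real audit the `decide` step is replaced by probing the network, but the policy list is the same artefact, and keeping it in a reviewable form is what makes a later re-check cheap.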
In the context of a security audit, it is possible to test the protections in place, the effectiveness of incident management as well as user behaviour, by simulating a realistic cyberattack. To assess the level of vulnerability to ransomware (or other malware) attacks, the security audit will include social engineering tests.
Other types of attack can lead to the unavailability of an information system. There are different types of DoS (denial of service) or DDoS (distributed denial of service) attacks, which can target all types of structures.
From a technical point of view, protecting against this type of attack involves securing the configuration of the networks and services exposed on the networks. The security of the data centres (internal or external) is also a key factor, as is the effectiveness of the disaster recovery plan. As part of an information system security audit, it is possible to specifically test denial of service attacks.
Denial of service attacks can also target specific software or online services to make them unavailable. In this case, preventing these risks involves securing the software layer in addition to infrastructure security. Indeed, certain types of vulnerabilities specific to application development make software vulnerable to DoS attacks.
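Two of the application-level weaknesses alluded to above are unbounded resource consumption per request and the absence of any per-client throttling. The following added example (written for this article, not code from the page or from any product it mentions) shows a request-body reader that buffers whatever it is sent beside one that stops at a size limit before reading further, together with a small per-client token-bucket rate limiter with an injectable clock so it can be tested deterministically. The limits and the byte chunks are constructed values.

```python
import time
from collections import defaultdict


class PayloadTooLarge(Exception):
    pass


def read_body_insecure(chunks):
    """Vulnerable: buffers the whole request body whatever its size, so a single
    client sending a very large upload can exhaust the server's memory."""
    return b"".join(chunks)


def read_body(chunks, max_bytes=1_000_000):
    """Hardened: refuse the request as soon as the limit would be exceeded,
    before the remaining chunks are even pulled from the connection."""
    buf = bytearray()
    for chunk in chunks:
        if len(buf) + len(chunk) > max_bytes:
            raise PayloadTooLarge(f"body exceeds {max_bytes} bytes")
        buf.extend(chunk)
    return bytes(buf)


def accept_upload(chunks, max_bytes=1_000_000):
    """How a handler would use read_body: returns (accepted, size)."""
    try:
        body = read_body(chunks, max_bytes)
    except PayloadTooLarge:
        return False, None
    return True, len(body)


class TokenBucket:
    """Per-client token bucket: `rate` requests per second sustained, at most
    `burst` requests at once. `clock` is injectable for deterministic tests."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = rate
        self.burst = burst
        self.clock = clock
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}

    def allow(self, client):
        now = self.clock()
        elapsed = now - self.last_seen.get(client, now)
        self.last_seen[client] = now
        # Refill proportionally to elapsed time, never beyond the burst size.
        self.tokens[client] = min(self.burst, self.tokens[client] + elapsed * self.rate)
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


if __name__ == "__main__":
    chunks = [b"x" * 600_000, b"y" * 600_000]   # constructed 1.2 MB upload
    print("insecure reader buffered", len(read_body_insecure(chunks)), "bytes")
    print("hardened reader:", accept_upload(chunks, max_bytes=1_000_000))
    bucket = TokenBucket(rate=1, burst=3)
    print([bucket.allow("client-a") for _ in range(4)])
```

The size check is made before each chunk is appended, so the cost of a rejected request is bounded by the limit rather than by what the client chooses to send; the same idea applies to decompression, JSON nesting depth and any other input whose size the client controls. The token bucket addresses the other half of the problem, a client that sends many cheap requests, and should be keyed on something the client cannot trivially change.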
Trust is a central notion for new technologies in the health field. As health is both an intimate subject and one with vital repercussions, risks concerning cybersecurity can trigger mistrust, rejection and even paranoia.
In this context, it is therefore essential to prevent any type of cybersecurity breach, in order to gain the trust of patients, doctors and society as a whole.
The trust of the medical profession and public funders is indeed essential for the development of digital tools for the health sector.
For example, the French government has set up the HOP’EN programme, which aims to finance the evolution of hospital information systems. This programme requires that institutions meet certain prerequisites to obtain grants. One of these prerequisites is precisely the security of the information system and requires a security audit to be carried out (source in French).
In the context of a security audit, this means first adopting a global approach to detecting risks, rather than focusing on a particular type of threat. Focusing on certain threats can be done in a second phase, depending on the priority risks identified.
Finally, the opening of information systems to the outside is a source of new threats. This is a particularly sensitive issue for healthcare institutions and professionals because of the nature of the risks.
Remote work became massively widespread in 2020 with the Covid-19 health crisis. This creates risks for all organisations that open remote access to their information system. Securing the entry points to the information system and the different types of access is of particular importance, especially as cyberattacks have increased sharply. At the same time, the use of online services such as teleconsultation and remote monitoring platforms has exploded, which means that healthcare professionals must choose reliable solutions and solution vendors must make additional security efforts. Recent successful cyberattacks – for example the ransomware attack against the German healthcare group Fresenius in May 2020 or the data theft at Doctolib in July 2020 – show that the risks are very real.