Cybersecurity in Healthcare: Keeping Security Systems Healthy
With modern medical devices saving patient lives and novel systems streamlining the way we store and share information, the modern world is becoming increasingly digital. However, digital innovation is a double-edged sword – leaving us open and vulnerable to cybersecurity attacks. Hacks that target healthcare organizations are on the rise – and they are showing no signs of slowing down. From misleading websites and encryption blind spots to phishing attacks and ransomware, protecting healthcare data is challenging. But, when cyberattacks have the potential to cost billions of euros, diminish hospital efficiency, and ultimately, threaten patient safety – how do we protect a hospital’s reputation and keep patients safe?
With the COVID-19 pandemic unfolding across the world, healthcare has faced a particularly taxing year. Digital innovations that support the public health response to COVID-19 have been welcomed and used to great effect, helping with everything from rapid case identification and public communication to interrupting community transmission [1]. And even in a pandemic-free world, digital innovations have – and will continue to – revolutionize healthcare, supporting data integration, patient engagement, and clinical support.
However, increasing in line with the rise of digital technologies is the threat of ransomware and other cybersecurity attacks. What’s more, the COVID-19 pandemic has created the perfect environment for opportunistic hackers, with healthcare organizations witnessing a substantial increase in cyberattacks as a consequence [2]. In fact, during the COVID-19 pandemic, the European Union Agency for Cybersecurity (ENISA) observed a 47% increase in cyberattacks on hospitals and healthcare networks [3].
The challenges and consequences of cyberattacks
Healthcare consistently ranks as one of the most-attacked industries in terms of cybercrime. Unlike in many other industries, however, the impacts of healthcare cyberattacks go far beyond financial losses: they threaten the safety, efficiency, reputation, and economics of hospital organizations by compromising patient privacy, clinical outcomes, and financial resources (Figure 1). In healthcare, interrupted service delivery (e.g. access to patient records) is not just an inconvenience but a major factor that compromises the ability to deliver patient care and leaves patients themselves vulnerable to fraudulent activity. Trying to manage cybersecurity threats while maintaining high healthcare standards is an enormous task faced by hospital organizations. Moreover, as attacks become increasingly sophisticated, the consequences to all involved become more damaging.
For example, in 2019, researchers demonstrated how an attacker could use artificial intelligence (AI) to add or remove evidence of medical conditions from 3D medical scans [4]. Worryingly, the authors of the paper suggest that this type of attack could be harnessed to compromise patient safety, and even be used to commit murder. Although this specific type of attack has yet to be reported, a 2018 warning from the U.S. Food and Drug Administration (FDA) outlined the vulnerabilities in a particular type of implantable cardiac device that permitted functionality to be remotely manipulated [5].
One of the more recent, large-scale cyber threats was the 2017 WannaCry ransomware attack on the UK’s National Health Service. This resulted in the cancellation of nearly 20,000 appointments, the closure of emergency departments and the re-routing of emergency ambulances to more distant hospitals [6]. While it is difficult to assess the full impact of this particular incident, major disruptions to patient care are evident, along with an estimated cost of at least £92 million [6].
Cybersecurity attacks can have enormous financial implications. Hackers may directly demand ransoms, shutting down access to hospitals until ransoms are paid. Equally, digital data protection is critical, and hospitals can lose millions in revenue due to substantial penalties under the EU GDPR security rules. From a patient’s perspective, identity theft or compromised personal and medical information can severely affect their personal lives, including, for example, insurance applications and job prospects. Protecting data is therefore key in maintaining a hospital’s reputation.
From misleading websites and encryption blind spots to phishing attacks and ransomware, the challenges to digital data security are endless, and this is only going to become of greater concern as the world becomes increasingly digital. Already, many modern medical devices – including patient monitoring equipment, infusion pumps, and CT scanners – are connected to the network. With more connected technology, as well as the movement of information to virtual and cloud systems, come novel vulnerabilities.
In our modern, ever more digital world, how do complex hospital organizations keep their data and patients safe?
Quality hospital IT infrastructure
Mitigating cybersecurity threats is contingent on quality IT infrastructure, which encompasses everything from hardware platforms and software applications to connected devices, operating systems, network connections and telecommunication tools. However, it is not enough to simply integrate quality IT security systems. They need to be continuously monitored and updated. In addition, connected devices can act as weak points in the security chain by which malware can spread. Advanced encryption software can help secure communication between connected devices and applications and services.
Medical solution providers such as Olympus not only offer quality hardware and software coupled with the most recent security features, but they provide automated security patches, virus updates, and daily reports through Windows Server Update Services to ensure future-proof protection. In addition, incompatibility between a Windows security patch and Olympus is very uncommon. However, to ensure compatibility, Olympus performs monthly testing of Windows security updates. Also, for the majority of communication between applications and services, Olympus employs a Windows Communication Foundation (WCF) framework that matches security certificates to ensure only authenticated devices are allowed into the system. In addition, all of these communication channels are SHA-2-encrypted.
The increasing danger posed by cyberattacks is partly due to the continued use of outdated software. While automatic updates and compatibility testing can help companies stay on top of security, suppliers that continue to work with hospital organizations post-sale are essential. Olympus provides ongoing testing and architectural reviews to ensure that products and systems remain secure, while continually working to proactively identify risks.
Privacy-conscious data sharing and storage in healthcare
As the amount of electronic information generated from healthcare processes (surgeries, surgical devices, medical devices, wearables etc.) increases and patient information becomes more digital, there is a mounting need for secure data storage. However, to support collaboration and patient care, data must be readily accessible to the right people. Therefore, one of the major challenges to hospital organizations is carefully balancing ease of access with privacy-conscious data sharing and storage.
Sharing healthcare data easily and securely is dependent on choosing the right content management system. Moreover, the right platform can improve efficiency, easily integrate into existing systems and provide additional features - such as strong workflow attributes, an intuitive content editor, and cybersecurity on a healthcare level.
VaultStream from Olympus enables users to store, manage, edit, and share full HD clinical images and videos across departments. Centralizing your storage through a hospital-wide medical content management solution enhances the protection of your stored media – since it becomes easier to manage and keep security up-to-date. Moreover, VaultStream provides hospital-grade IT security supporting GDPR conformance by meeting the highest standards for information security and privacy.
This includes smart system integration technology, which guarantees data integrity throughout communication between the recording device (nCare) and VaultStream. Additionally, in the event of a power loss or network crash, transfer automatically resumes from the point of failure once connectivity is re-established. Clinicians can be confident that all procedure videos will be available anywhere, anytime due to the automatic background video-recording feature embedded in the innovative EasyPost video production features.
Addressing who, when, and how users access data is integral to managing security. Access control ensures users are verified through authentication management and enables only appropriate and authorized access to healthcare data. When a user’s credentials are forwarded to the VaultStream server for authentication, they are transmitted through an encrypted channel to ensure they remain secure. Additionally, access control can be managed through tailored role-based access linked to individual user accounts.
Streamlining hospital workflows
Poor software integration can present a whole host of vulnerabilities for hackers to take advantage of. Therefore, efficiently integrating software should be a priority for hospital organizations when addressing cybersecurity concerns – to ensure that all components work together in harmony to preserve, or potentially enhance, productivity and functionality. However, the complexity of hospital organizations, regulatory requirements, and standardized information formats can make integration of new software difficult. ENDOBASE from Olympus is a software platform that streamlines and supports the entire endoscopy workflow, making the IT infrastructure and security more manageable. Moreover, ENDOBASE was designed to be integrated with existing systems, such as the hospital information system (HIS) or the image archive (PACS or Vendor Neutral Archive). In addition, ENDOBASE is designed to run securely on either a real or a virtual server – simplifying security maintenance and backups.
VaultStream also allows for integration with the HIS, PACS and VNA systems. Managing procedure images and videos linked to patient data in one centralized library helps clinicians make quick and informed decisions while improving storage efficiency by saving only relevant footage in the HIS/PACS.
Usability of healthcare devices and software
While new software may boast impressive security features, it must also be easy to use. Not only does a usable system help healthcare professionals interact with software effectively, but it will also minimize unintentional errors that would otherwise compromise security.
Usability starts with a well-designed interface. Hytrack from Olympus can be used as an easy-to-use interface to ENDOBASE or other non-Olympus documentation systems. At any time, healthcare professionals can safely and securely track the reprocessing status of their endoscopes through an intuitive, touch-enabled, app-based interface. In turn, hospital organizations benefit from reduced administration time and maximized equipment uptime – all while meeting GDPR requirements.
Similarly, VaultStream incorporates an easy-to-use interface as well as a whole host of features that improve and simplify administration. For example, VaultStream EasyView allows clinicians to easily search for procedures, images and videos, capture still images, add labels and compare new and archived recordings side-by-side. It also includes a simple, yet powerful video editing application (EasyCut) that helps clinicians create high quality presentations for teaching, professional meetings, surgical documentation, and collaborations with colleagues.
Digital and connected technologies are on the rise and for good reason. However, moving further into a connected healthcare system must be carefully balanced with up-to-date security, privacy, and compliance with data protection regulations. At Olympus, security is central to product design with security mechanisms integrated into all devices and software. We work with customers post-sale to ensure high quality security is continually met – protecting hospital reputation, protecting finances, and helping to ensure optimal and uninterrupted patient care.
- 1. Digital technologies in the public-health response to COVID-19.
- 2. U.S. Department of Health and Human Services - Office for Civil Rights.
- 3. Serious cyberattacks in Europe have doubled in the past year - CNN.
- 4. CT-GAN: Malicious Tampering of 3D Medical Imagery using Deep Learning.
- 5. Security Bulletins - Conexus Telemetry and Monitoring Accessories | Medtronic.
- 6. Healthcare Challenges in the Era of Cybersecurity.