Cybersecurity in the Healthcare Industry: An overview


The relevance of Cybersecurity for Healthcare

In today’s digital world, cybersecurity and protection of information
are critical to the seamless functioning of healthcare organizations.

Almost all healthcare organizations use information and communication technology (ICT) systems on a daily basis, such as:

In addition, the thousands of medical and non-medical devices that make up the Internet of Things (IoT) must also be protected. These include:

Risks and threats

Which communication channels should be considered, and what are their risks and threats?

1. Email

Email is an important communication tool in healthcare facilities. Information of all types is processed, created, received, sent, and managed in email systems. Email inbox storage capacities keep growing because individuals store all kinds of valuable information there (e.g., their intellectual property, financial data, patient information, etc.).

2. Phishing

Phishing is one of the biggest threats and a significant number of security incidents are caused by phishing. Phishing emails are extremely effective because they usually target the recipient directly and ask them to take an action, which tempts them to disclose confidential information, click on malicious links or open a malicious attachment.

This can result in the computer being infected with malware without the user noticing. The infection can then spread to other computers on the network. Regular employee security awareness training is therefore the key to preventing successful phishing.

3. Physical Security

Unauthorized physical access to a computer or other devices should be avoided at all costs. There are many physical techniques that can be used to compromise a device. Physical tampering with a device can undermine the technical controls that are normally in place to protect information. Physically securing a device is therefore important to protect its functioning, its proper configuration, and its data.

One example is leaving your laptop unattended while traveling or working at an outside location; the laptop could be stolen or lost. Another example is an "evil maid" attack, in which a device is modified so that the cybercriminal can access it at a later time (and regardless of location) without the owner noticing. This is done, for example, by installing a keylogger to record sensitive information such as login credentials.

4. Outdated systems

Outdated systems can be applications, operating systems, or other systems. The main challenge for healthcare cybersecurity is that many organizations have a significant inventory of outdated systems. The disadvantage of so-called legacy systems is that they are usually no longer supported by the manufacturer and therefore security patches and other updates are not available.

The reason for the high number of legacy systems in organizations may be that they are too expensive to upgrade or because an upgrade is no longer available. Operating system vendors may also be phasing out their systems, and healthcare organizations may then not have sufficient budget to upgrade their systems to the currently supported versions.

Medical devices in particular often run older operating systems. Legacy systems are also frequently kept to support legacy applications for which there is no replacement.

Healthcare stakeholders

In order to look at risks exhaustively, it makes sense to consider all stakeholders in the healthcare system.

1. Patients

Patients need to know how to communicate securely with their healthcare providers. When communications occur virtually, whether through a telehealth platform, E-visits, secure messaging or other methods, they need to understand privacy and security policies and how to keep data confidential and secure.

2. Staff members

Employees also need to understand the healthcare facility’s privacy and security policies. Regular security awareness training is essential for healthcare cybersecurity to ensure employees are aware of the threats and know …

Essentially, employees can and must be the eyes and ears of the cybersecurity team. This allows the cybersecurity team to better understand what is working well and what is not, so they can better protect the information technology infrastructure.

3. Management Level

More and more healthcare organizations have a Chief Information Security Officer (CISO) who makes decisions about the cybersecurity program. CISOs typically work on strategy, while cybersecurity team members, who report to the CISO, implement the strategy as directed by the CISO. The CISO is a senior executive who is typically at the same level as other executive-level leaders, e.g., the chief financial officer, chief information officer, etc.

4. Suppliers and vendors

A large hospital experienced a serious cyberattack on the heating, cooling, and air conditioning (HVAC) systems provided by a supplier. Stolen credentials from the HVAC supplier were used to penetrate the hospital’s systems. Essentially, this was a supply chain attack, as the cyber attackers compromised the HVAC supplier to attack the hospital in the next step. Thus, the hospital’s information systems were compromised via the stolen supplier credentials.

Some large healthcare organizations have fairly robust cybersecurity programs. However, many of these organizations also depend on tens of thousands of vendors. To the extent that these vendors have lax or inferior security policies, this poses a problem for the healthcare organization. In other words, stolen vendor credentials or compromised vendor accounts (e.g., through phishing) can lead to the compromise of the healthcare organization itself. A vendor may hold elevated rights in a healthcare organization’s IT environment, so compromised vendor credentials can give an unauthorized third party (a cyberattacker) correspondingly broad access to the healthcare organization’s IT resources.

Understanding the threats

Once the affected parties and systems have been identified and the associated risks have been considered, it is important to address the identified threats.

1. Ransomware and other Malware

Ransomware is a major threat to the confidentiality, integrity, and availability of information. When a computer or device is infected with ransomware, the files and other data are usually encrypted, access is denied, and a ransom is demanded to return the data to the user. Thus, the data is held hostage by the cyber criminals. However, paying the ransom is not a guarantee that the data will be recovered. In some cases, the ransom is paid, but the data is never recovered despite promises.

In addition to ransomware, there are many other types of malware that pose a threat to healthcare organizations. These include credential stealers, where usernames, passwords and other tokens are stolen by cybercriminals, and wipers, where entire hard drives can be wiped and the data is not recoverable.

2. Phishing

Phishing is frequently the source of significant security incidents. It is particularly effective because it targets individual users and can trick them into revealing confidential information, clicking on a malicious link, or opening a malicious attachment.

Phishing emails are the most common form of phishing, although phishing can also occur via websites, social media, text messages, voice calls and so on. The characteristics of phishing emails include

General phishing emails are emails that are not sent to specific recipients and do not contain customized content. Basically, general phishing emails are “one size fits all”.

Spear Phishing E-Mail and Whaling

Alternatively, an online criminal may send a spear phishing email to a specific employee or to a specific department within a company. Unlike general phishing emails, spear phishing emails are tailored to specific recipients. Because spear phishing emails are targeted, they tend to be more effective than general phishing emails. In other words, spear phishing emails have a higher click-through/response rate (CTR) than general phishing emails.

Just like spear phishing, whaling emails are also tailored to the recipient. Whaling occurs when an online criminal targets a “big fish” (i.e., an executive such as the CEO, CFO, CIO, etc.). For example, an online criminal may send an email to a chief financial officer to convince him or her to transfer money to an account controlled by the online criminal. As with other types of phishing, the goal of whaling is to deceive the target but to not arouse suspicion.

There are other forms of phishing, such as SMS phishing (also called SMiShing), in which the online fraudster crafts a deceptive message and sends it to the target person via SMS.
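The phishing characteristics described above (a lure that pushes the recipient to act, a malicious link or attachment, a sender who is not who they claim to be) are what an email gateway's first-pass triage looks for. The following is an added example, not code from the page or from any product it mentions: it builds two constructed messages with Python's standard `email` library and runs a few header, attachment and link heuristics over them. The organisation domain `hospital.example`, the risky extension list, the urgency phrases and the two-finding quarantine threshold are all assumptions chosen for illustration; a real gateway would combine these checks with SPF/DKIM/DMARC results and URL reputation.

```python
"""Heuristic phishing triage for inbound mail (added example).

Sample messages are constructed, not captured mail. The organisation's domain,
risky extensions, urgency phrases and thresholds are assumptions.
"""
import re
from email.message import EmailMessage

INTERNAL_DOMAIN = "hospital.example"          # assumption: the organisation's own domain
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")
LINK_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def first_address(msg, header):
    """Return (display name, lower-cased domain) of the first address in a header."""
    h = msg[header]
    if h is None or not h.addresses:
        return "", ""
    addr = h.addresses[0]
    return addr.display_name, addr.domain.lower()


def body_of(msg, kind):
    """Decoded text of the preferred body part of the given kind ('plain' or 'html')."""
    part = msg.get_body(preferencelist=(kind,))
    return part.get_content() if part is not None else ""


def triage(msg):
    """Collect phishing indicators and map them to a delivery decision."""
    findings = []
    display, from_domain = first_address(msg, "From")
    # 1. Display name claims the organisation, but the address is external
    if INTERNAL_DOMAIN in display.lower() and from_domain != INTERNAL_DOMAIN:
        findings.append("display name impersonates an internal sender")
    # 2. Replies are steered to a different domain than the sender's
    _, reply_domain = first_address(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Attachment types commonly used to deliver malware
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")
    # 4. Pressure to act now, the hallmark of a phishing lure
    text = (str(msg["Subject"] or "") + " " + body_of(msg, "plain")).lower()
    if any(phrase in text for phrase in URGENCY_PHRASES):
        findings.append("urgency language in subject or body")
    # 5. Visible link text shows one host while the href goes to another
    for href, label in LINK_RE.findall(body_of(msg, "html")):
        shown, actual = HOST_RE.search(label), HOST_RE.search(href)
        if shown and actual and shown.group(1).lower() != actual.group(1).lower():
            findings.append(f"link shows {shown.group(1)} but points to {actual.group(1)}")
    verdict = "quarantine" if len(findings) >= 2 else "review" if findings else "deliver"
    return {"verdict": verdict, "findings": findings}


def build_sample(sender, subject, text, html=None, reply_to=None, attachment=None):
    """Construct a test message (constructed data, not captured mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "nurse@hospital.example"
    msg["Subject"] = subject
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        msg.add_attachment(b"constructed payload", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


SAMPLES = {
    "shift_plan": build_sample(
        "Radiology <radiology@hospital.example>",
        "Shift plan for next week",
        "Hi all, the shift plan for next week is in the shared folder."),
    "credential_lure": build_sample(
        '"IT Helpdesk hospital.example" <alerts@mail-helpdesk.example.net>',
        "URGENT: verify your account",
        "Your account will be suspended. Open the attached form and confirm.",
        html='<p>Confirm here: <a href="http://hospital-login.example.net/reset">'
             'https://portal.hospital.example/reset</a></p>',
        reply_to="support@helpdesk-reset.example.net",
        attachment="account_form.js"),
}


def run():
    """Triage every constructed sample; returns {name: result}."""
    return {name: triage(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in run().items():
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"    - {finding}")
```

The benign shift-plan message produces no findings and is delivered; the constructed credential lure trips all five checks and is quarantined. Each finding is kept as a human-readable string so that an analyst reviewing a quarantined message sees why it was held, which is also the data a security awareness programme can feed back to staff.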

Best practices for Healthcare Cybersecurity

The actions that should be implemented in the healthcare sector concern the organization as a whole, since every department and unit must contribute.

1. Risk evaluation

Risk evaluations are the foundation of any healthcare cybersecurity program. Before taking action to address a risk, the risk must first be assessed. The risk is assessed based on factors such as probability of occurrence, impact on the organization, and prioritization of the risk. Risk assessments should be conducted or reviewed on a regular basis, but at least once a year.
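A minimal risk register that applies the factors named above (probability of occurrence, impact, and the resulting priority) and flags entries that have missed the annual review is shown below. This is an added example, not the page's or any vendor's method; the 1 to 5 scales, the priority thresholds and the register entries are assumptions constructed for a fictitious hospital.

```python
"""Risk register scoring, prioritisation and review-cadence check (added example).

The 1-5 likelihood and impact scales, the priority thresholds and the
register entries are assumed or constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SCALE = range(1, 6)                      # assumption: 1 (lowest) .. 5 (highest)
REVIEW_INTERVAL = timedelta(days=365)    # "at least once a year"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int      # probability of occurrence on the assumed 1-5 scale
    impact: int          # impact on the organisation on the assumed 1-5 scale
    last_reviewed: date

    def __post_init__(self):
        # Reject entries outside the scale so a typo cannot silently skew the ranking
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be in 1..5")

    @property
    def score(self):
        return self.likelihood * self.impact   # 1..25


def priority(score):
    """Map a score onto a priority band (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register):
    """Highest score first; ties broken by impact so severe outcomes come first."""
    ordered = sorted(register, key=lambda r: (r.score, r.impact), reverse=True)
    return [(r.name, r.score, priority(r.score)) for r in ordered]


def overdue(register, today):
    """Entries whose last review is older than the annual cadence."""
    return [r.name for r in register if today - r.last_reviewed > REVIEW_INTERVAL]


# Constructed register for a fictitious hospital
REGISTER = [
    Risk("ransomware via phishing email", 4, 5, date(2023, 2, 1)),
    Risk("unpatched legacy imaging workstation", 5, 4, date(2023, 11, 15)),
    Risk("stolen unattended laptop", 3, 3, date(2022, 6, 30)),
    Risk("vendor credentials reused for HVAC remote access", 3, 4, date(2023, 9, 1)),
    Risk("data loss from backup tape misplacement", 2, 2, date(2023, 12, 1)),
]


def report(today=date(2024, 1, 15)):
    """Ranked register plus the entries overdue for review as of `today`."""
    return {"ranked": prioritize(REGISTER), "overdue": overdue(REGISTER, today)}


if __name__ == "__main__":
    result = report()
    for name, score, band in result["ranked"]:
        print(f"{band:8} {score:2}  {name}")
    print("overdue for review:", result["overdue"])
```

Two entries share the top score of 20; the tie-break on impact puts the ransomware scenario first because its consequences are the more severe. The overdue check is what turns "at least once a year" from a policy sentence into something the register can report on.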

2. Security controls

Ideally, every healthcare organization should have both basic and advanced security controls in place. This provides defense in depth, meaning that if one control fails, another takes its place.
For example, a virus may pass through an organization’s firewall but be blocked by an antivirus program. However, not all security incidents can be prevented. This is where detection and response come into play. Healthcare cybersecurity requires a solid incident response plan so that security incidents that do occur can be contained or remediated promptly. Controls of this kind include:

  • Antivirus program
  • Backup and restore of files
  • Data loss prevention
  • Email gateway
  • Encryption of archived files
  • Encryption of data at rest
  • Encryption of data in transit
  • Firewall
  • Incident response plan
  • Intrusion detection and prevention systems
  • Mobile device management
  • Policies and procedures
  • Secure data disposal
  • Security awareness training
  • Vulnerability management / patch management program
  • Web gateway
  • Anti-theft devices
  • Business continuity and disaster recovery plan
  • Digital forensics
  • Multi-factor authentication
  • Network segmentation
  • Penetration testing
  • Threat intelligence sharing (also called information sharing)
  • Vulnerability scanning

Regulatory and legal framework

EU regulations, EU guidelines, national laws

The European Union’s NIS Directive (the Directive on security of network and information systems) is Directive (EU) 2016/1148 “concerning measures for a high common level of security of network and information systems across the Union”.

This directive explicitly mentions “healthcare facilities (including hospitals and private clinics)” in Annex II. The Federal Republic of Germany has transposed it into national law via the BSI Act and made it mandatory with the KRITIS Ordinance.

Furthermore, operators must ensure data protection. IT security is a necessary but not a sufficient prerequisite for this. The General Data Protection Regulation (GDPR) forms the basis.

National laws and regulations in Germany

In addition, there are national regulations such as the BSI Act as well as other requirements of the German Federal Office for Information Security (BSI) that are specifically directed at the healthcare sector.

As part of the National Strategy for Critical Infrastructure Protection (KRITIS Strategy), the IT Security Act was also enacted, which explicitly includes the healthcare sector.

Since January 1, 2022, hospitals have been required to take appropriate organizational and technical precautions, in accordance with the state of the art, to prevent disruptions to the availability, integrity and confidentiality, and to the other security objectives, of those information technology systems, components or processes that are relevant to the functioning of the respective hospital and to the security of the patient information processed. This is specified in the “Social Code (SGB) Fifth Volume (V) – Statutory Health Insurance – (Article 1 of the Act of December 20, 1988, BGBl. I p. 2477)”.

This act specifies that hospitals that are NOT part of the critical infrastructure must also comply with these information security requirements.

NORM X - on the fast track to B3S Information Security Standard

We have developed our software-based NORM X solution for the Healthcare Industry. It is based on the ISO 27001 standard and the industry-specific security standard (B3S) for healthcare in hospitals. We want to provide targeted and optimized support for our customers.