
The new cyberthreat of killware - Netwrix comments

April 2022 by Anthony Moillic, Director, Solutions Engineering EMEA and APAC at NETWRIX

As the French government deploys new digital medical files, from which all French people will automatically benefit unless they expressly object, it is more important than ever to look into the security of medical records and sensitive information held by the healthcare sector. The latter was indeed massively targeted by cyberattacks during the beginning of the pandemic, with a malicious action per week in 2021 according to a report led by IBM Security.

Like many other organisations across all sectors, healthcare facilities have embraced digitisation to provide daily support to staff, for example by streamlining processes and information sharing among healthcare professionals, but also with patients. Consequently, these facilities are populated with a tremendous number of IoT devices, including devices that were traditionally not connected, such as MRI machines. Their life expectancy can sometimes be twenty or even thirty years, and their operating systems become obsolete at some point. Moreover, these machines are poorly secured, if at all, due to a lack of budget and a lack of awareness of the vulnerabilities and related threats.

Indeed, the expertise of the staff is medicine, not IT security, so employees don’t realize the potential consequences of a poorly secured X-ray machine, or of a computer used by several people. Also, the priority of these organisations is always to care for patients over cybersecurity. That is why cybersecurity comes last when the budget is split among departments.

The situation has worsened with the pandemic, since Covid has fueled further digitisation of activities: online booking for vaccine shots, remote medical appointments, and vaccine passes with QR codes, to name a few. As cybercriminals always want a quick and certain ROI, the healthcare sector has become a key target for them because of its poor cyber-hygiene.

From ransomware to killware

According to Statista, the healthcare industry ranked third among the main targets of ransomware attacks in 2021 (after government and education). But cybercriminals have now shifted to a different threat. Indeed, healthcare facilities have eventually improved their defenses against ransomware, and are also getting better at recovering their encrypted data, thanks to better backup policies and better staff awareness of the good behaviours to adopt.

Consequently, cybercriminals have adapted their attacks and moved to a technique called “killware”. It is no longer about taking data hostage through encryption, as ransomware does, but about threatening to take over connected devices that could cause patients’ deaths if they are turned off. Such IoT devices include, for example, respirators, IV infusion devices providing medicine, or even the system directing ambulances to the closest hospitals. Already taxed by Covid pressure, clinical and support staff face additional stress due to these malicious campaigns, and the IT teams are left with no choice but to pay the ransom in order to protect the patients.


Improving the security of healthcare facilities

The French government launched France Relance in August 2020, a 100 billion stimulus package whose goals include financial support to strategic industries in need of investment and modernization because of the pandemic. For the healthcare sector, this key investment could help overcome the vulnerabilities and provide the weapons to face the current cyberthreat landscape. Also, ANSSI is becoming more involved regionally to help spread optimal cybersecurity practices across the whole country.

However, these public initiatives will only be successful if the sector finally accepts that the first step towards protection remains securing access and sensitive data, and makes cybersecurity a priority. By doing so, the IT teams will be able to mitigate breach attempts and adapt more quickly to the evolving threat landscape. Concretely, several good practices and policies must be put in place within healthcare facilities.

First, IoT devices must be isolated via a segmented server, and machines should not be deployed on a desktop environment, so that a compromised device cannot impact the whole network. Second, IT teams have to be able to easily review who (humans and machines) can access what, and why; that is, whether each access right is relevant and needed. Third, the least-privilege model is recommended: a user should only have access to the data they really need to perform their tasks on a daily basis, no more, no less. Also, stored data should be classified based on its sensitivity and protected accordingly.

Since digitisation has boomed in the healthcare sector, its organizations need to adapt their cybersecurity defenses and strategy accordingly. Indeed, they have deployed many IoT devices, which are never 100% secure, and staff knowledge of cyber-hygiene is not always on point. As the attacks now directly threaten the lives of patients, cybersecurity must become as important as the daily care of patients. Although adequate national programs and on-site improvements are underway, it will require a deep change of mindset to improve cybersecurity in healthcare in the long term and to successfully face the malicious campaigns.

