More and more devices in doctor’s offices and hospitals are connected to networks. Diagnoses and therapies are now stored digitally at hospitals, laboratory reports are transmitted over the internet, and hospitals and health insurance companies communicate digitally. As these systems process highly sensitive patient data, they must meet extremely high security requirements. This has not always worked in practice, with incidents occurring on an annual basis (1). The cost of ransomware attacks – which have recently increased sharply in the health sector – is extremely high. In February 2016, blackmailers demanded USD 5.77 million from a hospital in California. Intel Security lists 24 targeted attacks on companies in the health sector, mostly with ransomware, in its latest “McAfee Labs Threats Report” for the first half of 2016 alone. According to Intel, the reasons for the rise of IT attacks on hospitals include outdated IT systems, medical devices with weak or nonexistent protection, third-party services, and the immediate need of hospitals to access information and data.
IT Security Act also applies to the health sector
Beyond the usual security measures for the protection of personal data, extra attention must be paid to securing remote access effectively. If remote access to the LAN or a diagnostic device is not secured via VPN and strong authentication, the doctor’s office or hospital operator runs the risk of breaching the law and losing the confidence of patients. Cyber attackers are increasingly targeting insufficiently protected employee devices, and they are not interested in whether they are attacking an automotive manufacturer or a doctor’s office. Attackers exploit any open network and any unpatched vulnerability; they do not necessarily focus on individual organizations. Although doctor’s offices and hospitals have long been equipped with computer systems, IT security has often been seen as a peripheral subject in administration. But as more and more devices are connected to networks which can be accessed remotely, it is critical that the same high standards of security and protection are implemented in the health sector as in other industry sectors. The new IT Security Act in Germany also applies to the health sector and should come into force in 2017. By then it really will be high time to evaluate existing security measures and upgrade them where necessary.
Implement basic protection. Review remote access critically.
The same principles apply to doctor’s offices and hospitals as to any other company. Confidentiality, integrity and availability must be aligned with the business objectives and implemented through technical and organizational measures. These include adequate protection against malicious software, rights management, encryption of sensitive data, and regular backups. Preventing access to shared drives without a login is also an essential measure, especially when the router could be accessed from outside the LAN. Remote access should also be logged and only be accessible through a VPN. Even if remote access is only used by the manufacturer to access a device, the customer still needs to know that there is such a connection, who is using it and when. This is even more important for IP access via the customer’s router through port redirection or a dynamic DNS entry. Using a VPN does not present any specific technical challenges for the health sector. Medical devices are frequently controlled by standard PC technology. This means that a standard commercially available VPN client can be installed on the device.
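As an added example (not code from the original article), the following Python script checks constructed remote-access log lines against the rules just described: every remote session must arrive over the VPN, and every manufacturer session must be attributable to a user, a device and a time. The log format, user names and device names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (assumed format):
# "<ISO timestamp> <user or '-'> <device> <access method> <source IP>"
SAMPLE_LOG = """\
2016-09-01T08:02:11 vendor-mri-svc MRI-01 vpn 10.8.0.5
2016-09-01T08:45:30 dr.mueller PACS-WS vpn 10.8.0.12
2016-09-01T22:13:02 admin LAB-ANALYZER rdp-portforward 203.0.113.7
2016-09-02T03:10:44 - LAB-ANALYZER ddns-direct 198.51.100.23
2016-09-02T09:00:00 vendor-mri-svc MRI-01 vpn 10.8.0.5
"""

@dataclass
class RemoteSession:
    when: datetime
    user: str
    device: str
    method: str   # "vpn" is the only path the policy allows
    src: str

def parse_log(text):
    """Parse the assumed five-field log format into RemoteSession records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, device, method, src = line.split()
        sessions.append(RemoteSession(datetime.fromisoformat(ts), user, device, method, src))
    return sessions

def find_violations(sessions):
    """Flag sessions that bypass the VPN (e.g. port redirection or a dynamic
    DNS entry on the router) and sessions with no identified user."""
    findings = []
    for s in sessions:
        if s.method != "vpn":
            findings.append(f"{s.when.isoformat()} {s.device}: access via {s.method} "
                            f"from {s.src} bypasses the VPN")
        if s.user == "-":
            findings.append(f"{s.when.isoformat()} {s.device}: session from {s.src} "
                            f"has no identified user")
    return findings

def vendor_access_report(sessions, vendor_prefix="vendor-"):
    """Who used manufacturer remote maintenance, on which device, and when:
    the record the operator needs to keep. Keys are (user, device)."""
    report = {}
    for s in sessions:
        if s.user.startswith(vendor_prefix):
            report.setdefault((s.user, s.device), []).append(s.when)
    return report
```

Running `find_violations(parse_log(SAMPLE_LOG))` on the sample yields three findings: the port-forwarded RDP session, the direct dynamic-DNS session, and the missing user on that same session.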
Act before the law changes
When IT security legislation in Germany is updated and published next year, a rush of activity can be expected in many sectors. To avoid acting at the last minute – and to increase security levels significantly by securing remote access – companies in the health sector should already be taking a critical look at whether their externally accessible networks are adequately protected.