How to improve cyber security and privacy in hospitals
Deloitte survey shows vulnerabilities that need to be fixed
New healthcare technologies offer many innovative solutions. Embracing these solutions means that hospitals should pay closer attention to the cyber security of medical devices. Many opportunities exist to reduce vulnerabilities and improve equipment security.
Jeroen Slobbe - 8 June 2016
New technologies definitely make our lives easier, but they also increase the risk that important data will be hacked. For instance, weaknesses in medical device security attracted media attention in 2015 when hacker conferences exposed vulnerabilities in devices such as EEG scanners. Last month, Deloitte published a new survey of medical device security in hospitals in 9 countries, concluding that improvements are still needed at an operational level. All the more reason for Deloitte to draw as much attention to the report as possible – from the general public, the medical world, and the cyber security industry.
It all started in April last year, when Deloitte carried out a similar survey in the Netherlands. This year, we decided to extend our research to 9 countries, including the Netherlands, and 24 hospitals. We found that awareness of cyber security in the Dutch hospitals had definitely grown since our last interviews. However, there is still room for improvement, both in Dutch hospitals and in those in Switzerland, Israel, Germany, Luxembourg, the Czech Republic, Italy, South Africa and Greece.
First of all, standard (default) passwords are in widespread use. A couple of years ago, hacker Scott Erven published a list of 200 standard passwords that were in use in hospitals all over the world. Our research confirmed this: over half of the hospitals surveyed used standard passwords (i.e. factory settings) to secure their equipment. This makes them vulnerable to hacks. If such a device is connected directly to the hospital network, attackers can easily access all the data on the device and even use it as a stepping stone to intrude into the network.
Malware and privacy legislation
The second outcome that struck us was that 3 of the 24 hospitals were infected by malware during the previous year, which could have disrupted their operational processes. In one case, patients had to be transferred to another hospital. Thirdly, almost half of the hospitals did not know whether their equipment would comply with forthcoming privacy legislation (e.g. the EU General Data Protection Regulation). This might have severe consequences for patient privacy.
No reason for blind panic
So should we be worried? Not if we take a few necessary steps. After all, not using these medical devices is a much bigger risk to patient health than using equipment that contains vulnerabilities – vulnerabilities which can be mitigated. For instance, malware won't spread so easily if hospitals use separate, smaller networks instead of connecting all devices to a single network. Also, the traditional firewall is still useful, and hospitals should monitor all incoming and outgoing network traffic. Monitoring makes it easier to block suspicious traffic and to be more resilient to hacks and other attacks.
Steps to be taken
There are more steps to be taken. Privacy and security should be factored into the design of new healthcare technology innovations from the start. Cyber security hygiene is another important aspect. Every member of the IT department and the medical technology department, as well as the medical staff, should be very careful with USB sticks and other devices, since these can carry malware that might spread throughout the entire hospital network. Another crucial point is to make a designated individual responsible for the security of ICT and medical technology, based on an explicit policy for protecting these devices.
Improving our quality of life
Also, awareness of the risks should always be on the agenda. Awareness training is a very good start, but it needs to be repeated regularly and supported by continuous attention throughout the organization. Hiring professional hackers to track down vulnerabilities, and carrying out a regular risk analysis, are important as well. Several suppliers of medical devices provide MDS2 forms (Medical Device Security Manufacturer Disclosure Statement) that summarize the cyber security risks of the device. Using these forms is a quick win. Taking all these steps will definitely improve medical device security in hospitals – which in turn will improve personal health and our quality of life.
For more information, please contact us below or read the report.