Hospitals are becoming smarter than ever. But so are cybercriminals

As hospitals become more connected, their attack surface is rapidly increasing, leaving them exposed to cyberattacks. Cybercriminals and nation-state actors are quickly taking advantage of this increased exposure. For this reason, strong cyber defenses are key for modern hospitals to achieve cyber resilience.

According to the Cost of a Data Breach Report 2020 published by IBM Security and the Ponemon Institute, for the tenth year in a row, healthcare continued to incur the highest average breach costs at $7.13 million (10.5% more than in 2019). The healthcare industry ranked first in average cost among the 17 industries surveyed. The average time to identify and contain a breach in this industry was 329 days.

This data is disconcerting and gives us a clear picture of the level of exposure to cyber threats when it comes to organizations in the healthcare industry, including smart hospitals.

Level of exposure to cyber threats by industry
Image: Ponemon Institute

The cyber resilience of a smart hospital's infrastructure should be a top priority due to the high level of penetration of technology in the healthcare industry.

The term “Cyber resilience” refers to the capability of a hospital to ensure the availability and continuity of its services that heavily depend on ICT assets. Cyber resilience is more challenging to achieve for smart hospitals because of the proliferation of smart devices that could potentially be targeted by a large number of cyber threats.

Smart Hospital Objectives
Image: ENISA

The massive adoption of IoT devices in hospitals is the root cause of a technological revolution that has completely changed the workflows in modern infrastructure. Smart devices are becoming autonomous and interconnected, and they are used for multiple purposes such as collecting information on patients’ vital signs or monitoring processes inside the hospitals.

Smart hospitals are complex ecosystems where legacy systems and next-gen smart devices coexist.

That’s why the most important thing to do when it comes to cybersecurity for these environments is to identify all the assets and determine which of them are critical. 

Critical assets are those systems for which any malfunction would have a significant impact on the operation of the overall infrastructure and patient care.

Interconnected clinical information systems and networked medical devices play a crucial role in smart hospitals. They are used to collect information from medical devices and other systems used in the hospitals, and to aggregate and analyze it.

Another critical component in smart hospitals is the networking infrastructure that allows information systems and medical devices to exchange data; the operation of smart hospitals depends on its correct implementation.

Remote care services are another essential component of modern hospitals. They are an extension of the hospital infrastructure that is more exposed to cyber threats and has to be properly protected.

What is the threat landscape in smart hospital security? 

Systems and processes inside smart hospitals could be targeted by multiple cyber threats that could have varying impacts on their operations.

Malware attacks are probably the most insidious cyber threats that can paralyze critical treatment operations or result in data breaches.

In the past year, multiple ransomware gangs hit healthcare organizations, including hospitals, causing serious problems, in some cases blocking internal operations, and resulting in the very first death due to ransomware.

Malware can rapidly spread within the network of a smart hospital infecting servers, computers, mobile devices and IoT devices. 

Medical devices such as blood gas analyzers or X-ray scanners could also be hijacked by attackers, especially if they’re unpatched and outdated. The attackers can compromise these systems to establish backdoors into the hospital network.

Social engineering attacks like phishing and baiting represent other dangerous threats for smart hospitals. Attackers exploit people to breach the defenses of the target organisation, and once they gain access to the organization, criminals can conduct multiple malicious activities, from data theft to sabotage.

Smart hospitals are also exposed to both distributed denial-of-service (DDoS) and denial-of-service (DoS) attacks that can render their assets and services unavailable, with a severe impact on operations.

What can cybercriminals do when they gain access to smart healthcare devices?

Threat actors could compromise smart healthcare devices for multiple reasons, mainly to access the information they manage or to make them unavailable. In the first scenario, patient data could be sold on the black market, where there is a growing demand for this kind of information.

Healthcare data could be used in multiple malicious activities, including scams and blackmailing.

In the second attack scenario, hackers could compromise medical systems with ransomware, threatening to release stolen data if the organizations do not pay the ransom.

In other cases, attackers could bombard the online services of the hospitals with DDoS attacks, making them unavailable until the victims pay.

How to protect smart hospitals?

Experts from government agencies and organizations in the healthcare industry have provided best practices to protect the infrastructure of smart hospitals. These practices have to be adopted by any actor in the hospital supply chain. This means that every service provider must implement security measures to prevent cyberattacks. 

Administrators of these structures must identify the cyber risks, evaluate their impact and likelihood of occurrence, and implement the necessary countermeasures to mitigate them.

Security staff have to introduce controls and safeguards to mitigate exposure to cyber threats, both in terms of organisational and technical measures.

According to the report titled “Smart Hospitals Security and Resilience for Smart Health Service and Infrastructures” published by ENISA, organisational measures include policies, procedures, administrative tools (i.e. asset classification, risk analysis), methods, and measures to create and maintain awareness of cyber threats within healthcare organizations. The behaviours expected of employees are formalized in policies and procedures that have to be shared with the personnel.

Unlike organisational measures, technical measures rely on ICT and software, such as network and security technologies, including firewalls and intrusion detection systems.