Four steps to robust clinical cybersecurity
Australia’s healthcare system has been plagued by cyber attacks in the last few years.
In April 2021, a cyber attack on Uniting Care Queensland left four hospitals and several aged-care homes without any access to patient records. Just one month prior, a cyber attack on Eastern Health forced four hospitals in Melbourne to take their IT systems offline and postpone elective surgeries.
Hospitals in particular are attractive targets for attackers due to the critical nature of their operations and the opportunity to cause massive disruption. A major contributing factor to the success of these attacks is poor cyber hygiene.
The lack of a strong security culture and need for increased security training in Australia’s healthcare system is well-documented. For example, in 2019 Victoria’s Auditor-General sought to prove a point by successfully hacking and accessing sensitive patient data in some of the state’s biggest hospitals using basic hacking tools. The audit revealed that several hospitals made basic cybersecurity errors, such as using default account names and passwords set by manufacturers that can be easily located online.
Just as hospitals maintain robust physical hygiene practices like frequent handwashing to prevent the spread of disease, cybersecurity should be treated no differently. To prevent cyber attacks, healthcare providers must pay careful attention to their cyber hygiene or find themselves facing unexpected, costly and potentially life-threatening consequences.
Clinical cyber hygiene
Clinical cyber hygiene refers to an organisation’s ability to discover, assess and manage cybersecurity risks on an ongoing basis. Essentially, it details the methods and mechanisms organisations use to maintain the privacy and integrity of their clinical networks and prevent the spread of cyber attacks.
It also shows how well an organisation recognises recognises and manages cybersecurity risks. Having a robust approach to cyber hygiene not only improves the efficiency of clinical operations, it also ultimately improves patient safety and privacy. It ensures that the personal information of patients is protected from compromise and maintains an organisation’s ability to deliver critical care in the event of an attack. With the healthcare sector reporting the highest number of ransomware attacks in Australia by a significant margin, it’s time for all healthcare organisations to improve their approach to clinical cyber hygiene.
Here are four best practices we’ve seen healthcare providers leverage to their advantage.
1. Profile all devices on the clinical network
Do you maintain current, detailed information about every single device on your network? If not, how can you protect them? Healthcare organisations need to be able to identify 100% of the devices hosted on their networks, and beyond that they must have a digital fingerprint of each one including the manufacturer, model, OS, hardware, app versions, location, network status, security posture and utilisation patterns. As new devices are introduced to the network, it is essential to maintain a detailed and accurate database of all connected assets. This will drastically improve the efficiency of both security audits and patching should any vulnerabilities be discovered.
2. Give each device a multi-factor risk score
Risk scoring is a continually evolving process that helps organisations identify their most vulnerable assets or devices on the network. Risk scores shouldn’t just be calculated based on the risk of compromise, they must also factor in potential impacts on patient safety and clinical operations. For example, if two devices have roughly the same risk of being compromised, but one of these could result in the exfiltration of sensitive patient data, that would be assigned a far higher risk score. Organisations with robust cyber hygiene continuously re-evaluate risk scores and adjust them as necessary.
3. Take a methodical and cross-functional approach to risk management
It is essential to have a clear methodology in your risk management program, as just one weak link can undo all your hard work. For example, a risk management program that covers all internal healthcare facilities and devices, but doesn’t factor in clinical partners, leaves a significant gap. Furthermore, having a clear methodology is imperative for performance tracking — it’s impossible to measure improvements or identify problems if there is no established benchmark. Given the highly mobile nature of medical devices, and the continuing fragmentation of care delivery, risk management must encompass all operations.
4. Use device monitoring insights to inform procurement
Ongoing device monitoring (location, use, etc) enables healthcare providers to identify vulnerabilities in different devices and establish patterns. Those responsible for procuring medical devices can draw upon this information during the decision-making process to ensure they purchase the most appropriate and secure devices, which will reduce the overall risk of compromise.
As the saying goes, you get nothing for nothing. While it takes time and dedication to improve cyber hygiene, the effort is very much worth it. As the healthcare sector continues to be a prime target for threat actors, the actions (or inaction) of healthcare providers will have greater implications for patient safety than ever before.