Hervé Debar, Télécom SudParis – Institut Mines-Télécom
WannaCry was the first case of a cyberattack that had a major effect on hospitals. The increasing digitization of hospitals (like all areas of society) offers significant opportunities for reducing the cost of health care while making the care provided more effective. However, with digitization comes cybersecurity challenges and these threats must be taken into account in implementing e-health solutions.The hospital: a highly digitized environment
The medical world — and especially hospitals — is a highly digitized environment. This reality first began with management tasks (human resources, room management, planning, etc.) and over the past few years it has grown to include medical equipment (radiology, imaging). Two significant developments have occurred:
- An increasing number of objects are used in hospitals to collect data or administer medication. This is what is referred to as the Internet of Medical Things (IoMT). The nature of these often-inexpensive objects represents a break with the professional management of conventional medical platforms.
- More and more of these objects are used outside the hospital, by individuals who are not properly trained to use them. Some of these uncontrolled devices, such as our smartphones, can enter the hospital and interact with medical processes.
From a technical perspective, we are undeniably becoming increasingly dependent on a high-quality digital infrastructure to provide us with quality medical care. This directly affects not just the care provided but also all the related processes (planning, insurance, reimbursement of fees, logistics, etc.). It is particularly difficult to ensure security in these areas, since the conventional development and management technology in information systems is also vulnerable to these attacks. Furthermore, technological advances are based on the increased ability to share, analyze and disseminate information. The number of vulnerabilities is therefore likely to remain high.
From an economic perspective, the rise in healthcare costs is unavoidable. Increased operational efficiency, made possible by computerization, is one of the measures used to prevent costs from rising too high. It is therefore imperative to keep the impacts of cyberattacks in hospital environments to a minimum.
From a legal perspective, the implementation of European personal data protection regulations (GDPR) and the cybersecurity for operators of critical infrastructures (NIS) are imposing new obligations for everyone.
Hospitals are the perfect example of the use of extremely sensitive data demanding confidentiality, integrity (accuracy) and availability (access) to provide care and ensure medical records are properly managed. A medical record is a summary of sensitive, correlated information with separate subsets with varying levels of interest.
A poorly protected environment
Over the past few years there have been cyberattacks that have affected hospital operations. We should note that in many cases, hospitals are just one of the targets of these attacks, since many other organizations are also impacted.
Wannacry is a computer worm that exploits a breakdown in Windows protocol that allows printers and files to be shared. This protocol is used by medical imaging equipment to transfer an image file from a scanner to computers and is used by doctors who meet with patients to make a diagnosis. When imaging equipment is infected by Wannacry through this network protocol, it becomes inoperable, preventing operations and hence endangering patients’ lives.
More generally, much of the medical equipment relies on aging operating systems and old protocol. It is therefore crucial that manufacturers of this equipment become aware of this issue.
The effectiveness of a medical procedure increasingly relies on the ability to connect various tools used by medical staff for the purpose of transferring data (images, prescriptions, etc.) and interacting. Therefore, it is not possible to consider isolating these pieces of equipment. More rigorous access controls must therefore be implemented (which is generally a challenge for organizations, as demonstrated in the study by Deloitte called “Future of Cyber”).
An attack on pacemakers
In addition to the Wannacry incident, it is also necessary to reflect on the communications between medical objects and information systems. Several examples have recently demonstrated the vulnerability of medical objects.
Implants, such as insulin pumps and pacemakers, are vulnerable to computer attacks. Communications between these objects are neither encrypted nor authenticated, meaning that they could be listened to for the purpose of extracting sensitive data. This also means they can receive commands allowing them to be controlled, creating all types of imaginable consequences through changes in their operations.
Other routine medical equipment, like infusion pumps, are also vulnerable to attacks.
New attacks in sight
So far, the attacks that have been revealed have had two main consequences. The first is a denial of service, or the inability to use medical equipment when it is needed and all the potential consequences this entails. Since it is difficult to prevent denial of service attacks, measures must be taken to limit their effects.
The second result is the leak of potentially sensitive information. This leak of information involves the risk of data being added to other databases, for example as data sources for the validation of creditworthiness, used by banks in their decisions to grant or refuse bank loans. This would represent a major setback in protecting our personal data.
We do not have any clear examples of data being falsified, which could be the next step taken by attackers. Data falsification could lead to erroneous prescriptions and therefore to drug diversion. This diversion would allow the author of the crime to receive an immediate profit, which fits with current trends.
What are the solutions?
The first solutions that come to mind are technological ones. Such new solutions do indeed exist which could improve computer security in medical environments.
- blockchain. This technology can significantly improve data protection by separating the data according to purpose (medical, clerical, insurance, etc.) and by protecting each piece of data individually. It can also log access to manage emergency situations. Current technology is too energy-intensive and must be changed to become more acceptable.
- Virtualization and cloudification. Outsourcing computer services professionalizes the management of an organization’s digital activities. The scarcity of human resources trained in cybersecurity makes it necessary to rely on external means. The development of cloud services, particularly the concept of a sovereign cloud, must be done in a way that complies with current regulations, particularly the famous GDPR.
- By Design. Manufacturers of medical objects, software and platforms must take cybersecurity into account during the design phase for their equipment as well as integrating it into the life cycle. This is a major revolution that cannot be carried out in a day. It is therefore necessary to continue protecting older equipment whose initial cost justifies its continued use for decades to come. This is also a revolution for the IT world, which now counts the life span of its software and services in terms of months. While awareness in the area is growing in the industrial world, it must also increase in the medical world.
All these new forms of technology, and others not mentioned here, will never be effective unless the human factor is first taken into account in the hospital, among caregivers, but also patients and visitors. This remains the key to a successful digital transformation of the hospital.
Medical objects must be adapted to their users, generally patients. Besides gadgets like connected watches, better solutions must be found for all objects to make them simpler and easier to use. Confidence in these objects is fundamental and cybersecurity incidents that could restrict their use must be avoided at all costs.
Finally, the role of medical professionals is absolutely fundamental. They must accept the presence of computer technology and recognize that it can make their work easier on a daily basis rather than representing a hindrance. Medical staff must take an interest in cybersecurity issues, receive training in this area and urge suppliers to develop tools adapted to their needs.
Hervé Debar, Head of the Telecoms Networks and Services Department at Télécom SudParis – Institut Mines-Télécom, Université Paris-Saclay
The original version of this article (in French) has been published on The Conversation.
See all articles by Hervé Debar on I’MTech