How to ensure cybersecurity within healthcare

Jalal Bouhdada, founder and CEO for Applied Risk, provides eight steps for strong cybersecurity.

To tackle cyber risks in healthcare, the European Union will introduce a tightened system of rules for medical equipment in 2020. The Medical Device Regulation will assure purchasers for healthcare institutions that any new equipment meets strict cybersecurity requirements, and reduces the chance of hackers breaking into pacemakers, MRIs or other medical devices connected to networks.

Healthcare institutions cannot afford to rely solely on this regulation, however. There’s much more required to ensure that healthcare institutions have adequate cybersecurity. I know the necessary measures can be complex, but this list of recommendations and steps can provide guidance in strengthening much-needed defences against healthcare cyber risk.

1. Recognise that cyber risk is a real risk

I still see that institutions sometimes don’t take hacking risks too seriously. One reason for this might be that the decision-makers at healthcare institutions are often medically trained senior managers who know little about cybersecurity. But you need the buy-in of top management to achieve adequate cybersecurity.

2. Map out which cyber-sensitive ‘assets’ you have

Many institutions have insufficient insight into the networks, buildings and equipment they have and which of those are vulnerable to digital intruders. This is understandable, because the infrastructure of such institutions is generally created step by step. Also, each institution has its own history. To make the inventory you need, I recommend making a distinction between:

1. Buildings and their core systems, such as power supply, heating and waste processing
2. Medical equipment, from MRIs to cardio apparatus
3. Supporting data systems, such as patient records, which are often stored in the cloud and are subject to privacy regulations

3. Perform an audit of the systems connected to networks

Many purchased medical systems are ‘plug and play’: They work almost immediately and often get hooked up to a network without much thought for the possible risks. But how is access to each of those systems arranged? Who determines who gets which access rights? Before a system is connected, it’s important to determine how the connection will be secure. This also means you must define the requirements that your equipment and networks must meet, tailored to the needs of the institution.

4. Choose to be ‘secure by design’

This means incorporating the cybersecurity of equipment and systems as a criterion into every step of decision-making, from the start of the purchasing process to the end of their life-cycle.

5. Ensure segmentation of your infrastructure

The more your networks are segmented, the harder it is to digitally take over your whole institution. If a hacker invades one network segment, he cannot simply push through to another. Segmentation therefore considerably reduces cyber risks.

6. Build a structure for monitoring your networks and responding to incidents

To do this, put together a team of people who have the required mix of knowledge and skills.

7. Perform regular test hacks, together with external partners, to identify the vulnerabilities of your systems

At the same time, make sure you have a good reporting mechanism in place so that management is up to date on any vulnerabilities and incidents and can respond to them.

8. Build a corporate culture that focuses on cybersecurity at all levels

Awareness programs about cyber risk, including privacy protection, deserve a place in the human resources and training programmes of healthcare institutions. By completing these steps you will, in my opinion, achieve a decent basic level of safety.