Cybersecurity: an EU health challenge in the post-Covid era
In September 2020, during the pandemic, the German press reported the first death due to a cyber attack on the Hospital of Düsseldorf University, which caused great disturbance such as postponement of surgeries, and scheduled medical examinations or chemotherapies. Cybercriminals by using malicious software, so called ransomware, invaded 30 servers of the hospital, crushed the system and forced the staff to turn away patients treated in emergency. A female patient was sent to Wuppertal 35 km away and eventually died due to treatment delay. Nearly a year earlier, Campbell County Health, a medical group in Wyoming USA, with 20 clinics across the state, had also been target for cybercriminals.
According to FBI statistics (https://thehill.com/policy/cybersecurity/493198-fbi-sees-spike-in-cyber-crime-reports-during-coronavirus-pandemic) since March 2020 in the USA there has been a 400% “alarming rate of cyber attacks aimed at major corporations, governments, and critical infrastructures.” The World Health Organization (WHO) and the Department of Health and Human Services (HHS) were the most common targets for the attackers interested in “gaining knowledge” about the research conducted on Covid-19.
Europol’s latest security report on Internet Organized Crime Threat Assessment (IOCTA 2020) points out that the degree of sophistication of cybercrime has recently changed significantly, mainly due to the pandemic caused by COVID-19 (https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020). According to the report ransomware remains at the center of concern, while advanced forms of malware have been widely used. The report explains, that due to the rise of social engineering to access reliable information and data during the COVID-19 pandemic, phishing attempts are exploiting the social vulnerability that is constantly rising. The increase of phishing attempts equally highlights the compromise of business emails causing further concern. Cloud migration and digital file conversion for the facilitation of sharing has been central to this malicious activity.
The acceleration of progress marks the rise in cyber attacks
The acceleration of progress in health care shaped by the beginning of the 4th Industrial Revolution, not only fundamentally changed the way we live, work, and connect to each other, but also marked the rise in cyber attacks especially on healthcare organizations. For example, the impact of phishing attacks aiming to collect user credentials as well as ransomware attacks seeking to encrypt the data of hospitals can be huge in critical infrastructures like healthcare, both from a societal (e.g. stolen health records, interruptions of emergency services) and financial (e.g. ransomware payments, production losses due to outages) perspective.
“Due to the fast introduction of technology advancements, vulnerabilities are constantly being identified and new threats are emerging. Cyber-attacks on health facilities are designed to prevent their employees from accessing critical care systems. As a side effect of the recent increased trend in telework and telemedicine due to the pandemic, breaches on operating systems in the cloud are expected to rise” says Mr. Dimitrios G. Katehakis, Head of the Center for eHealth Applications and Services at the Institute of Computer Science, Foundation for Research and Technology-Hellas (FORTH) in Heraklion, Crete (https://www.ics.forth.gr/), adding that in Greece there have been occasional and limited cyber attacks on health care providers, such as the last one in the hospital of Chania, Crete in 2017.
Many of cybersecurity challenges in health industry are linked to vulnerabilities existing before the pandemic. According to Mr. Katehakis the health sector is a vulnerable target for cyber attackers because medical devices are usually manufactured without or with weak protection, professionals are not adequately trained in the risks, the sector is highly fragmented, there are many and frequent exchanges of multifaceted data, a large number of technologically outdated IT systems still operate, different technological solutions coexist, while at the same time there is no uniform data protection culture.
“Panacea” a people-centric cybersecurity in healthcare
Numerous cybersecurity studies support the fact that the “Achilles heel” of IT is the users. Healthcare professionals focus on the medical practice and the patients, not giving the needed attention to issues relevant to health IT safety and privacy. “It is common between users to share the same password for accessing medical information systems. Although various information and awareness campaigns have been carried out, it is difficult to change the established culture. It needs time and the right approach. Time may be hard to find, but the right approach is possible!”, comments Dr. Vangelis Sakkalis, Research Director at the Institute of Computer Science, Foundation for Research and Technology-Hellas (FORTH) in Heraklion, Crete, Greece.
Cybersecurity in healthcare is a complex issue. While there are constant attempts to upgrade old IT legacy systems and to renew connected medical devices and to procure the best new IT technologies, a similar approach in defining risks of the IT systems is not common. “Cybersecurity starts for the definition of the current risks present in a healthcare system, structural risks and most of all human risks. Humans working in the healthcare sector are not IT oriented and mostly consider the great advantages furnished by digital systems as a waste of time and a drawback on their efficiency in treating patients. This leads to a risk-oriented behavior with very little wisdom in security measures. Security must start and rely on the correct behavior of healthcare workers. And this behavior must be proactive and not reactive and neglected. On the other hand cybersecurity must not be agony and an obstacle towards the performance of healthcare procedures”, adds Prof. Sabina Magalini, at the Rome Catholic University School of Medicine (UCSC) and Senior Surgeon of the Emergency and Trauma Surgery Unit at the Fondazione Policlinico Universitario Gemelli (FPG), who is the coordinator of the big European project dedicated to cybersecurity in hospitals, named Panacea (https://www.panacearesearch.eu). The project is part of the European Framework Program for Research and Innovation “Horizon 2020” which started in 2019, has been financed with five million euros, involves 15 bodies between Universities, Institutions and European companies from 7 EU members and will end in 2021.
According to Dr. Sakkalis tackling cyber threats (internal and external) requires not just advanced cyber security solutions but also driving a human-centric approach, training and educating medical staff and patients on best-practice behavior, both of which are critical to building resilience in critical infrastructures. “PANACEA acts on different levels, from healthcare tailored risk assessment, easy and manageable tools for information sharing and identification of secure by design medical devices, to secure and simple measures for healthcare worker identity management. Solutions to cybersecurity in healthcare are many, PANACEA offers a portfolio of possible integrated alternatives”, concludes Prof. Magalini.
Cybersecurity in EU
In order to help IT professionals in healthcare security to establish and maintain cloud security while selecting and deploying appropriate technical and organizational measures the European Union Agency for Cybersecurity (ENISA) released Guidelines for Cloud Security for Healthcare Services on January 18 2021 (https://www.enisa.europa.eu/publications/cloud-security-for-healthcare-services). In April 21 2021 the EU launched a new body, to be based in Bucharest, Romania, which will in particular channel cybersecurity-related funding from Horizon Europe and the Digital Europe Programme. This ‘European Cybersecurity Industrial, Technology and Research Competence Centre’ will work together with a network of national coordination centers designated by member states linking the main European stakeholders, including industry, academic and research organizations and other relevant civil society associations, to form a cybersecurity competence community, in order to enhance and spread cybersecurity expertise across the EU.