Sham (Relyens group), Risk Manager specialist in the healthcare and social-healthcare sector, has presented the 'White Paper on Healthcare Cyber Vulnerabilities', in which it analyzes the current state of cyber-risk for healthcare institutions in Spain and France. The main highlight of this study is the fact that cybersecurity is already a determining aspect for the continuity of care and, therefore, for patient safety.
How are cyberattacks received by the healthcare sector?
In 2020 there has been a significant increase in cyber-attacks directed against the healthcare sector, with serious consequences such as: the total or partial cessation of its activity, economic losses, bad reputation, in addition to a serious danger for patients. More than 500 institutions notified incidents or vulnerability reports, which increased by 48% over the previous year, according to the Spanish National Institute of Cybersecurity (INCIBE), the result of the forced telematization of healthcare, derived from the advance of COVID-19 in our country.
The study shows that the areas susceptible to attacks in healthcare and social healthcare centers are constantly expanding due to the number of communication interfaces and connected medical devices in use, including devices for treatment and diagnosis, such as those known as IoT-Internet of Things and IoMT-Internet of Medical Things, which are also connected to the network and provide functionalities for the management and operation of healthcare centers. This increased attack surface is compounded by poor network segmentation, weak access controls and dependence on obsolete systems, according to the experts' analysis.
In this way, cybercriminals take advantage of all these weaknesses in the systems to hack or steal personal or protected medical information, of great value in the market, which could alter, interrupt or paralyze medical activity. This has serious consequences for patient safety, or even the economy of the institution, with significant financial and reputational losses.
In Spain, Sham refers to cases such as a cyber-attack in the Community of Madrid, which blocked the IT support of a hospital and returned the staff to the offline management of any procedure.
The study also explains that medical devices are the element most vulnerable to a cyberattack, despite their importance in safeguarding lives and carrying out other healthcare treatments. The basic reason is the lack of cybersecurity implemented in these devices since their design and the difficulty in updating them. Being equipment with a long period of use, in many occasions, their design did not contemplate the current paradigm of connectivity in the healthcare sector. In addition, upgrades cannot always be performed with the necessary frequency, as tests and certifications by the manufacturer are required. It is worth noting that in 2019 alone, 2.4% of the injury claims covered by Sham were already linked to these devices.
What is cyber risk for a healthcare institution and how to manage it?
Cyber risk does not only include incidents arising from cyber-attacks. This is exposed by data such as those published by INCIBE, showing that non-malicious cyber risks account for 57% of the incidents reported in 2019. These are computer failures in prescription and dispensing programs that result in errors in medical prescriptions and medication dispensing, loss of internet access, or communication cut-off. These are just some of the situations that can lead to isolation from other healthcare centers or from their healthcare environment, as well as making it impossible to access services and data required on a daily basis by healthcare professionals, such as computerized medical records, laboratory results, or those related to radiological platforms, among others.
On the other hand, in terms of cybercrime, there has been an increase in healthcare incidents in Spain and France, which mainly consist of four types: malware, ramsomware, denial-of-service attacks and malicious eavesdropping.
As experts point out, during the first confinement, many apparently innocuous information messages about COVID-19 turned out to be in fact computer viruses with fake e-mails from the health authorities, or even false alerts about the evolution of the pandemic. An aspect that even the French Digital Health Agency (ANS) has analyzed, publishing a study conducted by US researchers, which showed that 86,000 of the more than 1.2 million domain names linked to the keyword COVID-19, would be malicious.
How to be effective in the face of a cyber attack
- Preparedness: The necessary processes and means must be established to react in the event of a cyber attack. Improvisation is no friend of efficiency.
- Protection: A risk analysis must enable the organization to define and establish the necessary measures to protect itself against a cyber-attack. Security processes and tools must be implemented and kept operational in a system of continuous improvement.
- Detection: The organization must have an early detection system for attacks and a team prepared for response. The integration of solutions and an expert team is fundamental in this phase.
- The response: Once the attack has been detected, it is time to implement the plans defined for incident control. Collaboration with expert entities and training of the teams in the response plans will be key to an effective response.
- Recovery: Once the attack is under control, it is time to restore data and systems back to normal operating levels as soon as possible.
- Lessons learned: Once the incident has been resolved, it is essential to analyze what happened in order to see points of improvement needed to avoid an incident or improve the response in the future.
Modelo «phygital»
No obstante, agentes y corredores insisten que necesitan más para ampliar información sobre asegurados y clientes potenciales para poder hacer ventas más eficaces. En el estudio señalan que las APIs (interfaz de programación de aplicaciones) y los análisis basados en la IA pueden ayudar a los agentes y corredores a comprender las preferencias de los clientes, responder a sus preguntas y ofrecer productos adecuados en función de los acontecimientos especiales de los asegurados. En este sentido, los autores del estudio apuntan que el futuro está en un modelo «phygital» basado en una mezcla de presencia física e interacción digital.
Media: Insurance letter 05/21/21