Security and healthcare: patchwork?
Hacks cause economic damage, stress and sometimes even psychological harm. But there is one sector where ICT failures and outages can cause physical injury: healthcare. There, dependence on ICT is high, and the impact of cyber attacks can be correspondingly severe.
The healthcare IT landscape is complex and still largely on-premises, says Paul Smit, CTO and co-founder of security company ForeNova Technologies. He worked as a nurse for about seven years late last century and then moved into tech, specifically security. “During the corona period I was briefly active in healthcare again, because of a call to all former healthcare workers to reinforce the overflow intensive care units,” he says.
No time for ‘something more’
It is not only the ICUs during the corona period, and healthcare itself, that are heavily burdened; ICT and security in healthcare are under pressure too. Smit argues that the workload is simply too much for staff and that there is no time for anything extra, which can include ICT security. For some organizations, IT – and thus security – is something ‘that comes with the job’. Wim Hafkamp, director of Z-CERT, the ICT security organization for the Dutch healthcare sector, says the same.
ICT security is seen as something extra, a chore, so it does not always get the attention or resources it needs. Smit speaks of “small teams with big challenges”, or of general IT teams that take on security ‘on the side’. In healthcare practice, Smit does not yet see the recognition that this approach is outdated.
Clear target
Hafkamp says much of it comes down to basic security, which is not always in order. Being compliant is not the same as being secure, he stresses. “I sometimes have to explain that.” There is also the notion that healthcare facilities are not a target for cybercriminals. Hard practice, however, increasingly disproves it.
Ransomware hits hospitals too, despite the healthcare exemptions that some cybercrime gangs have in their policies. DDoS attacks on hospitals also occur, with perpetrators motivated by, for example, Russia’s war in Ukraine. And healthcare organizations are increasingly in the sights of cybercriminals for other reasons as well.
Hafkamp says awareness of being a target is now changing rapidly. Whether that also leads to action is another question. The growing digital threat to healthcare (from ransomware, among other things) is very diverse, the Z-CERT director says, because healthcare itself is quite diverse. Even so, he assures, awareness and intrinsic motivation in healthcare have grown. ICT security is no longer merely an obligation, but something organizations want for themselves.
Very big, very broad
At the same time, Hafkamp points out, there are still places and organizations where security is lacking. “Healthcare is very large, very broad,” he says, “with a major distinction between ‘cure’ and ‘care’. And within that there are further distinctions between primary and secondary care.” The differences between general practitioners, dentists, home care, elderly care and hospitals, for example, also translate into differences in security, both in awareness and in approach.
In ‘care’ there is still much to be done, says Hafkamp, in contrast to ‘cure’, where many larger organizations are well aware of cybersecurity and, for example, do monitoring. “In medium-sized organizations it is less so.” There is, however, awareness of privacy there, Hafkamp adds.
Keeping up (and paying for it)
Smit sees great benefit in managed IT security for healthcare. Organizations can still take the first steps themselves, he says, such as setting up endpoints, but monitoring and following up on security alerts is where they fall short. If an organization cannot keep up with that, it does not really have good security.
Using external IT suppliers can help with IT security, but it also creates dependencies and potentially new vulnerabilities: the external party must have its own security in order, and checking that is yet another task for the customer. “Yes, you never get rid of it; as a board you are and remain responsible,” Smit emphasizes. “Everything stands or falls with security policy.”
A healthcare-wide security operations center (SOC) could, in theory, be a godsend. Smit notes that Z-CERT has issued a tender for sector-wide monitoring, but participation is optional for healthcare institutions. “You have to make it very cheap for hospitals. Or free,” argues the ForeNova CTO, though he also acknowledges: “Nothing comes for free.”
Moreover, a SOC ‘only’ covers part of the security problem: monitoring and alerting. Actually taking measures remains the responsibility of the institutions themselves, and that can be expensive. Besides the rising cost of IT itself, the general shortage of IT professionals also plays a role.
On the one hand, healthcare organizations face more expensive IT, and on the other, scarce (and therefore more expensive) IT professionals. Smit sees this problem at play: people can earn twice as much elsewhere. “It should be a vocation,” he says of working in healthcare and in security. “Unfortunately, more than 80 percent think otherwise.”
Being stronger together
“Money is not everything, even in security,” says Hafkamp. “It’s also about vision.” It is important to draw on the knowledge and experience of others, the Z-CERT director points out. The network organization connects organizations and people in healthcare, for instance through a large chat platform for healthcare CISOs (chief information security officers), who can bring problems and questions there. It is a non-commercial, private chat platform where participants can communicate with each other in confidence. “For very practical issues, but also for policy matters.”
Addressing and improving security therefore does not require expensive consultants, according to Hafkamp, at least not for every organization separately, because knowledge can be shared. Hafkamp acknowledges that this is a pull approach and explains that Z-CERT also tries, indirectly, to push.
But imposing security measures is not the job of that healthcare security organization; that is what standards and regulators are for, he says. The healthcare sector is also facing more legislation and regulation. For example, all hospitals must meet the legal standards for information security this year, the Dutch Health and Youth Care Inspectorate (IGJ) warned late last year.
Recognize your risk
Meanwhile, Hafkamp points out, security is also gaining ground among suppliers of healthcare applications and systems. Companies like Philips and Siemens build ICT security not only into their products but also into the associated managed services, which in turn improves their customers’ security.
After all, suppliers do not look only at their own products, Hafkamp explains; they also consider the environment in which those products run. Some IT suppliers try harder than others. One point of concern is the complexity of the healthcare supply chain, says the Z-CERT director. The weakest-link problem is never far away, and the weakest link may well be a smaller organization that lacks ICT (security) knowledge and expertise of its own.
“Recognize your risk,” Hafkamp emphasizes. “Latent security awareness is there, but in practice too little can still be done with it. You do need to have a professional in-house who translates that latent knowledge. Otherwise it remains latent.” Organizations may grow wiser through trial and error, but that can be a case of closing the stable door after the horse has bolted.
Original article link: https://www.agconnect.nl/artikel/security-en-zorg-pappen-en-nathouden