Healthcare organisations are undoubtedly facing new challenges in providing and maintaining reliable services in a fast-evolving technological environment. Today, most activities, processes and business are ICT-supported and data-driven; consequently, data and information have become highly critical assets in the organisation, requiring a high level of both privacy and security protection. Protecting these critical assets against security risks is further strained by the increase in connected systems and devices, and by the need to exchange data outside the organisational boundaries, nationally and across borders. In fact, securing information and patient data is one of the biggest challenges the healthcare sector faces, inside and outside the organisation, when exchanging data electronically between organisations (hospitals and other health units) or allowing access to data for research and other secondary uses.
Devices, system components and networks are becoming autonomous, ubiquitous and interconnected. As healthcare becomes more connected, the large volumes of data stored and maintained in healthcare organisations, which are critical to patients and to healthcare and financing systems, get increasingly exposed to cybersecurity risks for organisations and patients alike. Risk is further increased by the fact that, unlike credit card information, health data cannot be changed once stolen. As a result, health data are considered fifty times more valuable than financial information on the black market and are therefore among the most targeted kinds of data (1). As a matter of fact, data breaches are becoming more and more frequent in the healthcare sector. Threats to smart hospitals are not limited to malicious actions in terms of their root cause; human errors and system failures, as well as third-party failures, also play an important role.
Consequently, from a cybersecurity perspective, the challenge for healthcare organisations is two-fold. On one side, their environment is rapidly changing, becoming more connected internally, within the healthcare system and with other sectors; as the attack surface increases with the introduction of connected devices, the attack potential grows exponentially. On the other side, their capacity to respond is hampered by outdated and complex legacy IT systems that remain critical for the organisations yet are vulnerable to cyberattacks and failures, as well as by a significant lack of awareness and training of professionals on cybersecurity issues and risks. These attacks, besides causing financial loss and reputational damage, diminish patients' trust in the treatment and storage of their health information in digital infrastructure, which is a challenge for the organisation's digital innovation efforts.
Information and data, within the healthcare context, are amongst the most valued assets, both for their legitimate and their illegitimate use. Having access to the right information at the right time can help save lives, increase the effectiveness of healthcare services and procedures, and reduce healthcare costs. When misused, it can cause serious harm, whether in the form of personal data theft, cyberattacks using ransomware and other modern ways to monetise malicious use, or even worse: targeted attacks using falsified healthcare data, hijacking of medical devices and similar techniques may be used to cause significant harm or even death.
A multifaceted response is therefore necessary, starting from the adoption of strategies that can effectively tackle identified vulnerabilities, prepare and engage the workforce, and inform technology acquisition policies. People, processes and technology are the three pillars of more resilient and secure healthcare delivery and of the availability of health information, with increased user confidence in digital technologies.
1. PROTEGO – Why addressing cyber risks in healthcare is needed