IT Security in Healthcare

Concerns with IT security in healthcare are always prevalent. As of February 2016, we know that IT infrastructures of many clinics do not withstand a simple virus attack. Medical devices also have been hacked. FDA enforces a systematic approach to cybersecurity.

Threats to IT security are not limited to healthcare. Yet there are some particularities to consider:

• Human lives are threatened
  In contrast to attacks on private individuals' or many corporate infrastructures, attacks on IT infrastructures in healthcare (e.g. of clinics) pose a threat to humans, more precisely to patients. If a clinic's IT breaks down, just as happened recently, no more patients can be admitted, and surgeries have to be postponed. If medical ventilators of an intensive care unit are targeted, patients can die within minutes.
• Specific regulations must be complied with
  Threatening IT security in healthcare also means threatening the protection of highly confidential personal data on health.
   For this reason (but not for this reason alone), specific regulations for operators of healthcare facilities and for medical device manufacturers exist, which you can read more about in the following section.
• Many clinics operate unprofessionally
  There are only a few other sectors outside the healthcare sector that invest so little money in IT security. In line with the motto "you get what you pay for", many IT departments of clinics are understaffed and poorly trained. IT security is further undermined by adventurous IT infrastructures and the high extend of partly uncoordinated outsourcing to all kinds of actors (service providers for printers, firewalls, PCs and hotline, manufacturers of IT systems and medical devices).
• Manufacturers act irresponsibly
  Manufacturers, too, are responsible for insufficient IT security. Among the reasons are:
• "Historically grown" system and software architectures.
• Poor understanding of the menace to IT security cause by total integration of IT and medical engineering.
• Lack of will to systematically analyze and manage IT security as part of risk management.
• Lack of willingness to assume responsibility not only for their own product, but also for the product in the context of a clinic network.

a) Requirements for Manufacturers

In contrast to the USA, the European judicial area knows only a few specific standards for addressing IT security of medical devices. Among them are:

1. Under MDR Annex I, 17.2, the MDR explicitly requires software development to be "state-of-the-art". This includes IT security. Now, manufacturers must define requirements regarding measures by operators about IT security. The MDR even internalizes the demand for data protection.
2. In its latest version, ISO 13485:2016 was amended to include protection of confidential data as well as the establishment and review of requirements for associated medical devices
3. IEC 60601-1 demands risks in consequence of a "lack of data security, particularly vulnerability to tampering, unintended interaction with other programs and viruses" to be managed.
4. IEC 62304: After the Amendment I (2016) of IEC 62304, the standard now provides for software requirements to include IT security requirements.
5. ISO 14971: Risk management (e.g. in conformity with ISO 14971) has always addressed all risks, implying even risks caused by insufficient IT security. Cyber attacks are included.
6. The FDA imposes precise requirements published in four (!) Guidance Documents on Cyber Security. In the documents, the FDA also refers to AAMI 57 on IT security risk management pursuant to ISO 14971. The FDA further acknowledges UL 2900-2-1 as a standard for IT security.

b) Requirements for Operators

In addition, there are national provisions such as the BSI Act and further demands by the German Federal Office for Information Security (BSI) regarding healthcare. In the course of the national critical infrastructure protection strategy (KRITIS strategy), the IT Security Act, too, was put into effect, which explicitly addresses healthcare.

Due to increasing cross-linkages, medical device manufacturers increasingly become operators. Therefore, the MPBetreibV comes into effect, which requires secure operation.

IEC 80001 is a standard describing risk management regarding the operation of IT systems in the healthcare sector. Data and system security (IT security) is one of the three explicit protection targets. In this context, especially IEC 80001-2-8 („Application guidance — Guidance on standards for establishing the security capabilities identified in IEC 80001-2-2“) is relevant.

Furthermore, operators must guarantee data security. IT security is a necessary but not sufficient prerequisite.

c) Sector-independent Requirements

The following laws, too, are directly related to IT security:

• EU General Data Protection Regulation
• Law on Control and Transparency in Business (KonTraG)
• Criminal Code: Sec. 202b Data Interception, Sec. 263a Computer Fraud, Sec. 303a Data Alteration and Sec. 303b Computer Sabotage

A contribution by Doccheck offers an overview of IT security problems in healthcare. AAMI reports that the RansomWare attacks in May 2017 were also a wake-up call for the FDA, which calls attention to the vulnerability of IT systems in healthcare.

a) Negligence by Medical Device Manufacturers

Obviously ignoring requirements of risk management and of the FDA Cybersecurity Guidance, new menaces caused by medical devices disregarding elemental security standards are recurring.

• As repeatedly reported by heise.de [1; 2] and hextech.com, infusion pumps by Hospira exhibit a fatal Telnet hole.
• Thousands of medical devices are vulnerable to attacks via the internet, as consistently reported by heise.de and golem.de [3], [4].
• Manufacturers' sloppiness when writing and updating firmware is an increasing problem [6].

b) Cyber Attacks on Health Insurance Providers

In several blogs, I have expressed my concern that it is only a matter of time until hospitals and chains of clinics are blackmailed by data thieves, too. Unfortunately, I forgot one major participant of the healthcare system open to blackmail: health insurance providers. This has happened now, as reported by Süddeutsche and Spiegel [7], [8].

c) Cyber Attacks on Hospitals

IT security in healthcare is increasingly exposed to threats since hackers have realized the value of data [9].

Often, hospitals are not the targeted victims of cyber attacks. Rather, their badly maintained IT infrastructure with outdated and unpatched operating systems are as helpless as an open barn door in the face of attackers.

• In February 2016, computer virus Locky crippled several clinics in North Rhine-Westphalia. For example, rp-online, WAZ and heise.de reported on this. One commentator wrote that not two, but 48 (!) clinics were affected. An expert from Kaspersky confirmed those weaknesses (article published in KH-IT Journal).
• Those attacks are not limited to Germany. According to Inquisitr, a hospital in California had to pay millions in ransom.
• In May 2017, hospitals are again targeted, especially the UK healthcare system NHS [10, 11] This time, the virus is called "Wanna Cry".

Years ago, the Miami Medical Centre in Queensland, Australia was affected. Hackers from eastern Europe had encrypted patient data within the KIS. As reported by ABC, the clinic had to pay ransom to re-access the data. It hardly surprises me that this "business concept" is gaining popularity. I don't know if the fear of this was an additional motivation for laying down IEC 80001 and for defining data and system security as a protection target. It was for sure a good idea.

For a long time, cyber attacks were limited to other industries such as the entertainment or automotive industry. Manager-Magazin provides an overview of the largest-scale cyber attacks.

d) Impairments of IT security by the NSA

Not only conspiracy theorists are discussing which opportunities caused by impaired IT security in healthcare can be and are pursued by the NSA. You can find more on this in an article on IT security, too (independent of the healthcare sector).

The NSA is even perceived to be co-responsible for the WannaCry attack: the NSA has identified the security flaw in Windows and has used it for intelligence activities. The security flaw has not even been reported to Microsoft after the spying tools had been reported.