Hospitals are becoming an increasingly tempting target for cyber criminals. The size of hospital networks, the vital importance of PCs on those networks remaining operational -- and the way in which a large proportion of healthcare-related computer systems are left running on unsupported operating systems -- means that securing hospitals against cyberattacks is increasingly complicated.
It's something hackers are taking advantage of, either to distribute ransomware or attempting to steal sensitive personal data about patients.
Now, in an effort to counter the growing threat cyber criminals pose to hospitals – especially as medical networks become more reliant on the Internet of Things and connected devices – ENISA, the European Union agency for cybersecurity, has issued advice on improving cyber defence for hospitals.
While the list is aimed at healthcare, most of the recommendations are more widely applicable.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
"Protecting patients and ensuring the resilience of our hospitals are a key part of the agency's work to make Europe's health sector cyber secure," said Juhan Lepassaa, executive director of ENISA.
The Procurement Guidelines For Cybersecurity in Hospitals paper recommends ten good practices for making the health sector more resilient to cyberattacks.
1. Involve the IT department in procurement
It sounds simple, but involving the IT department in procurement from the very start ensures that cybersecurity is considered on every step of the technology procurement journey, as recommendations can be made as to how new technology fits in with the existing network and what additional security measures might be needed.
2. Implement a vulnerability identification and management process
It's an imperfect world and there are products out there which contain vulnerabilities, known or as of yet undiscovered. Having a strategy in place to manage vulnerabilities throughout the entire lifecycle of a device can help the security team keep control of potential security worries.
3. Develop a policy for hardware and software updates
Security researchers often uncover new vulnerabilities in devices and operating systems. However, medical networks have historically been poor at ensuring patches are applied – and this was one of the reasons WannaCry ransomware impacted the NHS so badly. The paper recommends IT departments determine the most suitable timing to apply the patches in every segment of the network, as well as determine workarounds for machines that can't be patched, such as segmentation.
4. Enhance security controls for wireless communication
Access to hospital networks should be limited with tight controls, meaning that the number of devices connected should be monitored and known, so as to identify any unexpected or unwanted devices attempting to gain access. The paper recommends that non-authorised personnel shouldn't have access to the Wi-Fi and that network passwords should be strong.
5. Establish testing policies
Hospitals acquiring new computing products should establish a minimum set of security tests to be performed on new devices added to the networks – including penetration testing once it's added to the network, to take into account how hackers could attempt to abuse it.
6. Establish business continuity plans
Business continuity plans should be established whenever the failure of a system may disrupt the hospital's core services – which in this instance is patient care – and the role of the supplier in such cases must be well-defined.
7. Take into account interoperability issues
The ability of machines to transfer information and data is key to hospitals being able to operate properly – but this could be compromised in the event of a cyberattack or downtime. The hospital should have backup plans should this operation be compromised.
8. Enable testing of all components
Systems should be regularly tested to ensure they're offering good security, combining ease of use while also being secure – for example, the IT department should ensure that users haven't changed complex passwords to more simple ones. All of this should be examined during testing.
9. Allow auditing and logging
Keeping logs about testing and activity on the network ensures that, in the event of a compromise, it's easier to trace what happened and how attackers got access to the system, as well as evaluating what information has been compromised. "Keeping the logs secure is one of the most important tasks of security," says the paper.
10. Encrypt sensitive personal data at rest and in transit
To ensure compliance with with the General Data Protection Regulation, and to ensure the safety of both patients and staff, sensitive information should be encrypted, so that if outsiders do get access to the systems, it's likely to be useless to them.
By following this advice, healthcare organisations can ensure that networks, staff and patients are as well protected from cyberattacks as possible.
MORE ON CYBERSECURITY