Every October, the EU and US celebrate ‘Cyber Security Month’, a month-long awareness campaign to educate citizens about the importance and scope of cyber security and the measures everyone can – and should – take to ensure their protection and privacy online.
The crucial role of both strong IT infrastructure and good ‘cyber hygiene’ practices becomes even more apparent in the healthcare sector, which in recent years has become a dangerously common target for cyber attacks and data breaches, turning a matter of privacy and security into a threat to people’s physical safety.
Cyber security consists of all the technologies, processes and controls designed to protect devices, servers, systems, networks, programs and data from malicious attacks, which are typically aimed at: accessing, changing, or destroying sensitive information; extorting money from users; interrupting normal business processes. Cyber hygiene, on the other hand, refers to the practices and steps – ideally integrated in a daily routine – that users of computers and other devices can take to maintain system health and ultimately improve their security online.
The cyber space is not an easy place to secure, due to both intrinsic factors (such as the inevitable connections between digital and physical systems and the ability of malicious actors to operate from anywhere in the world) and new trends, in particular the ubiquity of personal electronic devices, the growing complexity of critical digital infrastructures (such as in healthcare, telecommunication, power supply and banking) and the ever-increasing integration between digital and physical systems (i.e. the Internet of Things).
To make things worse, technology is not the only player in keeping the cyber space secure – we have a big and often overlooked role to play, with human error (such as sharing sensitive passwords, falling prey to ‘phishing’, losing devices and neglecting system updates) in fact responsible for the great majority of cyber attacks (up to 90%).
In the healthcare sector, all of these threats become more pressing and the stakes much higher. For example, sensitive clinical information can be stolen (with a record 113+ million EHRs stolen in 2015) and sold on the black market, while wireless medical devices can be broken into, directly affecting clinical care and patient safety. Last but not least, any breach of health IT infrastructure or a medical device can be exploited to force the victim to pay a ransom. A recent report by Kaspersky Lab indicates that over 1/4 of healthcare IT employees in Canada and the US admit they are aware of ransomware attacks on their employer within the past year, 1/3 of which more than once. In 2019, for the first time, two US healthcare providers were forced out of business by ransomware attacks.
As expected, the capability and greed of cyber criminals are not solely to blame for the concerning upward trend in healthcare cyber attacks; what might be more surprising is that such a sensitive and vulnerable sector has historically paid much less attention to cyber security and cyber hygiene than many other targeted industries.
The cyber security training of medical staff is typically inadequate and the funding limited, resulting in healthcare workers sharing login credentials, endemic use of legacy devices and outdated systems (including in the medical device sector), failure to meet data protection regulations, data thefts often going unnoticed or unreported and other incorrect behaviors that increase the cyber vulnerability of healthcare institutions and clinical practices. In fact, according to the 2019 HIMSS Cybersecurity Survey, healthcare workers either falling prey to online scams (30%) or neglecting cyber hygiene practices (16%) constitute the main cause of healthcare attacks in the US, along with direct action by cyber criminals (16%).
While such a picture certainly doesn’t look promising, there is some hope for positive changes: new regulations about healthcare cyber hygiene and data protection are sprouting around the world (with the EU more proactive than the US so far), more capital is being invested in the training and technology required to improve healthcare cybersecurity, patients are increasingly aware of the privacy threats posed by healthcare IT, and cyber security training for all healthcare workers has been made mandatory in many countries. Easy steps all healthcare providers could take to minimize their vulnerability include carefully screening medical devices and IT infrastructure options before choosing a vendor, and then working closely with them over time to prioritize the cybersecurity issues to be addressed on either side, as well as consulting official cyber security recommendations and resources freely available online.
Kelyon, active in the field of health IT and SaMD (Software as a Medical Device) development for over 10 years, has always recognized the importance of data protection and cyber security when it comes to health-related technology. All of our products are submitted to certification and CE marking according to the latest EU regulations, and we also offer our clients secure cloud hosting, continuous platform monitoring and support by the system administration team in case of malfunction or malicious attack.