Smart heroes and even smarter villains
The global market for smart hospitals is estimated to reach £83.5bn by 2026.
A smart hospital optimises, redesigns, and builds clinical processes, management systems and infrastructure with an underlying digitised networking infrastructure of interconnected assets, primarily based on IoT.
This enables better patient care, operational efficiency, and flexibility. An important feature is that smart hospitals reduce costs by maximising efficiency.
The availability and use of meaningfully interconnected systems and devices, leading to an overall smartness, make a hospital smart.
Put simply, smart hospitals are complex ecosystems utilising legacy systems and next-gen smart devices.
Although most technology is constantly evolving, hospital infrastructure is often left behind and must catch up. The capabilities of smart hospitals can enhance the quality of care provided in the form of data, access, and insight.
The problem is that, as hospitals become more connected, there is greater opportunity for them to be attacked. Hospitals are already at high risk of attack because of the sensitivity of the data and systems they possess. Therefore, hospitals must make strong cyber defences a priority, so they aren’t at risk of attack.
What exactly are we protecting?
Hospitals have lots of assets that are essential to their operation and therefore need protecting. These include:
- Remote care systems
- Networked medical devices – mobile devices, wearables, stationary devices
- Identification systems – tags, bracelets, badges
- Networking equipment
- Mobile client devices
- Interconnected clinical information systems – blood bank system, pharmacy information
- Data – research data, tracking logs, patient data
- Buildings and facilities
What are we protecting hospitals from?
There are many threats to hospitals, including natural phenomena and human error, but the focus here is on cybercriminals and the devastating effects they can have.
Malicious actions are deliberate acts by a person or an organisation. Major threats include:
Malware can infect many end devices, from medical devices to computers, resulting in a large attack surface. Malware comes in the form of ransomware, worms, viruses, trojans and botnets to name a few.
Hijacking can be performed at network or device level, where medical devices can be hijacked to create backdoors in hospital networks.
Medical device tampering happens when devices are reprogrammed and reconfigured by changing settings, or the device is deactivated.
Social engineering attacks include phishing and baiting, which take advantage of human weakness. Phishing emails are one of the common ways for cybercriminals to target healthcare employees. Cybercriminals are innovative, devising new ways to bypass anti-phishing technologies. They rely on employees being too tired or busy to notice what is happening, and use pressure tactics such as urgent requests and consequences for non-compliance.
Normally, healthcare workers don’t put data at risk intentionally, but working long hours in a fast-paced, high-pressure environment makes them more prone to falling victim to such attacks. This makes it essential to have the correct technology in place to detect suspicious activity that employees might miss.
Device and data theft means that not all the interconnected devices are in place, which can lead to wrong data collection or analysis and therefore wrong decision making.
Skimming is a specific type of attack that relies on eavesdropping on high-frequency RFID tokens. RFID tags are used widely within smart hospitals, on tags and sensors. Protection from this kind of attack relies on hardware investment.
Denial-of-service attacks have the potential to make a system or service completely unavailable, potentially disrupting a patient care process. An attack of this sort could result in patient data being unavailable.
How to protect hospitals
Smart hospitals require a sustained team effort where hospital staff work together to quickly detect potential threats so relevant solutions can be identified and implemented. Generally, security must be comprehensive and security measures need to be implemented as good practices. This ensures clinical processes, care quality and patient experience remain uncompromised, allowing the hospital to reap optimal operational efficiency and keep costs minimised.
Other vulnerabilities include an increasing level of dependence on IoT devices, which are not known for being particularly robust, users having little or no insight into the internal functioning of a device, and the lack of a clear way to alert a user when a security problem arises. Also, the use of personal devices can create vulnerability, and therefore it’s important for procedures regarding such devices to be strengthened.
The consequences
Data breaches cost an average of £6.9m per incident, as well as causing distress for the individuals involved. For patients, this includes identity theft and fraud, and disclosure of personal and medical records. Furthermore, security incidents involving malware and ransomware also cause operational disruption, which, in the most serious of cases, means loss of life. Millions can also be wasted if certain machinery, such as MRI scanners, cannot be brought back online.
Further to this, these security incidents damage customer relationships, and the reputation of the hospital. These consequences demonstrate the importance of effective prevention. With greater emphasis on the governance of cyber security, risk assessments, security measures and specific IT security requirements for IoT components in hospitals, this could be achieved.