Smart Hospitals: Security and Resilience for Smart Health Service and Infrastructures
The European Union Agency for Network and Information Security (ENISA) has released a new report to help IT and security officers of healthcare organisations implement IoT devices securely and protect smart hospitals from a variety of threats.
Interconnected health care systems
Devices, system components and networks are becoming autonomous, ubiquitous and interconnected. When this technological advancement applies to the healthcare sector, one of the most traditional critical sectors, the results are remarkable. Connected medical devices transform the way the healthcare industry works, both within hospitals and between different actors of the healthcare industry. Risks include possible harm to patient safety or loss of personal health information, and may be caused not only by malicious actions but also by human errors, system or third-party failures and natural phenomena. As the attack surface increases with the introduction of connected devices, the attack potential grows exponentially.
Smart Hospital Environment
The overarching goal of smart hospitals is to deliver optimal patient care by making the most of advanced ICT. The availability of all relevant information when required, access to internal and external expertise when needed, and efficient and effective surgical/diagnosis processes facilitate achieving this goal with a low error rate and cost-effectively. What makes a hospital smart is, therefore, the availability and use of meaningfully interconnected systems and devices that lead to overall smartness. While legacy systems may indeed be an integral part of end-to-end smart processes, the emphasis of this study will be on new technologies, and particularly IoT components.
Serious vulnerabilities that come with IoT
In general, security must be comprehensive; otherwise, attackers simply exploit the weakest link. There are, however, several serious vulnerabilities that come with the use of IoT in healthcare that are difficult to address. A key problem of smart hospitals is that personal health information is considered even more valuable than financial information by criminals.
Some vulnerabilities mentioned in the report are:
- IoT devices, including networked medical devices, are highly interconnected and some devices even have the ability to automatically connect to other devices.
- The communication between smart devices and legacy systems can also create gaps and give space for malicious attackers to gain illegal access to systems and data.
- Access control is very important in the smart hospital environment as a lack of authorisation policy can cause unauthorised users to gain access through an end device to a critical system. Issues may be related to authentication or authorisation of staff that handles medical devices.
Hospitals will be the next major target for cyber security incidents, simply because the lack of protection mechanisms is becoming evident. Taking security seriously and addressing security during product design and development are essential for manufacturers of critical systems and devices, particularly if they are applied in the healthcare context. It is advisable to follow the “security by design” paradigm, which means that a product is designed to be secure from scratch, and the “secure development” paradigm, which focuses mostly on the adoption of secure coding good practices, or to implement the “privacy by default” concept, which requires that the default settings of a product must protect the privacy of individuals.
The report is meant for hospital executives and IT and security professionals, but could also be a good read for executives and professionals of manufacturers of connected devices for healthcare, healthcare consultants, as well as policy makers from EU member states. Download the report of ENISA here.