Dr Peter Leitner and Stela Shiroka, at INTERSPREAD GmbH, detail cybersecurity in hospitals and care centres and their thoughts on the need for increased awareness and enhanced training capabilities in Europe.
The advanced use of digital technologies in the healthcare field is leading to an increase in cyberattacks, data breaches and IT-driven security risks, making it an immediate requirement for the field to dedicate more resources to raising awareness and implementing protection measures. As such, we need to move towards increased awareness and enhanced training capabilities in Europe.
Challenges and needs
The increased interconnectivity of medical devices and the proliferation of medical data have made the healthcare industry a very lucrative target for cybercriminals. Several reports indicate that healthcare tops the list of industries most affected by cyberattacks.
The most common forms of incident include stealing patients’ personal and medical records and encrypting them for ransom, which prevents medical staff from accessing patient information. Capable terrorists could also render active medical devices deadly.
Still, the funding and effort allocated to cybersecurity in healthcare are very low, especially considering the costs of response and recovery from a potential attack.
An analysis of past attacks shows that more than 80% of them could have been prevented if better protection mechanisms had been in place. Modern approaches, strategies and tools are, thus, necessary to make professionals aware of the risks and to support organisations in implementing stronger protection measures. Training IT and management staff and raising awareness of the risks among all healthcare professionals are key prerequisites for this.
Approaches and tools
To tackle current cybersecurity challenges in hospitals and care centres, training and awareness raising are essential for achieving a common understanding of cyberthreats and security risks at all hierarchical levels. A few of the approaches required to tackle existing challenges include:
1. Awareness and empowerment
Each employee of a healthcare organisation is a potential target but also an important “sensor” in the context of cybersecurity. As such, awareness of cyberthreats and security risks is one of the most important factors in avoiding human errors such as misdelivery of personal information, generally improper data management or destruction of vital data. Each organisation has to raise awareness of cybersecurity among all its staff, so that it is not considered an “IT-only problem”. Elaborate cybersecurity plans need to be established that assign everyone a certain role and make its importance clear to everyone.
2. Guidelines and handbooks
Comprehensive guidelines shall provide structured rules and policies on data handling, threat identification, risk minimisation etc. Handbooks have to be written and adapted to fit the demands of the different target groups within a healthcare organisation considering their technical experience and skills. Effective cybersecurity management needs to identify individual users’ challenges and increase the usability of guidelines and handbooks.
3. Training and workshops
Storytelling-based training is an essential means to overcome vulnerabilities in the system and to prepare staff for different scenarios. Training courses have to be tailor-made for each organisational unit. Besides training on the usage of software, hardware and the handling of devices, the safe sharing and handling of data and the consequences of wrong behaviours shall be an essential part of a modern cybersecurity training curriculum.
4. Showcases and practices
Showcases of common threats in each context of cybersecurity in healthcare can provide a better understanding of threats and individual risks. Gathering information on good and bad practices in effective cybersecurity management is, thus, a crucial element of staff awareness. Learning from and monitoring related industries in the health sector is essential to advance the protection of both critical environments and patients’ data.
5. Assessments and checklists
Continuous assessments of all cybersecurity strategies, measures and systems are crucial and must be on the agenda of the management of all healthcare organisations. A combination of internal assessments driven by the IT departments and cybersecurity professionals and repeated assessments by external experts is recommended. To simplify the continuous monitoring of human and technical cybersecurity systems, the use of structured checklists is indispensable.
6. Solutions and software
Hardware and software solutions are crucial for each healthcare organisation. Deploying antivirus tools across all systems is only a first step. Modern healthcare infrastructures need threat assessment tools, network protocol analysers, intrusion prevention systems, etc. suited to their individual organisational architecture, system specifications and repositories.
7. Advisors and catalogues
Intelligent digital advisors and smart solution catalogues are used to make quick decisions and find the right approach, whether a technical solution or a professional service, to deal with a specific cyberthreat scenario. These smart assistants and advisors have to be backed by data and solution catalogues at a pan-European and international level to provide instant advice and foresight on upcoming trends in the field of cybersecurity.
Raising Awareness on Cybersecurity in Hospitals across Europe and Boosting Training Initiatives Driven by an Online Information Hub
The SecureHospitals.eu project seeks to raise awareness of cybersecurity risks and protection opportunities in the healthcare domain. Through various training and awareness-raising approaches, the project seeks to boost the level of training in cybersecurity in Europe, improve the knowledge of staff and, in turn, contribute to reduced vulnerability to cyberthreats and increased patient trust and safety.
Knowledge aggregation and analysis
The project aggregates knowledge on existing cybersecurity practices across healthcare organisations, to analyse, elaborate and disseminate the information as a means of achieving common understanding among practitioners on best practices and strategies.
Awareness raising and community building
By disseminating the acquired knowledge and creating a community of practice which continuously exchanges views, provides insights and collaborates in training, while delivering preparedness and response strategies in the future, the project develops an Open Information and Awareness Hub to bring together all relevant stakeholders.
Training and capacity building activities
Aggregating the knowledge on the training gaps and needs of healthcare personnel, the project is creating training packages to be offered in the form of a Massive Open Online Course (MOOC), a summer school and several local workshops and webinars.
Programme: Horizon 2020
Type: Coordination & Support Action
Coordinator: INTERSPREAD GmbH
Duration: 26 months
This project has received funding from the European Union’s Horizon 2020 Coordination & Research and Innovation Action under Grant Agreement No. 826497.
Dr Peter Leitner
Head of Research & Innovation
*Please note: This is a commercial profile