New EU rules for medical equipment will be introduced next year, but they won’t be enough to protect healthcare institutions against all cyber risks. Here are eight steps that lay the basis for strong cybersecurity.
To tackle cyber risks in healthcare, the European Union will introduce a tightened system of rules for medical equipment in 2020. The Medical Devices Regulation will assure purchasers for healthcare institutions that any new equipment meets strict cyber security requirements, and reduce the chance of hackers breaking into pacemakers, MRIs or other medical devices connected to networks.
Healthcare institutions cannot afford to rely solely on this regulation, however. There’s much more required to ensure that healthcare institutions have adequate cybersecurity. I know the necessary measures can be complex, but this list of recommendations and steps can provide guidance in strengthening much-needed defences against healthcare cyber risk.
1. Recognise that cyber risk is a real risk. I still see that institutions sometimes don’t take hacking risks too seriously. One reason for this might be that the decision-makers at healthcare institutions are often medically trained senior managers who know little about cybersecurity. But you need the buy-in of top management to achieve adequate cybersecurity.
2. Map out which cyber-sensitive ‘assets’ you have. Many institutions have insufficient insight into the networks, buildings and equipment they have and which of those are vulnerable to digital intruders. This is understandable, because the infrastructure of such institutions is generally created step by step. Also, each institution has its own history. To make the inventory you need, I recommend making a distinction between: 1) buildings and their core systems, such as power supply, heating and waste processing; 2) medical equipment, from MRIs to cardio apparatus; and 3) supporting data systems, such as patient records, which are often stored in the cloud and are subject to privacy regulations.
3. Perform an audit of the systems connected to networks. Many purchased medical systems are ‘plug and play’: they work almost immediately and often get hooked up to a network without much thought for the possible risks. But how is access to each of those systems arranged? Who determines who gets which access rights? Before a system is connected, it’s important to determine how the connection will be secured. This also means you must define the requirements that your equipment and networks must meet, tailored to the needs of the institution.
4. Choose to be ‘secure by design’. This means incorporating the cyber security of equipment and systems as a criterion into every step of decision-making, from the start of the purchasing process to the end of their life-cycle.
5. Ensure segmentation of your infrastructure. The more your networks are segmented, the harder it is to digitally take over your whole institution. If a hacker invades one network segment, he cannot simply push through to another. Segmentation therefore considerably reduces cyber risks.
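Steps 2, 3 and 5 can be turned into a repeatable check. The script below is an added illustration, not part of the article: it takes a constructed asset inventory using the article's three categories (building systems, medical equipment, supporting data systems), flags devices with no access-rights owner and segments that mix categories, and compares observed network flows against a segmentation policy in which anything not explicitly allowed is denied. All asset names, segments and flows are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# The three inventory categories recommended in step 2.
BUILDING, MEDICAL, DATA = "building", "medical", "data"

@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    segment: str   # network segment (VLAN) the asset sits in
    owner: str     # who decides access rights for it; "" means nobody assigned

# Constructed sample inventory (hypothetical names, not from the article).
INVENTORY = [
    Asset("hvac-controller", BUILDING, "vlan-building", "facilities"),
    Asset("mri-1", MEDICAL, "vlan-medical", "radiology"),
    Asset("ecg-cart-7", MEDICAL, "vlan-building", ""),   # plugged in ad hoc, no owner
    Asset("ehr-gateway", DATA, "vlan-data", "it-security"),
]

# Segmentation policy: (source category, destination category) pairs that may
# talk to each other. Anything absent is denied, so a foothold in one segment
# cannot simply be pushed through to another.
ALLOWED_FLOWS: Set[Tuple[str, str]] = {
    (MEDICAL, DATA),       # devices upload results to the record system
    (MEDICAL, MEDICAL), (DATA, DATA), (BUILDING, BUILDING),
}

# Constructed observed flows (source asset, destination asset).
OBSERVED_FLOWS = [
    ("mri-1", "ehr-gateway"),            # permitted
    ("ecg-cart-7", "hvac-controller"),   # medical device reaching building systems
    ("hvac-controller", "ehr-gateway"),  # building system reaching patient data
]

def inventory_findings(assets: List[Asset]) -> List[str]:
    """Flag assets with no access-rights owner and segments mixing categories."""
    findings: List[str] = []
    per_segment: Dict[str, Set[str]] = {}
    for a in assets:
        if not a.owner:
            findings.append(f"{a.name}: no owner assigned for access rights")
        per_segment.setdefault(a.segment, set()).add(a.category)
    for seg, cats in per_segment.items():
        if len(cats) > 1:
            findings.append(f"{seg}: mixes categories {sorted(cats)}")
    return findings

def flow_violations(assets: List[Asset], flows: List[Tuple[str, str]]) -> List[str]:
    """Return flows that the policy does not allow or that involve unknown assets."""
    by_name = {a.name: a for a in assets}
    violations: List[str] = []
    for src, dst in flows:
        missing = [n for n in (src, dst) if n not in by_name]
        if missing:   # traffic from something the inventory does not know about
            violations.append(f"{src} -> {dst}: not in inventory: {missing}")
            continue
        pair = (by_name[src].category, by_name[dst].category)
        if pair not in ALLOWED_FLOWS:
            violations.append(f"{src} -> {dst}: {pair[0]} to {pair[1]} not permitted")
    return violations
```

Run against the sample data, the inventory check reports the unowned ECG cart and the building segment that now also hosts a medical device, and the flow check reports the two cross-category connections.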
6. Build a structure for monitoring your networks and responding to incidents. To do this, put together a team of people who have the required mix of knowledge and skills.
7. Perform regular test hacks, together with external partners, to identify the vulnerabilities of your systems. At the same time, make sure you have a good reporting mechanism in place so that management is up to date on any vulnerabilities and incidents and can respond to them.
8. Build a corporate culture that focuses on cyber security at all levels. Awareness programs about cyber risk, including privacy protection, deserve a place in the HR and training programs of healthcare institutions.
By completing these steps you will, in my opinion, achieve a decent basic level of safety.