Cybersecurity: How to lower the risk

There will never be a bullet-proof protection against cyberattacks on hospitals. But here are some ideas that might help lower the risk or minimise the damage.

To pay or not to pay: This should not be the question. But when a hospital is cyberattacked, a CIO or CEO might face exactly this dilemma. And like it or not, these situations have increased in frequency over recent years.

No wonder, said Julio Vivero of the European Cybersecurity Organisation (ESCO): The trend towards eHealth services in an ageing society, the implementation of delocalised, patient-centric digital ecosystems, the increase in healthcare big data analytics, the availability of AI algorithms, and the ongoing digitisation of medical devices all offer new avenues of attack for cyberterrorists or digital blackmailers.

In an interactive workshop on day 2 of this year’s HIMSS & Health 2.0 Europe Conference in Helsinki, representatives of healthcare institutions, cybersecurity experts, and patient representatives discussed possible ways to alleviate the threat.

Participants agreed that dealing with cybersecurity always has to be a shared responsibility between users, healthcare organisations, suppliers, and integrators. This holds for cyberattack prevention as well as for crisis management in case of an attack.

Recommendations collected by the workshop participants for crisis management included having a template ready that clarifies how to communicate and who is responsible for communication in case of an attack. Crisis management will also be facilitated if cybersecurity incidents are included in hospital calamity plans.

To that end, individual departments should be given the lead in assessing the impact of possible cybersecurity incidents on department-specific processes. This was emphasised by Dr. Saif Abed, cybersecurity expert at Abed Graham: “We absolutely need a careful clinical, and not just technological, risk assessment.”

When it comes to prevention, workshop participants very much stressed the importance of ‘security by design’. For example, replacing password-based identification with facial or voice recognition could allow for more usable and less error-prone access management and thus increase security.

A majority was also in favour of reasonable auditing and security certification schemes. Finally, cybersecurity incident prevention is also a matter of improving basic knowledge about risks and typical mistakes among staff. Among the recommendations brought forward was to make cybersecurity training part of employee contracts and thus mandatory.
