Malware Most Common Smart Hospital Data Security Threat

By Elizabeth Snell – HealthIT Security

The European Union Agency for Network and Information Security reviewed top smart hospital data security threats, mitigation techniques, and good practices.

Malware is the most common type of potential attack scenario for smart hospitals that poses a data security threat, according to a recent study from the European Union Agency for Network and Information Security (ENISA).

Smart hospitals have become more prevalent as Internet of Things (IoT) components support core functions of a hospital, ENISA stated in its study.

Information security is a key issue for these organizations, and malicious actions, human errors, system and third-party failures, and natural phenomena should all be considered as a potential threat. When healthcare organisations look to collaborate with third-party providers for medicare credentialing and other essential services, it is very important to keep information security and associated risks in mind. Both parties must keep the confidentiality of patient information at the helm of operational processes and data handling by implementing strong cybersecurity measures.

“The risks that result from these threats and corresponding vulnerabilities are typically mitigated by a combination of organisational and technical security measures taken by smart hospitals which comprise good practices,” the report’s authors wrote. “With respect to organisational measures, compliance with standards, staff training and awareness raising, a sound security organisation, and the use of guidelines and good practices are particularly relevant.”

ENISA investigated the current status of Smart Hospitals and related information security issues, focusing on deployments in the EU for the study.

Respondents included hospital representatives, industry representatives, and policy makers.

Along with malware, those surveyed said that device tampering, social engineering, denial of service attacks, and theft, were also top attack scenarios for smart hospitals.

Traditional hospitals may also be vulnerable to these types of attacks, researchers noted. However, the consequences can be much more severe in connected organizations.

“Protection becomes difficult because, with the high number of networked devices, many potential points of attack are emerging,” the report states. “The consequences become more severe because information systems and devices are more intensely connected within hospitals and across organisational boundaries.”

Respondents also rated threat categories according to their likelihood of occurrence on a scale from 1 (low likelihood) to 5 (high likelihood). Human errors were the most likely to occur, according to the survey, while a natural phenomena was given the lowest likelihood of taking place.

“With respect to human errors, user errors, non-compliance with policies and procedures and loss of hardware, for instance, were perceived as posing considerable risk to smart hospitals,” the researchers explained.

However, malicious actions, which include threats from malware, social engineering, hacking, denial of service and device tampering, were considered particularly critical for smart hospitals by a larger group of respondents than human errors.

Specifically, 77 percent of respondents said that malicious actions were a critical threat, while 70 percent said human errors were the top threat. Just over half of those surveyed – 53 percent – listed system failures as a critical threat.

ENISA recommended that hospitals establish effective enterprise governance for cybersecurity, and also provide specific IT security requirements for IoT components in the hospital. Conducting a risk assessment and vulnerability assessment was also recommended, which can be essentially necessary for US organizations under HIPAA regulations.

Industry representatives should perform the following measures to enhance smart hospital data security:

• Incorporate security into existing quality assurance systems
• Involve third parties (healthcare organisations) in testing activities
• Consider applying medical device regulation to critical infrastructure components
• Support the adaptation of information security standards to healthcare

Additionally, healthcare organizations that provide special services, such as for disabled people, can explore a free NDIS registration guide online and employ software to make progress notes, track patients, and provide care services through an app with quality security integration. This can ensure the complete safety of sensitive data with regard to patients as well as hospital administration.

Several of the healthcare security recommendations are also already being considered for US-based healthcare organizations.

For example, the National Health Information Sharing and Analysis Center (NH-ISAC), the Medical Device Innovation, Safety and Security Consortium (MDISS), and the U.S. Food and Drug Administration (FDA) Center for Devices and Radiological Health (CDRH) recently signed a memorandum of understanding to help organizations identify, mitigate, and prevent medical device cybersecurity threats.

The Information Sharing and Analysis Organization Standards Organization (ISAO SO) also released several documents in October 2016 on cybersecurity information sharing guidance, which focused on cybersecurity risks, incidents, and best practices. In terms of healthcare cybersecurity information sharing, one document discussed privacy and security aspects of cybersecurity risk.

“At a minimum, privacy considerations should include the individual members of an organization, the privacy of any individuals whose data may be included in cyber threat indicators to the extent provided by law, and a full range of other constituencies, customers, and individuals,” the document stated. “To adequately protect privacy while accomplishing the goals of an ISAO, it is important for the ISAO to provide guidance to members, participants, and ISAO staff that will be helpful in striking a balance between allowable sharing of cyber threat information and protecting privacy.”