Impact of NIS2 on cybersecurity in healthcare


The revision of the EU directive on cybersecurity for critical infrastructure (NIS2) has pushed cybersecurity even further into focus in many healthcare facilities, because they are considered particularly worthy of protection.

Confidentiality, integrity and availability of data are of central importance in the healthcare sector: this is where entire treatment processes and diagnoses, including therapy plans, are documented. Since every security gap carries the risk that medication plans will be manipulated or that information will fall into the hands of third parties, cybersecurity is essential. The sensitive data is an extremely popular target for criminals, as the recent attack on a hospital in Soest showed. The industry's challenge: with advancing digitalization, medical devices are increasingly networked and data is increasingly stored and transmitted electronically, which enlarges the attack surface available to cybercriminals. The legislature is addressing this development with NIS2 by raising the cybersecurity requirements placed on companies. Ingo Schulenberg, Head of Sales – Special Operations OT & IT Security at Axians IT-Security, gives four tips on how healthcare facilities affected by the directive should proceed.

Cybersecurity assessment

The equipment inventory in hospitals has often grown over time and is increasingly interconnected. To increase IT security efficiently, an assessment of the existing security precautions is the best starting point. Here, experts check the security of the installed environment, identify vulnerabilities in existing devices and determine what security requirements apply to new devices. It is also crucial to establish which areas of the organization actually need to communicate with each other. Healthcare facilities in particular operate important machines and devices that, for example, should not all sit on the same network. In the cybersecurity assessment, organizations work out which assets are especially critical and worth protecting, so that they can prioritize them in their security strategy and secure them appropriately. During the assessment, experienced ICT service providers such as Axians can help to assess the security level of the IT infrastructure correctly and then derive a holistic security strategy from it.

Cybersecurity training

The biggest security risk in the healthcare industry, as in other industries, is people, and they remain a popular target for attackers. With well-crafted phishing attacks, cybercriminals can trick employees into handing over login details or downloading malware from the Internet. Misguided helpfulness, for example when employees plug a found USB stick into their work PC to identify its owner, often leads to major damage. Charging private mobile phones on medical devices with a USB port likewise exposes healthcare facilities to compromised devices. Organizations should counter this by training all employees so that they develop a better sense of security risks. This matters because employees in healthcare facilities often work under time pressure and with a high workload. So that they do not fall victim to targeted phishing attacks in a stressful daily routine, regular security training and awareness training are essential.

Cybersecurity best practices

In order to build effective cybersecurity, institutions should first implement the technical basics. In the healthcare sector, this includes network segmentation with internal firewalls. Network segmentation makes it possible to separate medical devices from the main network. Machines and devices often run older operating systems whose vulnerabilities cannot be patched, because patching them would void their regulatory approval. If recertification is not an option, these devices can be isolated in dedicated network segments, and communication with them can be restricted to the flows they actually need and monitored with an intrusion prevention system (IPS). This basic protection can then be expanded step by step, in a modular fashion and within budget. Because the threat landscape is becoming increasingly complex, preventive measures must be sharpened continuously.
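As an added example of the segmentation described above (this is not code from the article or from Axians), the block below expresses the boundary policy for an isolated medical-device segment as an explicit allow-list, compiles it to an nftables forward chain with a default-drop policy, and audits a constructed flow log against it. The segment names, address ranges, ports and the sample flows are assumptions for illustration: MEDICAL holds unpatchable modalities, CLINICAL holds the PACS and RIS servers, ADMIN holds office workstations.

```python
"""Segmentation allow-list for a hospital network, compiled to nftables.

Added example, not code from the article or from Axians. Segment names,
addresses and ports are assumptions for illustration:
  MEDICAL  10.20.0.0/24  modalities with an unpatchable embedded OS
  CLINICAL 10.10.0.0/24  PACS / RIS servers
  ADMIN    10.30.0.0/24  office workstations
The boundary firewall defaults to deny; only the flows listed in ALLOW pass.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SEGMENTS = {
    "MEDICAL": ip_network("10.20.0.0/24"),
    "CLINICAL": ip_network("10.10.0.0/24"),
    "ADMIN": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src: str    # source segment name
    dst: str    # destination segment name
    proto: str  # "tcp" or "udp"
    dport: int  # destination port
    note: str   # why the flow is needed (becomes the nftables rule comment)


# Explicit allow-list between segments. Everything else is dropped, including
# any traffic from MEDICAL to the internet and any traffic from ADMIN into MEDICAL.
ALLOW = (
    Rule("MEDICAL", "CLINICAL", "tcp", 104, "DICOM C-STORE and worklist to PACS and RIS"),
    Rule("MEDICAL", "CLINICAL", "udp", 123, "NTP from the clinical time server"),
    Rule("ADMIN", "CLINICAL", "tcp", 443, "web image viewer on the PACS"),
)


def segment_of(ip: str):
    """Return the segment name for an address, or None if it lies outside all segments."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Decide whether one flow may cross the segment boundary."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # unknown or external endpoint: never crosses the boundary
    if src == dst:
        return True   # intra-segment traffic does not pass this firewall
    return any(
        r.src == src and r.dst == dst and r.proto == proto and r.dport == dport
        for r in ALLOW
    )


def to_nftables() -> str:
    """Render the policy as a stateful nftables forward chain with default drop."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in ALLOW:
        lines.append(
            f"    ip saddr {SEGMENTS[r.src]} ip daddr {SEGMENTS[r.dst]} "
            f'{r.proto} dport {r.dport} accept comment "{r.note}"'
        )
    # Log what the default policy drops so the SOC can see probing into MEDICAL.
    lines += ['    log prefix "seg-drop: " drop', "  }", "}"]
    return "\n".join(lines)


def audit_flows(flow_log: str) -> list:
    """Return the flow-log lines the policy would drop. Line format: 'src dst proto dport'."""
    denied = []
    for line in flow_log.strip().splitlines():
        src, dst, proto, dport = line.split()
        if not is_allowed(src, dst, proto, int(dport)):
            denied.append(line)
    return denied


# Constructed sample flows, not real hospital traffic. 203.0.113.10 stands in
# for an internet host; 10.30.0.40 is an office PC trying SMB on a modality.
SAMPLE_FLOWS = """\
10.20.0.15 10.10.0.5 tcp 104
10.20.0.15 10.10.0.9 udp 123
10.30.0.40 10.10.0.5 tcp 443
10.30.0.40 10.20.0.15 tcp 445
10.20.0.15 203.0.113.10 tcp 443
10.20.0.15 10.20.0.16 tcp 104
"""

if __name__ == "__main__":
    print(to_nftables())
    for flow in audit_flows(SAMPLE_FLOWS):
        print("DROP", flow)
```

Running the block prints the generated ruleset and flags the two constructed flows that would be dropped: the office workstation reaching for SMB on a modality and the modality trying to reach the internet. Keeping the policy as data makes it easy to review with the clinical engineering team, and the logged drops are exactly the events worth forwarding to the SOC described below.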

Expand the basics with SOC and ISMS

Threats must be identified around the clock and in real time so that an emergency can be answered immediately. For this reason, it is advisable for healthcare institutions such as hospitals to set up a Security Operations Center (SOC). All cybersecurity threads come together in the SOC: this is where specialists monitor the hospital's IT security infrastructure around the clock using current technology, identify attacks promptly and initiate the defense. The experience gained allows the defense strategy to be adapted continuously. Healthcare facilities do not have to operate a SOC themselves; they can obtain this as a service from a managed service provider.

In addition to the security basics, it is recommended to establish an information security management system (ISMS). This is not a physical system but a set of procedures defined by policies that permanently defines, steers, controls, maintains and continuously improves information security in an organization. An ISMS is planned and implemented individually for each organization.

Increase security gradually

Successfully protecting companies and institutions in the healthcare sector against cyber attacks takes more than investing in hardware and software. The goal should be a comprehensive cybersecurity strategy that can be implemented step by step. Organizations can start by carrying out security assessments and then, based on the results, introduce technical measures such as internal and external firewalls, intrusion prevention, network segmentation, an ISMS and a SOC. At the same time, awareness training to sensitize employees pays off. As long as organizations follow these best practices, they continually raise the security of their systems and thus of patient data. Collaborating with external partners and using managed services can help avoid placing additional strain on the IT departments of healthcare facilities.

More at Axians.com

About Axians
The Axians group of companies in Germany is part of VINCI Energies' global brand network for ICT solutions. With a holistic ICT portfolio, the group supports companies, municipalities and public institutions, network operators and service providers in modernizing their digital infrastructures and solutions.

