Um, excuse me. Do you have clearance to patch that MRI scanner?
Healthcare regulations working against cybersecurity, claims expert
Israel Cyber Week: Healthcare regulations oblige medical equipment vendors to focus on developing the next generation of technologies rather than addressing current cybersecurity issues, according to experts presenting at the eighth Israel Cyber Week.
Ophir Zilbiger, partner and head of the BDO Cybersecurity Center Israel consultancy, said healthcare represents serious privacy risks because of the sensitive data hospitals and clinics hold. Hospitals in general are struggling to balance investment in medical equipment with the needs of cybersecurity against a backdrop of limited budgets. Use of digital records is a "cornerstone" in modern healthcare provision but this also increases the risks, Zilbiger said.
"Traditional methods of risk assessment don't really work. In other industries IT can be tested up to a certain level before they are used. In banking, for example, you can accept a few glitches but when it comes to human life you cannot have that, of course, so there are very strict regulations in terms of change management, testing and quality assurance."
Each cycle of testing of healthcare equipment is quite lengthy because it needs to meet the requirements of regulators, such as the FDA in the US. "This creates a problematic situation in cybersecurity because when a medical device has been tested and sold to a hospital, a vendor is focused on creating the future wave of whatever medical devices they are working on," Zilbiger said. "They are really not investing too much effort into upgrading the previously sold medical devices because of security reasons. They might fix something because of health issues very quickly but they're not really looking into improvements that need to be made to [existing] equipment because of cybersecurity.
"Hospitals, on the other hand, have their arms tied because they cannot change the settings on medical equipment."
The WannaCry outbreak hit hard at numerous NHS hospitals last year. Zilbiger told El Reg that the outbreak "raised awareness" of the importance of cybersecurity in general as well as "starting a conversation" with manufacturers.
Zilbiger added that Israel's hospitals and other healthcare institutions faced "hundreds of attacks" every week, mostly scanning attacks and reconnaissance.
Hospitals are using insurance to offset the growing problems posed by data breaches and ransomware attacks, the conference heard. Fraudulent insurance claims based on stolen medical data are another problem, especially in the US. Investors at the show said areas such as analytics for healthcare were hotspots for startups in the sector. Other healthcare startups are developing security technologies that can work without leaving an agent on devices.
Professor Isaac Ben-Israel, director of the ICRC – Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, told delegates that hospitals didn't feature on the list of 28 businesses deemed essential to the critical infrastructure of Israel when the country formulated its first cybersecurity strategy back in the 1990s. That list was made up of utilities, transport providers and some banks.
Hospitals are now considered part of the critical national infrastructure in Israel and ought to be given the same status elsewhere, the retired senior IDF commander turned academic argued. ®