4 tips for NIS 2-compliant cyber security in the healthcare sector

March 17, 2024

The revision of the EU Directive on enhancing cyber security for critical infrastructures (NIS 2) has put the issue of IT security in many healthcare facilities even more centre stage. This is because they are considered particularly worthy of protection. Ingo Schulenberg, Head of Sales – Special Operations OT & IT Security at Axians IT-Security, has four tips on how companies in the healthcare sector can equip themselves against cyber attacks in compliance with NIS 2.

Confidentiality, integrity and availability of data are of central importance in the healthcare sector, because entire healthcare processes and diagnoses, including treatment plans, are documented here. As every security breach carries the risk of medication plans being manipulated or information falling into the hands of third parties, cyber security is essential. This sensitive data is an extremely attractive target for criminals, as the recent attack on a hospital in Soest showed. The challenge facing the industry: advancing digitalisation means that medical devices are increasingly networked and data is increasingly stored and transmitted electronically, which enlarges the attack surface available to cyber criminals. Legislators are addressing this development with NIS 2 by raising the cybersecurity requirements for companies. Ingo Schulenberg, Head of Sales – Special Operations OT & IT Security at Axians IT-Security, gives four tips on how healthcare organisations affected by the directive should proceed.

Tip 1: Cyber security assessment as a secure basis for a security strategy

The equipment in hospitals has often grown over time and is increasingly interconnected. To increase IT security efficiently, an assessment of existing security measures is the ideal starting point. Experts check the security of the installed environment, identify vulnerabilities in existing devices and define the security requirements for new ones. It is also crucial to determine which areas of the organisation need to communicate with each other. In healthcare facilities in particular, there are often important machines and devices that should not all be connected to the same network. In a cyber security assessment, organisations work out which assets are particularly critical and worth protecting, so that they can be prioritised in the security strategy and secured appropriately. During the assessment, experienced ICT service providers such as Axians can help to correctly gauge the security level of the IT infrastructure and then derive a holistic security strategy from it.

Tip 2: Raise employee awareness through regular cyber security training

The biggest security risk in the healthcare sector, as in other industries, is the human element: people remain a favourite target for attackers. Well-crafted phishing attacks allow cyber criminals to trick employees into handing over login details or downloading malware from the internet. Misguided helpfulness – for example, when employees plug a found USB stick into their work PC in order to identify its owner – also frequently leads to major damage. Charging personal mobile phones on medical devices with a USB port likewise exposes healthcare facilities to risk from compromised devices. Companies should counter this by training all employees so that they develop a better sense of security risks. This matters because employees in healthcare facilities often work under time pressure and with a high workload. Regular security and awareness training is therefore essential so that staff do not fall victim to targeted phishing attacks in a stressful daily routine.

Tip 3: Implement cyber security best practices

In order to establish effective cyber security, organisations should start by implementing the technical basics. In the healthcare sector, this includes network segmentation with internal firewalls, which makes it possible to separate medical devices from the main network. This matters because machines and devices often run older operating systems whose vulnerabilities cannot be patched without the device losing its licence or certification. If recertification is not an option, these devices can be isolated in secure network segments, and communication with them can be restricted and monitored via an IPS. The basic protection can then be expanded step by step, in a modular fashion and in line with the budget. In view of the increasingly complex threat landscape, preventive measures need to be tightened up continuously.
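As an added illustration that is not part of the original article, the following nftables ruleset sketches the segmentation just described: an unpatchable imaging modality sits on its own medical-device VLAN, may reach only the PACS server over DICOM, and every other flow from or to that segment is logged for the SOC and dropped. The interface names, address ranges, the PACS address and the DICOM port assignment are assumptions for the example, not details from the article.

```nft
# Constructed example: isolate unpatchable medical devices in their own segment.
# Assumed layout (not from the article):
#   vlan_med  10.20.0.0/24  legacy medical devices (cannot be patched)
#   vlan_srv  10.10.0.0/24  clinical servers; PACS at 10.10.0.5
#   vlan_usr  10.30.0.0/24  staff workstations
table inet medseg {
    set pacs_servers {
        type ipv4_addr
        elements = { 10.10.0.5 }
    }

    chain forward {
        # Default deny between segments; only listed flows pass.
        type filter hook forward priority filter; policy drop;

        # Replies belonging to sessions that were already permitted
        ct state established,related accept
        ct state invalid drop

        # Modality -> PACS: DICOM (TCP 104) only, logged so the SOC
        # can baseline normal traffic from the device segment
        iifname "vlan_med" oifname "vlan_srv" ip saddr 10.20.0.0/24 \
            ip daddr @pacs_servers tcp dport 104 \
            log prefix "medseg-dicom " accept

        # Legacy devices never initiate anything else (internet, staff
        # network, other servers); log the attempt, then drop it
        iifname "vlan_med" log prefix "medseg-drop-out " drop

        # Staff workstations may not initiate connections to the devices;
        # management access belongs on a separate, monitored path
        iifname "vlan_usr" oifname "vlan_med" log prefix "medseg-drop-in " drop
    }
}
```

Load it with `nft -f <file>` on the segment firewall; the `medseg-*` log prefixes give the IPS or SIEM a simple key for alerting on any traffic from the device segment that is not the expected DICOM flow.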

Tip 4: Expand the basics with SOC and ISMS

Threats must be identified around the clock and in real time so that an organisation can react immediately in an emergency. For this reason, it is advisable for healthcare institutions such as hospitals to set up a Security Operations Centre (SOC). The SOC is where all the threads of cyber security come together: specialists monitor the hospital's IT security infrastructure around the clock using current technology, identify attacks promptly and initiate defensive measures. The experience gained in the process allows the defence strategy to be adapted continuously. Healthcare organisations do not have to operate a SOC themselves; a managed service provider can run it for them.
In addition to the security basics, it is advisable to establish an Information Security Management System (ISMS). This is not a physical system but a set of procedures defined by policies that permanently defines, controls, monitors, maintains and continuously improves information security in a company. An ISMS is tailored to and implemented for each organisation individually.

Increasing security step by step

Successfully protecting companies and institutions in the healthcare sector against cyber attacks requires more than investing in hardware and software. The aim should be a comprehensive cyber security strategy that can be implemented step by step. For example, organisations can start by conducting security audits and then build on them to introduce technical measures such as internal and external firewalls, intrusion prevention, network segmentation, an ISMS and a SOC. At the same time, awareness training that sensitises employees pays off. As long as organisations follow these best practices, they will continuously increase the security of their systems and therefore of patient data. Collaboration with external partners and the use of managed services can help to avoid placing an additional burden on the IT departments of healthcare facilities.
