„Today, the question is no longer whether an organization will be attacked by a hacker, but when the attack will occur. First and foremost, it is essential to be aware of this fact and to prepare a contingency plan to maintain operations even if, for example, a ransomware virus paralyses the system or any other cyber attack occurs,” explained Dr. Tamás Palicz, cybersecurity expert and Deputy Director of Strategy at the Health Services Management Training Centre (EMK).
Health information has always been sensitive data, and its vulnerability has increased with digitalization. Virtual space also expanded, with teleworking, telemedicine and telehealth bringing masses of data into cyberspace, while systems are not really equipped to protect it, and that can be abused. „At best, someone is simply testing the vulnerability of the systems or “just” wants to change their grade in Neptune. At the other extreme, entire hospital operations are paralyzed by a ransomware attack,” Dr. Tamás Palicz explained.
Systems became much more vulnerable
„The almost total digitalization of data has made systems much more vulnerable, as digital data and information is very easy to obtain and even use for industrial espionage. Protection is no longer simply a matter of cybersecurity, but of patient safety, as decisions about patients are based on these data. It is therefore safe to say that, just as handwashing was the in the focus of healthcare in times of Ignác Semmelweis, today’s healthcare must focus on data security,” the cybersecurity expert stressed.
From an information security point of view, the MedSol integrated medical IT system used at the university requires special protection due to the large amount of sensitive data stored there, pointed out László Csaba, Information Security Manager at Semmelweis University’s Directorate of Informatics, who has been responsible for this function since the post was created on 1 January, 2019.
Professionally, it is crucial to recognize the close link between data protection and information security. The GDPR regulation, which is in force since 2018, is about the protection of personal data, and information security is basically about the management system related to IT systems, which the university needs and cannot depend on one person, the information security officer pointed out.
„The EMK accumulated a lot of knowledge in the field of information security, so in the event of a data leak or other cyber security incident, we have regular consultations and the information security officer often gives presentations to different departments of the university to raise awareness of the risks. These can arise from seemingly insignificant activities, such as someone forwarding patient data or official correspondence from a private email address, which is not allowed in principle,” added Dr. Tamás Palicz.
Raising awareness of the risks
The goal is to prevent any incident, of course. In order to achieve that, the first step is to raise awareness of the risks, and just as important is the commitment of managers, without which information security can only be implemented in a fragile manner, said László Csató. Also, in case an undesirable event does occur, it is essential to analyze the process.
„Due to the nature of network operation, not only does this result in a computer getting infected and slowing down, but the interconnectivity can corrupt patient data, and the patient may be wheeled into the operating theatre without any data or incorrect information being displayed on the monitor. Entire hospital systems can be down for weeks due to the introduction of a ransomware virus,” the cybersecurity expert added, stressing that it is crucial to make system users – doctors, nurses, administrative staff – aware that it is not a question of whether a system will be attacked, but when it will happen, and that the organization must be prepared with a contingency plan to keep things running.
Anyone can be attacked at any time
There has already been an incident at one of the clinics where the intruding robots found a port accidentally left open during the development of a data storage system, recalled László Csaba.
„A significant proportion of attacks are random, robot-driven, which is why it is not a well-founded belief that in case a system is small and of minor importance, which does not store sensitive data, it is not vulnerable to such an event. Anyone can be at risk at any time,” stressed the information security officer.
Of course, behind the vulnerability-seeking robots, there is a human background as well, who pick up the robots’ signals and launch a targeted attack, explained László Csaba. „The attack can even come via phone or SMS; there are many ways to obtain information illegally, and all of those need to be addressed,” he highlighted. László Csaba’s position is the same as that of the National Cyber Security Center, i.e. there is no point in giving in to ransomware, as a very small percentage of those who pay get their data back.
The only real defence is to continuously back up data at the system level. Critical data circuits, backup and storage systems from which data can be restored must be defined and continuous testing is essential. Without this, it is possible that it turns out only in a real situation that there is a problem with the backup or that the data has already been infected with a virus. These systems need to be certified; the institution’s overall security rating is the result of their individual evaluation,” explained the university’s information security officer.
Medical devices – monitors, sensors, pumps and such – basically operate in a network, which represents a huge risk, therefore an expansion of the devices and network can only be done under the supervision and guidance of the Directorate of Informatics’ staff, which also ensures the completion of information security tasks. Recently, scientific research institutions, including universities, have become a prime target for obtaining early research results, so more attention should be given to protecting their security in the future.
According to the information security officer, the university’s security level has been classified and the necessary data have been sent to the National Cyber Security Center. This year, the deficiencies were assessed and reported to the authority. After the security classification, relevant measures will be taken; the first step for this was to make information security a professionally autonomous area within the Directorate of Informatics, in line with related good practices. The next stage is to draw up an action plan with deadlines and responsibilities, and then, once implemented, we can say that the university’s data is secure,” says the information security officer, who added that this is also a matter of management’s commitment, as well as human and financial resources.
New publication helps to get informed
Experts are keen to stress the importance of raising awareness on information and cyber security, in which the EMK, in cooperation with the Directorate of Informatics, is playing a major role. Its team of experts is working on international and Hungarian projects to develop security aspects of health data and systems. They also organized a cybersecurity course for IT professionals in the health and energy sectors with the participation of the EMK, in the framework of the ECHO project. In addition to that, in spring, a Healthcare Cyber Security Review was launched in cooperation with the National Cyber Security Center. The bi-weekly newsletter, available by subscription, will inform lay users of healthcare systems about the latest incidents and developments, and in autumn, a campaign on the subject is planned in connection with the October Cyber Security Month,” said Dr. Tamás Palicz.
There is no 100% protection against incidents, but being aware of the risks, a proper and tested emergency scenario, and a quick notification of abnormalities to the person in charge of the area, the information security officer, all support the minimization of damage and the quick elimination of errors. In case of a problem, the goal is not to punish or find those responsible, but to explore, analyze, then quickly restore and maintain functionality, therefore no one should try to “fix” the consequences of a detected attack or damage caused by a virus, but notify professionals immediately,” the university’s experts emphasized.
Anita Szepesi
Translation: Viktória Kiss
Photo: Bálint Barta – Semmelweis University, envato.com
