As healthcare companies face a complex web of EU and US regulations, understanding and adhering to these standards is crucial for maintaining trust and operational continuity. Regulations such as the EU’s Medical Device Regulation (MDR), the Network and Information Security (NIS) Directive, and upcoming legislation like the Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA) demand meticulous compliance and robust cybersecurity measures.
Specifically, MDR requires stringent oversight of software used within medical devices, demanding thorough documentation and regular updates to ensure safety and performance. Meterian simplifies these tasks by automating the detection of vulnerabilities and outdated components in software, facilitating compliance through comprehensive Software Bills of Materials (SBOMs). These SBOMs provide a detailed inventory of all software components, crucial for MDR compliance, and help healthcare organisations maintain the integrity and security of their medical devices. By streamlining these processes, Meterian not only aids in meeting regulatory requirements but also enhances operational efficiency and reduces the risk of non-compliance penalties.
Meterian stands as a pivotal ally for healthcare companies navigating these regulatory landscapes. By offering tools that facilitate compliance with these stringent regulations, Meterian ensures that healthcare providers can focus more on patient care and less on the nuances of cybersecurity compliance.
The conversation around SBOMs and compliance is growing, and Meterian is leading these discussions with healthcare companies, showcasing how automation and detailed compliance reporting can ease the burden on healthcare providers. Whether it’s a startup or a seasoned enterprise, Meterian’s scalable solutions fit diverse budgets and operational scales, making comprehensive cybersecurity accessible to all healthcare entities.
By partnering with Meterian, healthcare companies not only ensure compliance with current regulations but also prepare for future legislative changes. Meterian’s proactive approach helps companies anticipate and adapt to the regulatory landscape, ensuring that they are always one step ahead in their cybersecurity measures.
Are you ready to elevate your healthcare organisation’s compliance and cybersecurity strategy?
Partner with Meterian today to ensure that your technology infrastructure meets the stringent demands of regulations like the NIS Directive and MDR. Don’t wait until a cybersecurity incident occurs – take proactive steps to safeguard your patient data and systems.
Visit our website or contact us to learn how Meterian can help your healthcare organisation stay secure, compliant, and resilient in an ever-evolving digital landscape.
Alas, with the growth of innovation in this sector, there also comes the risk of cyber attacks. The healthcare sector in particular seems to be a major target for cyber criminals. Why is this? What is the financial impact? And most importantly what can be done?
Why do cyber criminals target the healthcare sector?
There are many reasons why the healthcare sector is a target:
One of the main reasons has to do with the financial worth of the masses of patient information hospitals store. With the introduction of GDPR (May 2018) it has never been so crucial for hospitals and businesses to keep patient data secure.
Medical devices tend to be easy entry points for cyber attackers. Because these devices are designed purely for medical use, cyber security is not part of the product’s design. Although these devices will not store patient data, hackers can use them as a foothold to attack the server which holds important information. For example, a vulnerability was discovered in Johnson & Johnson insulin pumps. This vulnerability could have allowed attackers to take control of the device via Wi-Fi and trigger an insulin overdose in the patient.
Medical staff are accessing data remotely on different devices and networks, which provides another entry point for attackers. The problem is that if one device is hacked, this might leave the rest of the organisation vulnerable.
Despite the healthcare sector progressively innovating its practices, staff are still reluctant to disrupt working practices by introducing new technology. This creates weaknesses in the healthcare organisation’s IT systems, because outdated software is left in place and offers entry points for cyber criminals.
Tight budgets, a lack of resources and time constraints make it hard for healthcare staff to be fully educated in cybersecurity practices.
The vast number of devices used in a hospital makes it hard for IT specialists to protect the entire hardware network against attacks.
A very serious reason why the healthcare sector is targeted also has to do with international espionage. For example:
John Riggi, a former FBI cyber specialist, says hospitals are “being targeted by hostile nation-states for theft of intellectual property related to medical research, innovations, cancer studies, population health studies, research of medicine and clinical trials, and also potentially for conversion for military use such as biological weapons”.
Nation-state actors might target hospitals to acquire the medical details of business leaders, politicians or military figures. One example is the 2018 breach of the Singaporean government health database: Prime Minister Lee Hsien Loong was amongst the 1.5 million people whose personal data was stolen.
Another concern is that if hackers target hospitals near military installations, they could obtain sensitive records of military personnel and, worse, insight into where troops might be deployed.
Popular cyber attacks within the healthcare sector
The most common attacks on the healthcare sector have been shown to be:
Ransomware attacks
Ransomware is a type of malware that infects systems and files, making them inaccessible until someone pays a ransom. For the healthcare system, this slows down processes and often forces hospitals to turn to pen and paper. A recent example of this was seen last November with the ransomware attack on hospitals in Rouen, France. More worryingly, the 2017 Healthcare Cybersecurity Report suggested that ransomware attacks on the healthcare sector will quadruple by 2020 and that ransom-takers are using more sophisticated tactics to hack into systems, as 350 different variants of ransomware were observed in 2018 compared to 241 in previous years.
Often these attacks reach machines through phishing emails with malicious attachments, a user clicking on a malicious link, or viewing an advertisement containing malware. But an entry point that is often disregarded is ransomware delivered via an outdated component or piece of software. For example, Hollywood Presbyterian Hospital in California suffered a ransomware attack due to outdated JBoss application server software. The attacker uploaded malware to the out-of-date server without any interaction with a victim. This resulted in delayed patient care, and the hospital had to pay $17,000 to recover access to its files and network. Notably, the attackers had used an open source tool, JexBoss, to search the internet for vulnerable JBoss servers and networks which had been infected. Organisations that handle healthcare data have to make sure to keep their systems updated, as the majority of healthcare ransomware attacks are malware related.
What is a JBoss server? It is an open source application server used for developing and deploying enterprise Java applications, services and web portals. JBoss released its last version (7.1.1) in 2012, after which the project changed its name to WildFly for the next release. So if you are running an application server with the name JBoss, it is out of date and has been for a very long time.
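The practical defence against the JBoss scenario above is an inventory check: read the organisation's SBOM and flag any component that is at or below its product's final release. The following Python script is an added example, not code from the original post or from Meterian's product. The SBOM fragment is constructed in the CycloneDX JSON layout, and the end-of-life catalogue is a hypothetical local lookup table seeded only with the fact stated above (JBoss AS ended at version 7.1.1 in 2012, continuing as WildFly); a real deployment would feed it from a maintained end-of-life data source.

```python
"""Flag end-of-life components in a CycloneDX-style SBOM (added example)."""
import re

# Constructed SBOM fragment in the CycloneDX JSON layout; not a real inventory.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "application", "name": "jboss-as", "version": "7.1.1.Final"},
        {"type": "application", "name": "wildfly", "version": "26.1.3.Final"},
        {"type": "library", "name": "commons-io", "version": "2.11.0"},
        {"type": "library", "name": "jboss-as", "version": "6.1.0.Final"},
    ],
}

# Hypothetical end-of-life catalogue: component name -> (last release, note).
# Any version at or below the last release is treated as unsupported.
EOL_CATALOGUE = {
    "jboss-as": ("7.1.1", "JBoss AS ended at 7.1.1 (2012); the successor is WildFly"),
}


def parse_version(version):
    """Turn '7.1.1.Final' into (7, 1, 1); trailing non-numeric qualifiers are dropped."""
    parts = []
    for token in re.split(r"[.\-]", version):
        if token.isdigit():
            parts.append(int(token))
        else:
            break
    return tuple(parts)


def is_at_or_below(version, ceiling):
    """True when `version` is no newer than `ceiling` (numeric tuple comparison)."""
    return parse_version(version) <= parse_version(ceiling)


def find_end_of_life(sbom, catalogue=EOL_CATALOGUE):
    """Return findings for components whose name is in the catalogue and whose
    version is at or below that product's final release. A missing version is
    reported too, because an unknown version cannot be proven supported."""
    findings = []
    for comp in sbom.get("components", []):
        name = comp.get("name", "").lower()
        version = comp.get("version", "")
        if name not in catalogue:
            continue
        last_release, note = catalogue[name]
        if not version or is_at_or_below(version, last_release):
            findings.append({"name": name, "version": version or "unknown", "reason": note})
    return findings


if __name__ == "__main__":
    for finding in find_end_of_life(SAMPLE_SBOM):
        print(f"UNSUPPORTED: {finding['name']} {finding['version']} - {finding['reason']}")
```

Run against the constructed SBOM, the check reports both `jboss-as` entries and leaves `wildfly` and `commons-io` alone. The version parser deliberately stops at the first non-numeric token, so qualifiers such as `.Final` or `-SNAPSHOT` do not disturb the comparison.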
Data breaches
Data breaches can occur for many different reasons, from credential-stealing malware to insider threats to lost devices. Data breaches are so common within the healthcare sector because Personal Health Information (PHI) is more valuable on the black market than financial information or Personally Identifiable Information (PII).
This shows the financial value of patient data. However, PHI is also valuable for targeting victims with fraud scams that take advantage of their medical conditions. Cyber criminals have also been known to use stolen patient data to obtain prescriptions for their own use or resale.
With the enforcement of GDPR since May 2018, securing patient and medical records has never been so important.
Insider threats have been shown to stem from a lack of cybersecurity training amongst staff, or from employees maliciously giving away access codes or purposefully selling PHI or PII for profit. For example, Anthem, a medical insurance company, learned in 2017 that an employee had been misusing and stealing Medicaid member data (up to 18,000 PHI records) as early as July 2016. This demonstrates the care healthcare organisations must take in staffing to ensure people are not misusing PHI.
Business email compromise
Business email compromise is when attackers use spoofed emails to compromise an account, tricking an employee into transferring money to a fraudulent account. Normally, the fraudsters pretend to be a person of authority within the company so that the request appears legitimate. This has been successful because fraudsters tend to do a lot of research on their targets and will convincingly impersonate the individual whilst sending the email to only a select few people.
Although many security executives think their programs provide sufficient protection, those programs might not be securing the actual patient or member data. There needs to be a clear distinction between a compliance-driven strategy, in which programs do not stand up to the test of real attackers, and a security-driven strategy, in which programs are designed to deal with attackers and the threats they create. This means refocusing on the actual risks to the healthcare infrastructure:
Where is the patient data?
Where does it live?
How is it stored?
How is it protected?
Are these protections sufficient?
Therefore, when new technologies are put in place, there can also be a focus on ensuring that:
The technologies are fully supported
The technologies are deployed across the organisation’s entire enterprise
The technologies have no capacity limitations
The technologies are never left unmonitored
Both patient care and business continuity are important to healthcare organisations. As hospitals and caregivers rely on technology to deliver greater gains for more timely care and more efficient business processes, they must ensure their systems are secure and stable for everyday operations. This requires a cyber resilient approach that addresses people and processes, as well as the technology used. Read Meterian’s blog post on how your organisation can become more cyber resilient.