
Cyber threat landscape

by Mark Rowe

The European Union Agency for Cybersecurity (ENISA) has released its first cyber threat landscape for the health sector.

The 34-page report concludes that vulnerabilities affecting patient safety may be present in every type of medical device, something that healthcare bodies may be reluctant to admit publicly. Are cyber attacks causing people to die? The report draws no firm conclusion, but notes that hospitals may be reluctant to admit that patient care was jeopardised for cyber reasons, as this might entail liabilities and sanctions. ENISA also points out that its report is based on publicly disclosed incidents, and that healthcare, like other sectors, suffers from underreporting of incidents.

ENISA’s executive director Juhan Lepassaar, said: “A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way.

“The rise of the covid-19 pandemic showed us how we critically depend on health systems. What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

Ransomware emerged as one of the primary threats in the health sector (54pc of incidents), a trend the agency expects to continue. Only 27pc of surveyed organisations in the health sector have a dedicated ransomware defence programme. Driven by financial gain, cybercriminals seek to extort health bodies and patients alike, threatening to disclose personal or sensitive data. Patient data, including electronic health records, were the most targeted assets (30pc). Nearly half of all incidents (46pc) aimed to steal or leak health data.

The report noted that the covid pandemic saw multiple instances of data leakage from coronavirus-related systems and testing laboratories in various EU countries. Insiders and poor security practices, including misconfigurations, were identified as the primary causes of these leaks. Early 2023 also saw a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities.

You can download the document at https://www.enisa.europa.eu/publications/health-threat-landscape.

Comment

Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea, pointed to the report’s finding that IT and security professionals must be prepared to deal with ransomware attacks and deploy strong cybersecurity defences and strategies that reduce their impact and improve healthcare resiliency. He said: “If you are in the healthcare industry, you are typically at a higher risk from pathogen viruses such as COVID-19 or Influenza, but in the past few years digital viruses have become the new top threat. In healthcare, treating sick patients is essential, but unfortunately treating sick computers has also become a top priority due to ransomware attacks. Healthcare providers have become places to treat infected computers.

“Ransomware is such a catastrophic threat that it can inadvertently increase risk to loss of life if systems are down for a long period of time, which is why ransomware gangs target time sensitive systems that need a fast response to cyber-attacks. Professionals must become ransomware resilient, using a strong cyber awareness strategy, a ransomware ready backup and recovery plan, strong access controls with multi-factor authentication (MFA) and privileged access security.

“As with one’s health – treating the symptom can be a greater cost than preventing the illness.”


© 2024 Professional Security Magazine. All rights reserved.
