The outcomes of the second meeting on the National Cybersecurity Strategy – Digital Health and Cybersecurity Impacts are now online. The third meeting, Public-Private Information Sharing, takes place next Wednesday, July 20, at 4 p.m.

The second event in the series of webinars that Cyber 4.0, in collaboration with ACN, is devoting to delving into some of the important aspects of the National Cybersecurity Strategy was held on Wednesday, July 13.

The seminar focused on digital health and cybersecurity impacts. It gave an overview of the main critical cyber issues affecting health infrastructure and devices, highlighted the areas of greatest exposure, and facilitated a discussion of possible approaches to consolidating prevention and law enforcement activities.

In addition to the opening remarks by the National Cybersecurity Agency, experts from the research community and the private sector spoke, sharing their views on the current situation and priorities for action and offering important insights into organizational and technical solutions to be adopted/developed, both at the system and individual organization level. These were the main insights that emerged during the seminar:

  • The health care system has sharply accelerated its adoption of digital technologies, partly driven by the new patient care modalities that have become necessary in response to and/or because of the spread of the pandemic.
  • The sensitivity of health data calls for careful consideration of how the health sector's digital infrastructure is protected and managed, particularly because the sector is not currently included in the scope of the National Cybersecurity Perimeter, and therefore there is no mandatory scrutiny of adopted technologies by the CVCN and related laboratories.
  • Also because of the above, the National Cybersecurity Strategy is designed to have the healthcare sector as one of the main areas of implementation.
  • The pandemic clearly showed the criticality of health services and also the need to ensure the operation of essential services in potentially unknown emergency situations. Moreover, it has become evident how cybersecurity in health care has expanded from a problem of privacy and confidentiality of sensitive data to a substantive criticality of a strategically important sector, such as in the context of vaccine development.
  • The territorial distribution, the multiplicity of facilities, the heterogeneity of management models and the responsibilities borne by different local entities make the health sector a particularly complex system when considering introducing a shared logic and management standards for cybersecurity aspects.
  • Mission 6 of the NRP is dedicated to the digital transition of the health system, with data-intensive projects such as the electronic health record. All planned initiatives will necessarily include a focus on the protection and management aspects of such data, in accordance with compliance requirements.
  • Further development opportunities for a secure digital transition of the health sector will be provided by the relevant EU-funded programs, managed for the cybersecurity part by the European Cybersecurity Competence Center in Bucharest, and conveyed at the national level by the National Coordination Center to be launched under the auspices of the National Cybersecurity Agency.

Two years ago the CyberPeace Institute launched a global information-gathering initiative on more than 440 attacks brought against healthcare facilities in more than 40 countries, including Italy. Observations from these first two years of analysis highlight that:

    • The health care sector has become one of the most frequently attacked targets over time, mainly because of the high value of data and the low defenses available to date;
    • Ransomware against hospital facilities remains the largely prevalent mode of attack (over 86 percent of cases);
    • There has been a shift in the geography of attacks, initially more focused on the American continent and now much more numerous in Europe;
    • Law enforcement action was most effective in 2022, with the arrest of operators of notorious ransomware gangs, also made possible by one of the rare cases of international cooperation between the U.S. and Russia;
    • The geopolitical shock brought on by Russia’s invasion of Ukraine redirected the actions of many ransom operators toward targets other than the health sector, and therefore the first period of the war saw a reduction in the intensity of attacks on hospitals and clinics;
    • Many criminal actors have also refocused their actions from destructive ransomware attacks to cyber extortion on stolen data (examples in this direction: CoomingProject, Lapsus$, and Karakurt).

At the Italian level, a snapshot of the current state highlights numerous risk factors in the healthcare sector that refer to both technological and process aspects:

    • Use of weak authentication, insecure passwords, and absence of multi-factor systems, along with improper management of administrative privileges
    • Exposure of services that are not needed, or that can be exploited for DDoS attacks
    • Weak policies for remote access, and governance of software updates that still needs to be structured
    • Not only is patient data exposed, but often employee data is also not managed properly and can represent additional vulnerabilities for access to critical infrastructure and instrumentation
    • The need to ensure the confidentiality of medical data
    • The protection of remote connectivity, for telemedicine and mobile device use

The solutions that currently represent good protection practices, and that health care facilities are still studying to an uneven degree, concern:

    • Digital identity management from a Zero Trust perspective and with multi-factor authentication and administration privilege management
    • Advanced data protection systems through DLP and data encryption tools
    • Offline backup systems
    • Secure management of medical devices through end-point protection systems (where possible), network segmentation, asset inventory, IPS, IDS
    • Advanced incident detection and management systems with dedicated SOCs and IRTs
    • The integration of IT security with the protection of medical devices, hospital networks of operational technologies and IoT sensors
    • The need to move beyond legacy systems and accelerate cloud adoption, including to meet the demand for access to eHealth services

The challenges in the industry for cybersecurity providers include:

    • Maintaining regulatory compliance

  • A further area of focus is the vulnerabilities, both physical and cyber, of next-generation medical devices, which increase the digital surface area to be protected. Wearable devices, but also minimally invasive implants, prosthetics, and sensors, now constitute a Body Area Network of connected objects that enable monitoring and other actions to be performed remotely, but as such are exposed to potential attacks, both cyber and physical. Unlike industrial IoT devices, medical devices can have a direct impact on a patient’s life and handle extremely sensitive data.
  • Side-channel attacks do not exploit software vulnerabilities, but intercept the communication channel with the device (on which the data is often unencrypted) and have proven effective in carrying out data theft and identity theft and in inducing technological failures (e.g., pacemaker, insulin pump, etc.).
  • Cyber 4.0 and Tor Vergata University have partnered to establish an observatory on cyber and physical vulnerabilities in medical devices, with the dual goals of creating a repository of vulnerabilities and attacks demonstrated in the literature and defining a structured information-sharing mechanism among industry players (hospitals, testing laboratories, medical device manufacturers, ASLs and other industry organizations), borrowed from the MISP model.


Webinar presentations are available:

Andrea Margheri, ACN Cybersecurity Specialist, Opportunities for cybersecurity enhancement of the healthcare sector

Lorenzo Bracciale, Co-doctoral course Digital Health Univ. Tor Vergata, Cyber threat information sharing scenarios for digital health

Francesco Lestini, Laboratory of Pervasive Electromagnetism Univ. Tor Vergata, Cyber and Physical Vulnerabilities of Medical Devices – Observatory

Elio Di Sandro, Offering Director Cybertech Group, Digital Health in Security

Nicola Polito, HMS IT Fincantieri Group

Francesca Bosco, Senior Advisor CyberPeace Institute, Tracking Cyberattacks against the Healthcare Sector

 

A recording of the event is also available by clicking here