Healthcare cyber security has never been so important as medical institutions face increasing pressures on all fronts and a review of traditional approaches to threats is way overdue, explains Dr Thiago Viana, Senior Lecturer in Computing at University of Gloucestershire.
The challenges facing healthcare organisations following the heights of the COVID-19 pandemic are many, including continually-increasing workloads for staff, not only in the medical professions but also in allied support roles for the teams of specialists dealing with IT and clinical informatics. These challenges clearly show that traditional healthcare models are in crucial need of overhaul to pave the way for new digital health innovations. This vital step will not only support clinicians in their efforts to improve every stage of patient care, it will also improve the lives of many other staff who are desperately struggling with their own workplace demands.
Cyber security and the clinical informatics approach
As a result of the clinical informatics approach, the use of new and different technologies in healthcare is growing rapidly, leading to a transformation in medical solutions across the world. Health technology innovations have long been used to support the diagnosis, monitoring and treatment of various medical conditions, but another and relatively emerging purpose is to protect the sector from cyber threats and attacks.
For healthcare organisations in particular, a recurrent cyber security challenge is linked to network security. Healthcare organisations are commonly vulnerable to cyber-attacks due to their many legacy systems, as well as having a number of hard-to-manage or unruly medical devices. These systems and devices bring inherent weaknesses to network architecture due to their larger attack surface.
This is usually the fault of organisations using a traditional network design approach, focusing predominantly on perimeter security. This divides the network into different perimeters and ‘trust’ levels, in effect walls that are meant to prevent external attackers from entering the internal environment which is split into ‘trusted’ and ‘distrustful’ zones. There is a flaw with this approach. It tends to leave perimeter zones vulnerable to attacks from the inside of the organisation.
The vulnerabilities of a traditional approach
A 2020 report from Protenus revealed the number of breached patient records from attacks inside of the network was over 3.8 million, up 26% in 2019 from the previous year. In more recent findings, the Protenus breach barometer report highlighted that over 50 million patient records were breached in 2022.
In essence, the traditional network perimeter-based design usually presents a ‘tough on the outside,’ ‘soft on the inside’ pattern. There are several access control mechanisms involved. Intrusion protection elements and firewall rules prevent external intruders from invading the inner network.
However, the inside’s more relaxed rules allow already connected ‘trusted’ devices to access critical services and areas. As a result, the traditional perimeter model is vulnerable to several attack forms that can easily breach a network by infecting a ‘trusted’ device access data without ever having to deal with the hard perimeter shell.
One example of this is the infamous WannaCry ransomware attack, which had a devastating impact on the NHS. This ransomware was able to spread across NHS devices due to an outdated operating system on legacy devices in the internal area of the network perimeter. Once again, the use of a traditional network design created a hard on the outside, soft on the inside environment in which ransomware could flourish.
Fixing the challenges with ‘zero trust’
To fix these challenges, a new and growing approach to network security is needed in several different areas, including the healthcare setting, to ensure that the default position is always 'zero trust'.
This is the model of the future for network design, particularly in developing effective cyber security systems. Zero trust-based approaches remove the inherent belief in security from the network and treats all devices and areas as hostile by nature and prone to attack. The National Cyber Security Centre (NCSC) provides a list of 10 principles related to zero trust as follows:
- Know your architecture including users, devices, and services
- Create a single strong user identity
- Create a strong device identity
- Authenticate everywhere
- Know the health of your devices and services
- Focus your monitoring on devices and services
- Set policies according to value of the service or data
- Control access to your services and data
- Don’t trust the network, including the local network
- Choose services designed for zero trust.
Be part of something bigger, join the Chartered Institute for IT.
The above negates the soft on the inside dilemma and demands that all devices and network users are constantly verified and monitored. The zero trust concept covers not only the ‘trust’ relationships between devices, but also encompasses the all-important people element and the decisions they make. As an example of the effectiveness of zero trust in healthcare, the WannaCry ransomware attack could have been prevented by keeping outdated and vulnerable systems away from the wider network by using micro-segmentation, a common zero trust practice.
While it’s impossible to fully protect an organisation against every cyber threat, this example clearly demonstrates that zero trust practices can prevent attackers from exploiting such dangerous attack vectors in healthcare settings. With this in mind, zero trust frameworks for healthcare organisations need to be designed with additional care and attention.
Increased security without decreased usability
The diversity of medical devices in these environments can include machines such as MRI scanners which, due to their age, might be employing vulnerable operating systems. In addition, frameworks have to be designed in a way that doesn’t hinder a device’s function. For example, blocking legitimate communication between medical devices could result in the interruption of patient care or delay essential health treatments.
Further research and work in the area of zero trust and healthcare network security is needed to develop new and strong solutions in an ever-growing and challenging critical infrastructure environment.
The University of Gloucestershire’s role
The University of Gloucestershire’s latest research in this area is already proving beneficial, and a zero trust framework has been developed to support healthcare organisations transitioning from perimeter-based to more secure models.
Additionally, because of the urgency and importance of this subject, our MSc by Research in Health Technologies is developing graduates from specialist subjects, ranging from computing, cyber security and games technologies, through to engineering, nursing, psychology and healthcare, to focus their expertise and careers on building zero trust cyber security architecture.
There has never been a more important time to expand and share knowledge around new systems, the automation of clinical-related tasks, network management, artificial intelligence, data analytics and support for medical image processing. We are excited to be pushing the boundaries in all of these areas.