THIS ARTICLE/PRESS RELEASE IS PAID FOR AND PRESENTED BY the Norwegian centre for E-health research - read more

An increasing amount of data about our health is being collected digitally. Researchers now recommend tightening security systems.

How secure are your health data?

The extent of cyberattacks on health institutions is increasing worldwide, including in Norway. How do we prepare for this when the collection of digital health data increases?

The widespread adoption of technologies such as electronic health records (EHRs) and new sources of health information, such as wearables and health apps, has led to the collection of large amounts of health-related data. At the same time, it has also led to major challenges regarding security and privacy of health data.

Data breaches will continue to increase in the future, not decrease. This is just something we all must come to terms with and tighten up our security systems. Today's modern healthcare is increasingly being digitized, and ICT is a more important part of its core business. This provides a basis for increased quality in patient care. At the same time, we are becoming more vulnerable to digital attacks, and the potential negative consequences of security breaches are getting bigger.

According to Kassaye Yitbarek Yigzaw, the health service should have a risk-based cyber security strategy.

Four researchers at the Norwegian Centre for E-Health Research have in collaboration with other colleagues written a chapter in the recently published book 'Roadmap to successful Digital Health Ecosystem'. The book is intended to serve as a roadmap to a successful digital ecosystem in the health care system.

The book chapter reviews the common health data security and privacy challenges including an overview of the concerns and types of cybersecurity threats that healthcare institutions face. The chapter also highlights the latest scientific work related to cybersecurity solutions for protecting health data used for patient care and secondary purposes.

"The main message from the book chapter is that cybersecurity incidents can happen to health institutions of all types and sizes and its impact includes social and economic loss as well as a decrease in quality of patient care that can be life threatening," says senior researcher Kassaye Yitbarek Yigzaw at the Norwegian Centre for E-health Research.

Growing problem

Studies show that the extent of cyber-attacks on health institutions worldwide has increased in recent years, also in Norway. The health services can be interesting targets for both computer crime, industrial espionage and state intelligence, with the intention of stealing, altering, obstructing or influencing data or functions. Examples of such data are systematised, sensitive health data found in registers and medical records.

Stolen health information can be used as a means of pressure to achieve a goal or be valuable for research and development. Such data breaches will have consequences for hospital operations, even if the hospitals have contingency routines and carry out emergency preparedness exercises where the loss of ICT is one of the scenarios.

In January 2018, The South-Eastern Norway Regional Health Authority (Helse Sør-Øst) were exposed to cyber-attacks that could have been used to steal or compromise patient information. In August 2020 Innlandet Hospital Trust (Sykehuset Innlandet) were subjected to a data breach. There are also many examples from abroad:

  • The "WannaCry attack" in 2017, where the health sector in the UK was among those worst affected. Computer systems at about 40 UK hospitals and private clinics were infected with a ransomware virus.
  • 400 hospitals and health care institutions in the United States with 90,000 employees were hit in 2020 by a cyber-attack which resulted in having to switch off all ICT equipment for a period.
  • In 2020, the Düsseldorf University Hospital in Germany was hit by a ransomware attack. It took over a month before the hospital was back in normal function. A woman died as a result of the attack.

We are vulnerable

Johan Gustav Bellika

It is important to think about the robustness of the health service. Norway now has many health institutions with the same IT provider. If such a provider is attacked, many institutions will be without IT support.

Some health institutions will have problems providing health services after only two hours without IT support. Imagine the effect if many institutions are affected at the same time. Then we will have the same situation as experienced in Ireland in 2021 where 80 per cent of all hospitals in the country lost their IT support.

"To me it is scary to think about how vulnerable our health service is as a result of the large collection of health institutions that have migrated to using cloud-based health IT systems, and which is now vulnerable to the ongoing cyber war," says professor Johan Gustav Bellika at the Norwegian Centre for E-health Research.

Risk management strategy

It is a national goal that the access to health data should be available for quality improvement, health monitoring, and control management and research. However, preserving privacy of patient information is required for maintaining trust between patients and healthcare professionals.

Health institutions, as part of a digital health ecosystem, should therefore implement risk management strategies to properly manage their risk. Risk management is an ongoing process of identifying, assessing, and responding to risk.

"Risk-based cybersecurity strategy is a systematic approach to prioritise the cyber risks that matter to an organisation and use cybersecurity solutions that are cost effective," Yigzaw says.

Risk is a measure that combines the probability and impact of an undesired event. In risk analysis, risk is estimated by computing the product of the probability that the event will occur and the consequence of the event: risk (x) = probability (x) • consequence (x).

A 5-step cybersecurity roadmap

The chapter in the book reviews the most common security and privacy challenges that apply to health data in order to provide an overview of the concerns and types of security threats facing the health care system.

The researchers also write about how to follow laws and guidelines for the protection of health data. Both in terms of access to patient data for patient care and data used for secondary purposes such as research and quality improvement.

Threats to online security against healthcare institutions and patient safety are real. Therefore, cybersecurity must be a priority, and the health service must make the investments needed to protect patients and their health data. The chapter describes a step-by-step roadmap for network security. This is an important tool for healthcare institutions that seek to manage cyber risk.

Researchers' advice to the health services:

1. Create a cybersecurity roadmap to understand institution's current security posture and indicate which security results that must be achieved.

2. Conducting a risk assessment to determine the probability of a security breach and what impact the incident may have on the institution.

3. Create a target profile that describes the institution's desired cybersecurity outcome. In addition to user awareness and training, institutions can be equipped with recent advances in access control, cryptography, de-identification, and privacy-preserving distributed data mining, to develop a profile appropriate for their risk appetite.

4. Healthcare institutions must analyse the gaps between the current status and target cybersecurity profiles, which helps create a prioritised cybersecurity action plan to address gaps based on its business and legal requirements, risk tolerances, and available resources.

5. Implementation of action plan. Proper monitoring is important to detect anomalous behaviour or activities that are potential attempts of a security breach. Once an attack is detected, it is critical to implement appropriate actions regarding the cybersecurity incident and recover to normal operations in a timely manner to reduce the impact of a cybersecurity incident.

Reference:

Chapter 14 - Health data security and privacy: Challenges and solutions for the future. Yigzaw et al. https://doi.org/10.1016/B978-0-12-823413-6.00014-8

Powered by Labrador CMS