Cyberattacks increasing; resilience in NZ healthcare urged.
No organisation is free from cyberattacks and cybersecurity in healthcare sector is a global concern as attacks are on the rise and they can have devastating consequences, according to leading cybersecurity company Fortinet.
“A cyberattack could result in loss of life or serious injury,” says Michael Murphy, acting operational technology leader, APAC, Fortinet.
Recently the operator of four hospitals in Melbourne, Australia was adversely impacted in an incident made possible by compromising cybersecurity.
“Fortinet’s 2023 global ransomware report shows attacks are increasing, but that shouldn’t be the only reason you invest in cybersecurity. Awareness of your industry sector is important - but instead you should focus on your own assets and how to protect them.”
It’s common for organisations to feel that they may not be highly desirable targets. However, Murphy believes that this assumption may be misguided and can lead to a false sense of security – and that it is a misconception that only sophisticated and highly advanced attacks will cause critical disruption to the healthcare sector. In many cases, simple, commodity-based malware is just as disruptive.
“It might be a misguided individual or group, for instance, who just want to see what they can do within the cyber realm. Threat actors [a person or organisation that causes digital harm] targeting a healthcare industry IT network often don’t understand what equipment they’re touching, so they won’t realise they’re turning off a life support machine.”
Most hospitals and other large healthcare providers have supported the public for decades; sometimes the systems and equipment can be as old as the paintwork. When the Waikato DHB was attacked, it was running Windows XP released in 2001 that had been unsupported for five years on some systems.
“Major assets that support critical medical systems can be incredibly difficult to update,” says Murphy, “as they require operational downtime that can lead to serious implications such as long patient wait times. As a result, it’s common to find legacy assets that are brittle to change.
“Historically, technologies used to support and preserve life within hospitals were not designed to connect to the public internet - so cybersecurity was not built-in by design. However, many assets are now connected to the internet for a range of different reasons, including real-time data collection, cloud-based storage and a shift to just-in-time maintenance to predict parts failures before they happen.
“This is important for monitoring and managing critical infrastructure – however it does present challenges when you need to retrofit security in networks and hardware where it has never been present.”
First steps
It starts with the adoption of a cyber risk programme. The core principles of a cyber risk programme aren’t as daunting as many might imagine, Murphy says – and it begins with knowing exactly what assets your organisation owns or leases: “Keep track of the assets, monitor their use and map them against potential vulnerabilities that could be exploited.
“The next question is whether you can identify when one of these assets has been compromised. For example, if an asset within your network begins to function in an abnormal manner, can you determine if it is due to human misconfiguration, physical power surge, or cyberattack? You need the ability to discern whether it is a disruption from an attack or if the asset failed for other reasons.”
With those two components in place, the health companies or organisations can come up with a plan to proactively protect those assets. This includes response plans – which must be tested – and ongoing assessments and improvements. Together, this information forms a cybersecurity blueprint.
Positive side effects
For most businesses, a cyberattack results in a shutdown that costs money. For the healthcare sector, the costs could be much higher.
However, the benefits go beyond protecting patients. Accurately listing and tracking assets can boost efficiency and lead to savings – for example, an organisation might be leasing four MRI machines but discover two of them are only in use 40 per cent of the time, so maybe only three are needed.
Murphy says clients often find they can save money through improved asset management and adopting more efficient hardware and technology. Testing disaster recovery scenarios can also lead to improvements, including relying less often on high-emissions diesel generators.
There’s another potential benefit – anticipating what Murphy says is likely regulation of the healthcare sector. Australia has had legislation in place since 2018, setting out compulsory cybersecurity and reporting rules for hospitals and other critical infrastructure. For instance, if there’s a breach, it must be reported to the Australian Government within 12 hours.
New Zealand has voluntary recommendations, but no current legislation to enforce them. Murphy believes the healthcare sector should anticipate future regulation and set up “good cyber-hygiene” now before it becomes a matter of urgency – whether from new regulations or an attack.
Murphy politely puts it like this: “New Zealand is in a fortunate position. Many countries have already begun this journey and New Zealand can leverage their insights and apply them to its own path.
“People are open to sharing their experiences, so if we can all collaborate and learn from each other, we can protect human lives.”
To find out more go to global.fortinet.com