How to support nurses in cybercrime prevention

Phil Howe, CTO of Core to Cloud, and Richard Staynings, cybersecurity strategist at Cylera

The UK’s use of medical IoT is growing, with 75 per cent of all medical devices now connected to the internet. But despite their numerous benefits, these connected devices introduce inherent security vulnerabilities that are difficult to patch and secure. Because the healthcare sector stores large volumes of confidential data alongside a network of connected medical devices, healthcare organisations are a prime target for cyber criminals.
    
Medical devices used in hospitals include everything from infusion pumps that administer life-saving drugs to radiological cancer treatment systems used to treat tumours. The Interim CIO at NHSX has reported that 21 million items of malicious activity are blocked every month within the NHS. As the largest employer in the UK, the NHS is a target due to the sheer value of its medical data. At present, 30 per cent of the world’s data is generated through the healthcare sector, and this is due to increase to 36 per cent by 2025.
    
40 per cent of the 777 compromised email incidents managed last year by the National Cyber Security Centre were aimed at the public sector. The level of security these medical devices require should not be underestimated. In the past, even simple healthcare functions such as the scheduling of medications have been affected by ransomware. The issue of cybersecurity for medical devices is not limited to patient confidentiality; it can also affect the ability and availability of the NHS services that are critical to ensuring patient safety.
    
This calls for urgent investment in cybersecurity training for nurses so they can help protect these critical devices used within hospitals. Through regular training for medical teams, nurses will be able to spot the vital signs, detect when a cyberattack is occurring, and know how to mitigate any risks to patient safety.

Managing IoT medical devices to minimise threats
The need here is to address cybersecurity throughout the product lifecycle in a preventative and proactive way, and to adopt an approach to cybersecurity that puts high-quality IT at the centre of a healthcare organisation’s infrastructure.
    
This means a risk-based approach that begins with the identification of at-risk IT assets, followed by management of the trade-offs between risks and benefits, as well as between different types of risk. The training of healthcare personnel is emphasised, alongside implementation of strategies that deal with vulnerability and device patch management, the controlled and restrictive granting of administrative privileges, and the development of incident response and business continuity plans.
    
Configuration management and change management are what the Information Technology Infrastructure Library (ITIL) describes as a systematic approach to handling all medical device changes in a standardised way. Proper management of these changes not only avoids unnecessary service downtime but is critical during a cyberattack. An incident response plan can be a version of change management. Similarly, strict audit logs and monitoring of data records are critical for IT functions to quickly recognise attacks and prevent a breach before it even occurs.
    
To minimise cyber threats and vulnerabilities, healthcare establishments are also encouraged to install intelligent cybersecurity systems which integrate easily with, and add value to, existing healthcare infrastructure. With single dashboard views, such systems monitor and flag anomalies thanks to a streamlined approach to IoT cybersecurity. IoT and medical device cybersecurity and intelligence have never been more critical to delivering patient care because together they provide better visibility into inventory and cyber hygiene.
    
For healthcare organisations, this means better security of these medical devices and better management and use of these critical assets. The result is a significant increase in patient satisfaction, safety, operational resiliency, and revenue.  

How to support nurses in cybercrime prevention
Train nurses to understand the correct processes for connecting medical devices safely, and help prevent simple errors such as these devices connecting to the public Wi-Fi.
    
Understand the clinical benefits of the data held within the tools monitoring the IoT systems.
    
Know what to look for and understand when a device is deviating from normal functionality or requires reporting to IT Services for inspection.  
    
Clean up. IT hygiene should be maintained and implemented well across all IT and medical systems which are connected to the internet. IT hygiene requirements should be flexible.
    
Disable insecure protocols and services that are not needed. Organisations should have medical IoT security testing strategies to prevent data leakage and secure access controls.
    
Use encryption for automatic classification, access reviews, and real-time loss monitoring to gain a high level of data protection.
    
Train staff. Nurses, doctors, and caregivers should participate in training sessions and learn the best methods to handle security risks within the healthcare organisation where they work.
    
Establish safe coding guidelines and embrace dev-sec-ops and email security for all development programs.
    
Focus on managing threats, risks, incidents, and vulnerabilities instead of focusing only on regulatory compliance.
    
Implement an efficient partner risk management program to help keep data secure and protect against interconnected evolving digital health ecosystems.
    
Plan. Much like everyone has their role and place within a fire drill, so too should there be an action plan in the event of a cyberattack. Without an appropriate cybersecurity incident plan and software backup solution, some of the possible irreversible implications for healthcare organisations are: loss of patient data; impact to patient care and safety; and brand reputation put at risk.
    
To offer relevant and effective training, health facilities should frequently assess and identify gaps in knowledge among staff.
    
It is important for end users to realise the risks involved and how their actions within the healthcare setting could have an impact. For example, healthcare personnel should be aware that storing data on their mobile devices can pose privacy and data-integrity risks. Additionally, the use of connected devices or removable storage devices can increase the risk of malware execution.  
    
Nurses and other medical personnel should have a concrete understanding of the threats involved in the use of these medical devices: for example, what a ransomware attack is, what its effects are, and how the attack is initiated. Therefore, training programs should be implemented to explore how to handle unrecognised e-mails and avoid phishing tactics, while encouraging basic digital-hygiene practices, such as using strong passwords and not clicking on unknown links.
    
Nurses are on the front line with these devices and therefore play an essential role in cybercrime prevention. They are the eyes and ears of patient safety, constantly managing and monitoring vital medical and other healthcare IoT devices used to diagnose, monitor, manage, and treat patients. These systems are often connected directly to the patient on one side and to hospital networks on the other.
    
Also, medical devices often can’t be isolated as a stand-alone piece of equipment. If a malicious email or a website affects one device, the threat could directly affect the entire fleet of medical devices that are connected to the same server.
    
The issue here lies with the devices themselves. Many of these devices have very long lifespans of eight to 15 years, which means healthcare departments could have medical devices that are potentially 21 years of age, with outdated software, but are now being plugged into hospital networks and providing life-sustaining or diagnostic services to patients.
    
Medical devices are CE marked, which ensures they comply with EU legislation for health, safety, and environmental requirements.
    
This often means that: critical updates and patches are delayed, as they need to be thoroughly tested to make sure they do not interfere with the function of the device; vendors will not allow the typical security found on a PC to be used on the device; and a medical device can easily be twice the age of a PC, so it is often the weak link, with the least protection.
    
Crisis Simulation Training for healthcare organisations and nurses is recommended to show the impact of these attacks and how the decisions of those on the frontline can affect how much damage a cyber-attack causes.
    
Through regular training and diligence for healthcare personnel, alongside effective medical device monitoring and good coverage of IT security, healthcare organisations like the NHS can improve their ability to detect potential weak points and threats across the network and ensure better patient safety.