“A few years ago a supermarket chain was attacked by hackers through remote air conditioning management systems. Even a casino was attacked through the system that controlled the feeding of fish in the aquarium: if hackers manage to exploit these unpredictable entrance doors, it is obvious that health – with its thousands of digital accesses – is also a target, reachable and easily vulnerable for hacking purposes.” So said Claudio Telmon, member of the Steering Committee of the Italian Information Security Society (Clusit), during the session dedicated to cybersecurity in healthcare, within the XXII conference of the Italian Association of Clinical Engineers (Aiic), ongoing in Riccione until tomorrow.
The cybersecurity frontier is one of the great challenges of digitalized healthcare and is at the center of the debate of the Aiic event. In recent months – a note recalls – attacks by cyber criminals on health data management centers have become more frequent. Lazio and Veneto have recently paid the price, with blocked health data, ransom requests and task forces organized to guarantee services and normal administrative procedures.
Why are these phenomena more and more frequent in healthcare? “The increasingly widespread technologies in this area are the explanation for these attacks: medical devices are vulnerable because the IT part of a medical device is often not treated and protected with the same attention as other IT systems. Wearable and implantable devices are very accessible in how they transmit data. For example, insulin pumps are reachable through the upgrade supply chain, just as the Bluetooth of a pacemaker is also extremely vulnerable. The telemonitoring and telemedicine structures and all those systems based on connectivity that pass through cloud solutions are also to be considered. These are easily accessible elements for those with criminal intentions.”
Luca Giobelli, of Zero Veneto Company, reported on the experience of developing the response to an attack on a Ulss hit by hackers: a central task force was set up immediately to identify roles and the maturity level of cyber security, deficiencies and possible security services to implement. In the medium term, investments were made in the control and implementation of priority actions, while in the long term a plan was presented based on the definition of an organizational and operational model with training and awareness courses.
Training therefore plays a central role in developing precise responses to hacker attacks. This point was also underlined by Lee Kim, Senior Principal for cybersecurity and privacy at the Himss research organization, who stressed the importance of continuously updating operators, who must be prepared to recognize an attack and to share its possible consequences with colleagues. Hence the importance “of a governance culture based on safety, because every organization must pay attention to procedures and management”.
Stephen Grimes, Senior Advisor at the University of Connecticut for teaching clinical engineers and past president of the American Association of Clinical Engineering (Acce), relaunched the theme of high professional competence: “We have a number of challenges in the sector and we know that no country can solve the problem alone: perhaps an international agency could be a strong response to this emergency. In my view, all healthcare professionals should have basic information in cybersecurity: from the nurse to the clinical engineer. The creation of vast and adequate skills is therefore necessary because the consequences of cybersecurity in healthcare are different and by now very heavy.”
In addition to training, however, impetus must be given to rules and tools that guarantee safety and spread it among technology producers as well, and here Europe is in trouble. On this issue, Fabio Cubeddu of Confindustria medical devices recalled that even within the recent European regulations there is no clarity: “Currently the manufacturer must refer to the new Eudamed database and to the Post marketing surveillance to ensure safety, but these are two references that are not yet fully operational.”
Manufacturing companies are now required to analyze the risks and the severity of impact of a cyber attack on the device throughout the device's entire life, right from its design. But in the face of evident regulatory uncertainty, the market today does not know how to behave. “Faced with the many problems, we expect decisive and clear-cut central choices,” argued Maurizio Rizzetto, Aiic contact person for Cybersecurity.
“Training, skills, professionalism make the difference,” he underlined, “but we also need an institutional reference area to follow a common line and to share experiences. Clinical engineers are ready to take action, together with all the other professionals of the sector, to ensure maximum security in the management of networks and devices, but it is necessary to have a common front and have a shared line of action, otherwise – as we have already recorded – hackers will continue to enter through the least predictable and manned doors of technological and digital systems,” he concluded.