Sara Jost, global healthcare industry lead at BlackBerry, explores how to secure medical devices and networks in the era of ransomware
Security is no longer just about keeping data safe – it's about protecting our health, safety and wellbeing.
Research from Beazley found that the healthcare sector experienced the highest increase in ransomware demands, jumping 133% during the first six months of 2017.
During that time, the high-profile WannaCry ransomware hijacked the NHS.
When the attack occurred and doctors and nurses tried to access patient files, a pop-up appeared notifying them that the data was under ransom and that they needed to pay a fee in order to access the records again.
This had catastrophic outcomes as emergency trauma treatments, transplants and other life-saving medical procedures needed to be staggered or diverted to other facilities.
Patients quickly lost faith. Not only that, but the hospitals could also encounter costly regulatory penalties.
So, what should be done to protect data and medical practices in this market?
The need to make software updates available and easy to install is now more important than ever.
The next WannaCry could easily leverage vulnerabilities across mobile, or even IoT, platforms, some of which don't even have software updates available.
While some manufacturers are building their own update systems, many are already starting to leverage third-party systems for secure software updates.
The other key lesson is the need to back-up critical data in a safe location.
There are numerous cloud and on-premise services available, but it's important to choose a trusted system that will not only back-up the data but also encrypt it, allowing secure access from a variety of endpoints.
When implementing the back-up solution, the IT team should also ensure it includes a feature that provides a link to the backed-up Electronic Medical Records.
The solution should also send mass notifications of steps to follow, so clinical staff can quickly and safely retrieve the data. This will prevent a sudden inundation of help-desk calls and also reduce panic.
The IT team should be mindful that medical practitioners are not security professionals, so the need for education is vital.
It should also be explained how they can identify and avoid phishing scams to ensure sensitive patient data is not compromised.
Alongside employee training, it is also important to implement a tool that protects all data within the organisation.
A solution is offered via a containerisation tool, which is an authenticated, encrypted area of a user's device that can be used to insulate sensitive corporate information away from the personal side of the device.
This means that even if a criminal cracks a stolen device, they won't gain access to the content, credentials and configuration details. The container can also prevent cutting and pasting of information to unsecured emails, SMS, or IMs to further avoid phishing scams.
There have been a number of cases when medical practitioners have not had access to secure file-sharing solutions, so they have had to resort to using insecure data transfer tools to share patient records – most recently it was reported that doctors are using Snapchat to send patient scans to each other.
These insecure methods are risky and could result in data being stolen or compromised.
To prevent medical files from falling into the wrong hands, the IT team should implement a secure file sharing solution so practitioners can send records in and outside the organisation safely and securely.
Using the company's approved secure file-sharing solution will encrypt medical records, as well as ensure users can access their documents anytime and anywhere. Tools like this better protect the data and guarantee the information is within the user's control.
In order for healthcare professionals to ensure the best patient care possible, there are some legal precautions that can be taken when protecting patients.
Cybersecurity requirements can be written into the procurement policies to force device, IT hardware, and software makers to build security into everything they sell. It is important that any installed applications are user friendly; otherwise, staff will turn to less-secure shadow IT workarounds like personal messaging apps and cloud storage.
IT teams within the healthcare sector should remember that technology is available to make data theft within the organisation more difficult. They should recognise the importance of regularly updating their IT system and introduce employee training courses and security guidelines to ensure that staff are fully aware of the risks involved, as well as the preventative tactics.
IT professionals should also deploy multiple layers of cyber threat protection and secure their networks. If they fail to do so, they run the risk of being a victim of the next big cyber attack, ultimately experiencing data loss and, even more of a concern, potential loss of life.
While these impactful cyber attacks are unfortunate, they should serve as a much-needed wake-up call to the healthcare sector.
Protecting patients doesn't stop the moment they leave the medical centre. Health practitioners are under an obligation to keep their patients' records completely safe and secure.