The Health Ministry would not be able to adequately protect the country’s medical institutions against a cyberattack in the event that one should occur, a new report from State Comptroller Matanyahu Englman has warned.
In the last few years, the risk of medical institutions being targeted by a cyberattack has grown sharply. If a medical facility were attacked, there is a risk of extensive disruption to essential medical services, both in routine times and during emergencies, as well as a risk of theft of personal medical information, which could have severe consequences.
The audit focused on the security of medical imaging devices in particular, citing the serious and far-reaching consequences that this form of hacking can achieve.
The report stated that the theft of medical imaging can lead to “invasion of a patient’s privacy, disclosure of their medical information, an incorrect medical diagnosis, financial extortion of the medical institution, or of the patients, threats, embezzlement and insurance fraud.”
The State Comptroller report is based on the responses of 25 medical institutions across Israel (although due to Clalit Medical Services grouping their eight institutions together, the audit refers to only 17 institutions throughout) to a questionnaire focused on the “protection and security of information in medical devices.”
The audit ran from January to November 2021, and mid-audit, in October 2021, hackers broke into the servers of Hillel Yaffe Medical Center in Hadera, causing large-scale disruption at the hospital.
The audit found that of the 17 medical institutions, 13 had not conducted the necessary risk assessments on their medical equipment, and the same number had no recovery plan in place for restoring systems after a breach. Institutions were also found to lack basic access controls (username and password authentication) on ultrasound equipment, meaning that, in principle, anyone could access the equipment.
However, when it came to purchasing new equipment, a larger number of institutions took security into account. Only five of the 17 institutions did not consider a device's level of data security when purchasing it, and did not make the purchase conditional on the approval of a data security officer. In some of these five institutions, a security officer's approval is a required step in the purchasing procedure, and it was ignored entirely.
As for protecting medical devices and the data stored on them, one institution allows external technicians to perform maintenance on devices without oversight by an institution employee, and two others have not required their maintenance providers to sign confidentiality agreements.
Of the 17 institutions, 14 allow device manufacturers to connect remotely to MRI and CT devices; of these, one had not defined how such remote connections are to be made, and two did not monitor remote connections at all.
Accordingly, the comptroller report recommended that external technicians performing maintenance work at an institution arrive only after coordinating their visit with the relevant officials, and that an institution employee accompany maintenance workers at all times.
“The medical institutions must keep a full record of all the information necessary prior to the removal of the medical devices for maintenance outside the institution, including indicating in the registration whether the medical information stored in the devices is deleted before they are released for maintenance and upon the termination of use,” the report adds.
Although each medical institution has the responsibility of ensuring that the correct cybersecurity standards are met, the responsibility for cyber defense in medical institutions is overseen by the Health Ministry, whose preparedness in the face of a cyberattack was deemed inadequate by the comptroller audit.
“The Health Ministry has not completed the formulation of its guidelines on the subject of cyber protection, including basic principles for managing cyber protection and tools for dealing with a cyber incident,” reads the report.
As such, the recommendation was made for the Health Ministry to finalize the formulation of their procedures and to distribute them to medical institutions as soon as possible. When presented with the findings, the Health Ministry responded that the draft of the cybersecurity procedures has been approved and the final version will soon be published.
“The audit revealed deficiencies in the field of information security of medical devices in 25 medical institutions examined: 11 general-governmental medical centers, two public medical centers, four health funds and Clalit’s eight medical centers,” the comptroller report states, summarizing the findings of the audit.
“Issues have arisen in medical institutions, including large medical institutions. The shortcomings relate to the management aspects of the information security field […] and the operational aspect of protecting the devices, for example, the lack of critical security measures that the medical institutions should have implemented in the network for the purpose of protecting imaging devices.
“The Health Ministry must continue to act as a regulator in order to assist the medical institutions at the national level in dealing with the information security challenges in medical devices. The medical institutions must act in order to correct the deficiencies that arose in this report and implement appropriate information security measures and controls throughout the life course of the medical device – before purchasing it, when receiving it in the medical institution, during its regular use and maintenance and when using it.
“Addressing these shortcomings will reduce the information security risks, to which medical institutions are exposed during the day-to-day use of medical devices.”