Israeli hospitals were “significantly hacked” 13 times according to a report by State Comptroller Matanyahu Englman issued on Tuesday regarding the current state of cyber security in Israel’s medical field.
10 of these hackings were “of the most severe level,” said Englman in the report.
In addition, Englman noted that the cost of Hillel Yaffe Medical Center in Hadera's recovery from being hacked in October 2021 had exceeded NIS 36 million.
At the time, a massive hack of the medical center disabled much of its ability to continue ongoing operations based on standard procedures.
Israel's health sector was a major target of cyberattacks
Already by 2021, Israel’s health sector was one of the sectors most attacked by hackers.
A major way that Englman discovered the extent of the health sector’s deficient cyber security situation was by using a “red team” managed by his office to carry out a controlled hack of a major medical center, called “A” in the report.
The “hack” revealed a large number of deficiencies in A’s cyber security concepts, in its defenses and in its handling of a hack once it had already been penetrated, all of which can also apply to a variety of other medical centers, said the report.
More specifically, the report said that the health sector lacks sufficient segmentation of its different networked services, ongoing inspections of cyber security, probes into the different ways medical devices and facilities access the internet, and broad structural defenses, and that it fails to update security for content. The report cited a wide variety of machinery that is becoming more networked, from MRI-related devices to CT scan devices to ultrasound devices.
The cost of fixing the deficiencies was estimated at an ongoing yearly cost of more than NIS 10 million for facility “A.”
The comptroller said that it was not only critical for medical centers to have initial cyber security defenses, but also to know how to mitigate losses even after a hacker might succeed at penetrating one or more systems, before they can spread into other systems.
Moreover, the report recommended that the Health Ministry take a more active role in enforcing higher cyber security standards among different medical centers.
Along those lines, Englman said that all medical centers should be required to undergo a “red team” controlled hacking test to expose their weaknesses on a regular basis.
Meanwhile, the report also said that it “exposed extended years of neglect regarding information security” by the Israel Prisons Service (IPS).
“There are deep gaps and significant deficiencies regarding information security which create concrete dangers” of being hacked, said the report.
According to the report, the IPS is ill-equipped culturally to address cyber security issues and does not take its role in maintaining information security on classified items seriously enough.
The list of deficiencies ranged from failure to perform basic cyber defense of classified information to negligent sharing of information with outside parties and failure to properly delineate what different IPS officials’ security clearance should include and not include.
Englman wrote that an earlier investment of NIS 144 million in improving the organization’s communications and information security failed miserably, but that despite that failure, the IPS did no in-depth review of what went wrong and how to improve.
In addition, the report criticized both the Public Security Ministry – now the National Security Ministry – and the IPS for failing to approve and use the new budget approved to address information security issues.
Although NIS 532 million is supposed to be approved, the political echelon has only approved use of NIS 104 million, and even from those limited funds, the IPS has only used NIS 39 million.
62% of acquisition orders needed to implement new cyber security programs have not even been sent out.
While the IPS budget has risen by 12% and other ministries have increased their technology budgets by 25% on average, the IPS has reduced its technology budget by 13%, said the report.
As with the health sector, the comptroller suggested that the IPS regularly undergo controlled “hacking” by “red teams” to discover its deficiencies.
In addition, the report said the IPS has no solid plan to handle an episode in which its networks get hit with a significant hack.
Englman said that the IPS, the National Security Ministry and even Prime Minister Benjamin Netanyahu, since national security is involved, had a responsibility to improve the situation.
The Health Ministry issued a response extolling its digital openness and access in multiple languages to Israel’s citizenry.
The IPS responded, stating that in May 2021 it started mapping out its cyber security vulnerabilities. It noted that in two years, the IPS has completed over 80 projects, including making prison facilities run on a more networked and efficient basis as well as converting physical criminal and medical files to digital form.
Further, the IPS said that Prisons Chief Katy Perry had placed technological issues at the top of her agenda after her predecessors had ignored the issue.
The statement said that the IPS would continue to press forward to close cyber security and other gaps, while noting some of its ability to do so could be limited by state budget issues.