Several public healthcare institutions in Singapore faced an online service outage last month due to a distributed denial-of-service (DDoS) attack. Although services like email and staff productivity tools were inaccessible during the disruption, mission-critical systems supporting clinical services and operations, including patient records and internal networks, were unaffected, so patient care was not compromised.
Responsible for the IT operations of Singapore’s public healthcare institutions, Synapxe said it detected an abnormal surge in network traffic, which circumvented the tools it had in place to block abnormal surges. This overwhelmed Synapxe’s firewall, triggering the firewall to filter out the traffic and causing all the websites and internet-reliant services to be inaccessible. Once the cause was identified, Synapxe immediately worked with service providers to deploy measures to block the abnormal traffic and allow the legitimate traffic required for internet services to resume.
“This recent DDoS attack is a reminder of the ongoing cybersecurity risks the healthcare sector must contend with. Essential service providers like healthcare institutions are an attractive target for bad actors because of their access to sensitive data, such as medical records and patient information, as well as the potential for widespread disruption in the event of a successful attack,” says Leonardo Hutabarat, head of solutions engineering for Asia Pacific and Japan at LogRhythm.
The incident also shows that healthcare organisations need full visibility into their IT systems to swiftly detect a DDoS attack before it overwhelms the capacity of the public healthcare network and firewalls.
Hutabarat says: “When an attack is in progress, redirection or disposal of DDoS traffic becomes increasingly challenging. This is why proactively leveraging tools — such as a Web Application Firewall or a DDoS mitigation provider, as well as using Content Delivery Network caching, Anycast routing and rate limiting — to prevent and counter DDoS attacks early on is critical.
“Furthermore, dedicating separate systems to host external web pages and internal operating systems provides an additional layer of protection that helps ensure mission-critical systems, such as electronic health records, remain accessible during an attack.”
Risks posed by connected medical devices
As Hutabarat points out, healthcare is a growing cyberattack target. Check Point Research found that healthcare organisations worldwide averaged 1,463 cyberattacks per week in 2022, up 74% from 2021. Among the reasons for this is the widening attack surface as healthcare institutions digitalise their operations.
Medical devices are increasingly becoming connected to healthcare data and systems to deliver more personalised and holistic care to patients. Research reveals that around 3.2 million internet of medical things (comprising medical devices and software as well as related technologies and systems) were in use globally in 2021, and this number is estimated to reach 7.4 million by 2026. What’s worrying here is that each device represents a potential access point for bad actors to exploit.
“Much of the connected medical equipment used in healthcare institutions isn’t built with security in mind, and when those devices lack sufficient security updates and patches, their vulnerability increases. Older legacy medical devices are particularly troubling as they may no longer get regular updates from the manufacturers or have patches left uninstalled. Also, connected medical devices may be running in silos so it’s difficult to have visibility and secure all of them,” says Scott Jarkoff, director of Intelligence Strategy for APJ and Middle East at CrowdStrike.
Adding to those challenges, medical devices are not conducive to traditional security measures. Hutabarat shares that those devices may not use encryption on the network, making it easy for data to be read on the wire. Attackers could also perform man-in-the-middle attacks and send commands directly to the device once they interpret the network protocol and switches.
Cybersecurity labelling scheme
To help reduce the complexity of securing connected medical equipment, Singapore is trialling an initiative to rate medical devices according to their levels of cybersecurity provisions. The Cybersecurity Labelling Scheme for Medical Devices, or CLS(MD), sandbox is a collaborative effort by the city-state’s Cyber Security Agency, Ministry of Health, Health Sciences Authority and Synapxe.
CLS(MD) aims to incentivise manufacturers to adopt a security-by-design approach, which could also help differentiate their products. Additionally, the scheme enables consumers and healthcare providers to make more informed decisions about the use of connected medical devices such as insulin pumps, respiratory ventilators and X-rays.
Participating manufacturers will put their medical devices through different assessments — including the declaration of conformity, software binary analysis, penetration testing and security evaluation — to be rated.
Products labelled Level 1 and 2 would have met the baseline and enhanced cybersecurity requirements respectively. Those in Level 3 would have met enhanced standards and passed independent third-party software binary analysis and penetration testing. To get the highest rating of Level 4, a medical product must meet the requirements of Level 3 and pass the security evaluation by independent third parties.
The CLS(MD) sandbox will run for nine months, and the feedback and learning from the sandbox will be used to refine the requirements and operational workflow of the scheme where necessary.
The people aspect
People are another aspect that healthcare organisations must look into to improve their cybersecurity posture. According to Hutabarat, many healthcare institutions lack a cybersecurity culture. “Oftentimes, they are using weak passwords to log into their accounts or for their connected devices. Those passwords also don’t change over time as they are not required to do so. In short, there are not enough people taking cybersecurity seriously.”
To overcome that, organisations should adopt the Zero Trust model, wherein users are authenticated on a continuous basis. Zero Trust should not only cover endpoint and identity layers, but also be extended to the data layer. Protecting data through its entire lifecycle involves data security tools such as anti-malware and intrusion detection systems; data protection tools including backup and recovery; and data privacy technologies and services like encryption, multifactor authentication and tokenisation.
Meanwhile, CrowdStrike’s Jarkoff highlights that healthcare organisations are struggling to defend themselves from cyber threats due to their limited cybersecurity personnel and expertise. “Some leaders in healthcare organisations still don’t see cybersecurity as a top priority. They don’t understand the cyber threats they’re faced with such as ransomware, and think they won’t be targeted. Most have a lean IT or cybersecurity team, and the rapidly evolving cyber threats make it more challenging to have the right skills.”
Having a security information and event management (SIEM) platform that provides visibility, integrates with threat intelligence, and alerts on the threats can help.
The LogRhythm SIEM Platform, for example, offers single-pane-of-glass visibility into legacy systems and cloud-based solutions. It easily integrates with existing technology, including electronic healthcare record systems, biomedical devices and telehealth systems. It can help bridge threat detection and response by correlating healthcare-specific threat intelligence with the event logs generated by patient care systems. By providing contextual information that makes threat intelligence actionable, it helps healthcare institutions respond quickly to threats and avoid disclosure requirements.
Healthcare institutions can also consider engaging external help to bolster their cyber defence capabilities.
Jarkoff shares that third-party cybersecurity partners like CrowdStrike can help organisations assess their security posture, identify and mitigate risks, and implement security best practices. Besides that, they can help healthcare organisations train staff and raise security awareness, as well as provide the security tools and solutions needed to create a proactive, resilient cybersecurity posture.
The impact of cyberattacks on healthcare can be severe to the point of costing patients’ lives. As the number of cyberattacks is expected to continue growing, it is critical for healthcare organisations to ensure their systems and data are protected as they digitalise to deliver more accurate, personalised and convenient services.