Cybersecurity in the healthcare industry

The healthcare industry is now the one most targeted for cyberattacks. In 2017, the industry suffered over 32,000 attacks per day per organization – compared with 14,300 in other industries, according to figures from the cybersecurity experts at Fortinet. Therefore this is not a threat to be taken lightly.

For Pierre-Jean Wipff, Innovation Advisor at Innovaud, the elevated level of cybercrime in healthcare is due in part to the high prices that medical data can fetch on the dark web – higher than those for credit card numbers or other personal data. Another factor is the serious consequences for hospitals if their medical equipment or IT systems get hijacked, as that could put patients’ lives in danger. Around 70% of care centers that have been attacked by ransomware ended up paying the ransom. And all that is aggravated by the fact that hospitals’ IT systems are often outdated; they are increasingly connected but poorly protected against cybercrime.

Healthcare professionals have therefore put cybersecurity at the top of the agenda, adding it to the list of challenges brought about by the digital transformation. What exactly are the main threats hospitals face? How can they protect themselves? What regulatory changes in this regard are on the horizon? How can product developers design connected yet secure medical devices?

To answer these questions and more, the Innovaud Connect conference held on 13 March 2018 looked specifically at cybersecurity in the healthcare industry. The event took place at the Biopôle biotech cluster in Epalinges and was attended by around 50 healthcare professionals from across French-speaking Switzerland.

Major challenges for hospitals

After a short introduction by Wipff, Dr. Michel Buri, Deputy Head of IT for the Valais Hospital Network, discussed the key cybercrime-related challenges that Swiss hospitals face. He pointed out that medical device makers will need to concentrate their efforts on enhancing the security of their devices and ensuring they retain the trust of caregivers. In terms of regulations, Dr. Buri pointed out that medical software developers should be required to provide regular security updates for their applications. Some updates are so old that they are no longer available, which means the applications are exposed to all types of malware.

As healthcare goes increasingly digital and devices become ever more connected, Dr. Buri sees security threats on three levels: patient safety; the security of medical data; and hospitals’ ability to function without interruption. He believes the best response to these threats involves taking a holistic approach to prevention and sharing responsibility across the entire chain.

Beefed-up regulations for better patient protection

Because medical devices are typically intended as lifetime treatments, software stands to play a growing role – throwing up new challenges in terms of not only the design of those devices, but also their testing, validation and updates. “All these issues will play a role in the next set of EU regulations,” says Rochat.

At the end of her talk, Rochat recommended that device makers incorporate cybersecurity into their risk assessment processes, quickly implement targeted measures for their products and processes, establish methods for testing their devices against cyberattacks and plan for security updates. They should also develop plans for how they will handle and communicate on data security-related issues going forward.

World-caliber MIoT skills in Vaud

Next up was Professor Philippe Ryvlin, Head of the Clinical Neuroscience Department at the Lausanne University Hospital (CHUV), who explained how the Fondation NeuroTech in Epalinges is a pioneer in clinical research on neuroscience-related technology. More specifically, the foundation examines the impacts that mobile healthcare (mHealth) and other technological breakthroughs will have on medicine, the economy and society at large.

One of the key challenges that the foundation studies is cybersecurity. To that end, Professor Ryvlin has teamed up with Professor David Atienza Alonso – Head of EPFL’s Embedded Systems Laboratory and the third conference speaker – to develop new kinds of security systems. Their systems are designed to overcome the three main obstacles related to the medical internet of things (MIoT): medical precision, data security and patient usability. Professor Atienza described the current state of the art and the most recent developments in MIoT. He stressed that while off-the-shelf cybersecurity systems do exist, they are still too cumbersome and expensive to be deployed in MIoT on a large scale. Professor Atienza’s lab is working on promising technology combining precision, security and ease-of-use – and that stands to become one of the pillars of personalized healthcare going forward.

Debiotech traces the path to cybersecurity

The next speaker – Laurent-Dominique Piveteau, CEO of Debiotech SA – provided examples of how cybersecurity systems can be integrated into medical devices. Piveteau believes that cybersecurity has completely disrupted the development process for such devices. Whereas before product developers were concerned mainly with random threats, today they must grapple with the likelihood of a premeditated, malicious and dynamic attack. This is a paradigm shift that affects medical-device developers and manufacturers alike.

Lausanne-based Debiotech, founded in 1990, develops highly innovative medical devices that can improve therapeutic outcomes as well as patients’ quality of life. During his talk, Piveteau explained how his company incorporated cybersecurity criteria into the development of its JewelPUMP™ connected insulin pump. The JewelPUMP™ is smaller, thinner and lighter than other pumps on the market and can be controlled by a smartphone.

Time to act

While cyberattacks can have considerable financial consequences for a hospital, more important is the risk they pose to patients’ lives. Hence the urgency to act now.

This Innovaud Connect conference ended with a reminder that healthcare professionals from across the region can call on EPFL and HEIG-VD, which have specific expertise in fighting cybercrime. They can also draw on the experience of experts to set up ambitious development projects like the one at Debiotech.

By Eugène Schön