Is The Critical Healthcare Infrastructure Protected?
"Public health offices: with paper, pen and fax against Corona," was the headline in the press in 2021. The criticism focused on the digital connection and thus the networking of general practitioners and specialists, hospitals and laboratories with the health offices. According to plans, the public health offices in Germany should since long have reached their highest level of digital maturity.
In the end, a sensitive gap occurred during the pandemic. But it was not only the fast, networked transfer of data that came under discussion – since then, IT security in the critical healthcare infrastructure has also come under scrutiny. How secure is patient data in hospitals? Is information and data security guaranteed at all times for all players in the healthcare ecosystem? And are IT security solutions really as robust and reliably protective as they claim to be?
The digital hospital
It is undisputed that digitization also opens up a wide range of opportunities in healthcare, especially in the context of much-vaunted personalized medicine. To this end, the Federal Ministry of Health is pursuing an ambitious digitization strategy, through which it is hoped, among other things, to achieve more efficient administrative processes. The Hospital Future Act, which came into force in 2020, has already prescribed a digital update for German hospitals. In the "digital hospital" of the future, the electronic patient file and its linkage with numerous software components, such as drug prescription software, are indispensable. Devices and objects will be linked digitally in a far more complex way than they are today - gone will be the days when employees of medical laboratories had to laboriously enter handwritten data from doctors´ practices into their IT systems.
"The more digitization in critical health infrastructure, the more important security becomes, so simple yet highly complex is it all."
CISO establishes security architecture
IT security is not a niche, but a necessity that permeates everything. Critical healthcare infrastructure is not exempt. The number of hospitals that must meet the requirements of the IT Security Act will increase in the future, regardless of the legal obligations. The requirements and necessities for digitization have given rise to new positions and departments responsible for information and data security throughout the organization. Increasingly, hospitals are setting up Security Operation Centers (SOC) operated by their own experts, which should enable them to analyze external hacker attacks in order to keep their own IT systems and IT infrastructures stable and protect them from damage in the face of increasingly complex attack technologies.
With the SOC, IT security is also taken into account not only in healthcare, but also with regard to medical and building technology. The head responsible for overall corporate and cyber security is the Chief Information Security Officer (CISO, all genders). His or her area of responsibility is far greater than that of the Chief Security Officer (CSO, all genders) or a department head for security. A CISO, whether working in a hospital or a health department, develops a holistic overall strategy for information security, but is not organizationally anchored in IT; instead, he or she usually reports directly to the CEO or the CIO.
Convincing of the need
Based on an interdisciplinary strategy, a CISO creates an individual analysis of all systems and processes to ensure a protected and robust security architecture. The CISO optimizes security policies, controls identity management and leads training and awareness sessions for employees. Communication skills and strong assertiveness are mandatory, especially when a CISO has to convince about the necessity of IT security and about adjustments of process flows in the company. The discussion about the relevance of the function ends at the latest when the CISO intervenes in a security-relevant incident as "Superman" or "Superwoman" who saves the day. Anyone who underestimates such incidents or IT gaps and cyberattacks is blatantly misjudging the role of the CISO.
Security where the threads converge
IT security experts in critical infrastructure face a tremendous and challenging workload. In hospitals, they often find IT systems and software applications that run in parallel like a patchwork and are not always compatible, which is a gateway for sensitive data to be leaked and intercepted. In addition, these experts must take a forward-looking strategic view of hospitals as interfaces for networking practices and health insurers – multisectoral networking across hospital boundaries, from nursing to outpatient care in doctors' practices, is also a sustainability goal formulated by politicians.
Processes and responsibilities will continue to change in digitization, there is no going back and this would also speak against any progress. Horton International Germany, which has focused on digitization and networked technologies since its founding more than 25 years ago, has been observing the challenges for a long time: the more technology and AI are used in therapy and diagnostics, the more complex the demands on IT security in the critical healthcare infrastructure become. Managing the latter, while always striking a balance between data security and business effectiveness, is the task of specifically trained IT security experts, wherever the threads have to come together quickly and transparently, whether in laboratories, health offices or clinics.
However, this requires a change in mindset and a sense of urgency among many of those responsible. Again, IT security is not a niche, but permeates all areas of healthcare. Policymakers should not always be the first to call for action or even reinforce measures. Individual responsibility is key and the imperative mandate.
The message of optimal IT security has not yet been received everywhere, but to ignore it would be to expose oneself to avoidable risk and, above all, to an enormous loss of trust on the part of patients.