DUBAI: A lack of proper cybersecurity training is making Gulf hospitals and medical providers among the most vulnerable targets for “catastrophic” attacks by hackers who have more than one way to breach their defenses, experts have warned.

The IT framework of health care facilities has also created challenges in building an effective cyber-safeguard, according to information security leaders who say health chiefs must adopt a “360-degree view” of cybersecurity to block “bad actors.”

The ramifications of hackers invading the health sector were illustrated in May, when the global WannaCry ransomware attack crippled the UK’s National Health Service (NHS), causing IT shutdowns at hospitals and GP surgeries.

Experts say health care organizations are potentially disadvantaged because they fear threat-detecting measures could impair how medical staff do their vital jobs.

Despite the measures introduced by countries such as the UAE to ensure health care facilities have rigorous security networks and data protection procedures, Amir Kolahzadeh, CEO of Dubai-based cybersecurity firm ITSEC, said there is no room for complacency because cybercriminals are not restricted to conventional hacking.

“In the context of one-dimensional security, medical companies and hospitals in the UAE and the region are well-protected,” he said.

“But as cybersecurity becomes more complex to defend against, we have to adopt a 360-degree, multidimensional view. The lack of understanding of social engineering, social media safety, and proper cybersecurity and patient privacy training for medical and administration staff places these organizations in a higher-risk category.”

Kolahzadeh said cybercriminals are no longer hacking into systems via the Internet, but using phones, obtaining information through visits, and impersonating third-party vendors or clients to target a facility and gain access to data that could compromise its network.

“Traditional network firewalls are just a small factor in the complex cybersecurity equation, and the health care industry must have a holistic view of security to win this particular cyberwar,” he said.
Greater network connectivity within the health sector through the Internet of Things (IoT) has been cited as a particularly vulnerable spot for hackers to exploit.

“The fallout from hospitals and medical companies not having adequate cybersecurity provision in place is potentially catastrophic, as major attacks and compromises can cost lives if a hacker remotely takes control of power, cooling systems or medical devices,” said Kolahzadeh

“It’s not just a case of data leaks or medical records being stolen, which is why health care facilities must think outside the box on cybersecurity.”

Scott Manson, cybersecurity lead in the Middle East and North Africa (MENA) for technology giant Cisco, said health care organizations prefer to flow data through a single network and use “logical segmentation” to separate different types of network traffic.

But he warned: “If this segmentation isn’t done properly, the risk of attackers gaining access to critical data or devices increases.”

He added: “Globally, ransomware attacks have already done damage to health care organizations. They’re an attractive target for online criminals who know health care providers need to protect patient safety at all costs. In health care, most decisions about security are driven by patient safety, outside of regulatory requirements and the protection of corporate assets.

“Leaders of health care organizations fear attacks that could take down mission-critical equipment, endangering patients’ lives. They’re also concerned that security measures designed to monitor online traffic and detect threats can slow down the flow of data in critical systems, undermining medical professionals’ ability to diagnose and treat patients.”

Experts say despite the life-and-death risks involved, health care often ranks close to the bottom in terms of spending on information security.

“Health care devices are costly and intended to remain in place for several years, so their software and operating systems are often not updated as frequently, hence exceptions that allow them to adhere to different security protocols to operate reliably,” said Manson.

“The better approach, according to security experts, is to isolate and segment traffic between the network and mission-critical devices. Alternatively, organizations should improve their security infrastructure and network segmentation to better handle the exceptions that require compensating controls.”

Aisling Malone, professional indemnity and cyber lead for MENA at insurance giant AIG, said the expansion of electronic health records and digital health platforms, combined with wider use of connected devices, have made the health care sector “particularly vulnerable to security breaches and attacks.”

She added: “Across the GCC (Gulf Cooperation Council), we’re seeing an increasing number of companies, especially those who are potentially more exposed or sensitive to cyberattack, look to protect themselves by taking up cyber-insurance. Globally, this is one of the fastest-growing products we offer, and it clearly demonstrates the real threat that such attacks now pose to businesses.”

Source: Arab News