Cybersecurity of the Health Sector – The Way Forward

Written by Adv. Vered Zlaikha, Partner, Head of Cyber Affairs & Artificial Intelligence, Lipa Meir & Co.

The health sector has been one of the sectors most vulnerable to cyber attacks globally in recent years, and this pressing topic continues to capture public attention worldwide. The implications of cyber attacks on this sector may be severe, or even fatal, in terms of human life. Health organizations have to deal with growing threats while having limited resources to defend themselves. Following a cyber incident that occurred in a hospital in Israel at the end of 2021, and the steps subsequently taken by state authorities, this topic has also led to developments in Israel in recent months, including on cybersecurity regulation and sectoral standards, as briefly described below.

In October 2021, Hillel Yaffe hospital in Israel was the target of a major ransomware attack. As reported, although the hospital apparently kept operating as usual (except for non-urgent surgeries) and critical equipment kept working as usual, the hospital was reportedly using alternate systems for its treatments, including writing patients’ information down by hand[1]. At a conference hosted by the hospital and the Ministry of Health in June 2022, it was revealed that the costs of the incident had reached 36 million NIS (approx. 11 million USD), covering the reconstruction of the hospital’s information and communication technology systems, the technicians hired for the mission, loss of revenue, delays in elective medical treatments, etc.[2] The incident has intensified public discussion of cybersecurity in the health sector and of the lessons that could be learnt.

In May 2022, the State Comptroller’s Office released a detailed report examining cyber defences in the health sector[3]. The findings in the report pointed out several gaps in health organizations’ preparedness, highlighting the need to maintain cyber hygiene and data protection procedures throughout the lifecycle of medical devices (e.g. requiring cybersecurity checks and approvals before the purchase of new medical equipment, and conducting periodic penetration tests and cyber risk surveys). The report also stressed the need for health organizations to allocate sufficient resources to cybersecurity in terms of governance and budgets, and to put in place detailed incident response and recovery plans. The report also examined the steps taken by state authorities and urged the Ministry of Health to issue complete cybersecurity regulations.

In March 2022, the Ministry of Health issued a new comprehensive regulation on the Fundamentals for Cybersecurity of the Health Sector[4], updating and supplementing regulations it had issued before. The new regulation addresses a range of responsibilities and duties of health organizations, starting with the design of corporate governance mechanisms, cybersecurity strategies and policies, and risk management frameworks, so that cybersecurity risks receive the proper resources and attention. It lists cyber hygiene requirements at both the management and the technological levels. These also include cybersecurity requirements for outsourcing or purchasing from external suppliers, with references to the cybersecurity standards ISO 27001 and ISO 27799, which certain suppliers are required to meet. The new regulation also stipulates mandatory breach notifications by health organizations in relation to cyber incidents.

The regulation on the Use of Cloud Computing in the Israeli Healthcare System (hereinafter “the Health Systems’ Cloud Regulation”) is another contemporary regulation, issued earlier by the Ministry of Health (February 2021)[5]. The Health Systems’ Cloud Regulation requires health organizations to conduct a risk assessment survey before deciding to use cloud computing, with the involvement of the Ministry of Health (Sectoral Cloud Committee) in case the risks are found to be high. Furthermore, once a positive decision has been made to use cloud computing, it requires the health organization to set out, in the agreement between the parties, the cloud service provider’s cybersecurity conduct and obligations, as well as supervision mechanisms for the health organization.

The past year may therefore serve as an opportunity to advance the cybersecurity resilience of Israel’s health sector, given the combination of a major cyber incident in a hospital and its lessons, the State Comptroller’s newly released report with conclusions and recommendations for the sector, and new regulatory steps taken by the Ministry of Health to delineate concrete and updated mandatory guidelines for the sector. Cyber threats in this sector are expected to keep evolving together with new technologies, and the regulatory steps will obviously have to be updated from time to time. But health organizations should seek to learn the lessons obtained and implement the regulations in force. Considerations of compliance and of minimizing legal exposure carry broader dimensions in the health sector than in some other sectors, as they may involve direct implications for human lives and wellbeing.

[1] https://hy.health.gov.il/eng/?CategoryID=23&ArticleID=891; https://www.jpost.com/breaking-news/hillel-yaffe-hospital-targeted-by-ransomware-attack-681842
[2] https://www.calcalist.co.il/calcalistech/article/hkdxk9kt9
[3] https://www.mevaker.gov.il/sites/DigitalLibrary/Documents/2022/2022.5/2022.5-204-Medical-Cyber-Taktzir.pdf
[4] https://www.health.gov.il/hozer/mk06_2022.pdf
[5] mk02_2021-en.pdf (health.gov.il); https://www.gov.il/en/departments/policies/mk02-2021