Cybersecurity: preparedness & prevention

Back in April and May, it was reported that every 3 days, a healthcare IT system had been the target of a cyberattack. The pressure did not let up, as various organisations providing health services were attacked, including the Australian government, a US healthcare giant, and the Slovakian MyHealth app. Cyberattacks have negative consequences for any organisation, but the stakes are even higher for those handling emergency care. Sadly, this became clear in September: a man in Düsseldorf University Hospital (Germany) was the first patient whose death was “linked directly” to a cyberattack, after his care was disrupted.

Now more than ever, cybersecurity should be high on the priority lists of public safety organisations. We don’t just mean hospitals and technology providers, but all actors along the chain of emergency response. Unfortunately, emergency call centres are not exempt from cyberattacks. In Turkey, for instance, the 112 emergency number was impacted by hackers earlier this year. Losing continuity of service of emergency numbers can have a detrimental impact on people’s safety, as can the breach of important and confidential information. Implementing an effective prevention policy is therefore essential for emergency response.

Be aware and be prepared

Making an organisation cyber secure may seem a daunting task, especially considering the quick and constant evolution of threats. The most important aspect of staying secure is implementing long-term cybersecurity measures. Regardless of the type of attack, the best time to implement a solution is before it happens, not during or after. Cybersecurity is therefore an exercise in risk management. Alongside a dedicated cyber risk assessment, policies, including an information security policy, need to be established and continually updated to raise awareness of risks and best practices.

Technical measures

Preparedness should also be integrated into technical measures, by ensuring that the IT infrastructure is as protected as possible. This may involve, for instance, using a Virtual Private Network (VPN) when connecting from outside a Public Safety Answering Point (PSAP) or from another organisation. The VPN will encrypt the connection, so that no-one on the same Wi-Fi connection can intercept the traffic. Another example is the use of firewalls. Although most organisations use such a tool to protect the network from unauthorised access, this is often not used to its full potential.

As the emergency services chain involves increasing numbers of technological solutions, ‘cybersecurity by design’ is crucial. Rather than implementing security solutions as an afterthought, developers should focus on protection from the early stages of design. Cyberattacks are an unavoidable reality of our connected world, so we should build technology with security in mind. In short, this means making attacks and disruption as difficult as possible and detection as easy as possible.

Standards make an important contribution to cybersecurity, by ensuring an adequate minimum level of protection and a consistent implementation of protection requirements. For example, in Germany, the Federal Office for Information Security provides a series of standard requirements for the modules that make up a PSAP’s IT system, based on Basis Protection, Standard Protection and Core Protection approaches. These requirements must be integrated into the overall cybersecurity approach and should be implemented in a specific order to ensure that the basic risks are covered early in the process. On an international level, it is essential to ensure cyber-secure cross-border cooperation.

IT security culture

A further consideration is the role of human error in facilitating a breach. Education is key: employees cannot be expected to respect cybersecurity best practices if they do not have the tools and knowledge to do so. All organisations should therefore create a culture around information security by providing security information trainings for employees, designating a responsible person for cybersecurity, and limiting the number of employees who have administrative access.

Finding direction for the next steps

We’ve mentioned just a few examples, but of course there are many best practices and strategies to take into consideration before, during, and after an incident. The good news is, there are resources out there to help. The advice in this blog post originates from our document ‘Cybersecurity: Guidelines and Best Practices for Emergency Services.’ This is a good place to start! We’ve also put together below a (non-exhaustive) list of guidelines and resources.

The pandemic has brought the importance of cybersecurity for emergency services to the forefront, but cyber threats in the public safety field are not new. Some organisations take a long time to act. As technology develops and we move towards Next Generation emergency services, public safety organisations will be receiving more and more data and from an increasing variety of sources. Research suggests that data-driven public safety, as well as resilient energy and infrastructure projects, will account for over half of global spending on smart cities between 2019-2023. These developments will bring significant positive impacts for people’s safety, but to take advantage of these benefits, public safety organisations need to be sure that their systems are secure.

Cyberattacks can happen anytime and anywhere. Being cyber secure means being prepared.

Resources:

More on EENA’s work on cybersecurity

Key EENA resources: Cybersecurity: Guidelines and Best Practices for Emergency Services, Cybersecurity in a PSAP, a practical approach , Ensuring continuity of service of emergency call handling (webinar), Security & privacy issues in NG112 , How can I protect my organisation against cyberattacks? (presentation at EENA Conference 2019)

ENISA (EU) guidelines on Internet of Things, Telecom & 5G, Procurement in hospitals, Healthcare sector during COVID-19

NIST (USA): Cybersecurity Framework Standards, Draft guidelines for technology leveraging positioning, navigation & timing (PNT), Cybersecurity Framework Standards

APSSIS (France): Guide to cybersecurity for health information systems (in French)

National Cyber Security Centre (UK) : Cybersecurity design principles

Author: Rose Michael, former Knowledge Officer & DPO at EENA

The opinions expressed are those of the author and do not necessarily represent the views of EENA. Articles do not represent an endorsement by EENA of any organisation.