The health sector collaborates to protect itself from cyberattacks

Cyber-attacks are part of the daily life of companies and public institutions.

Oliver Thansan
22 May 2023 Monday 11:23

Cyber-attacks are part of the daily life of companies and public institutions. This is not a new threat, but the rise of digitization has multiplied the activity of cybercriminals. No sector is spared from these criminal practices, which are driven by the search for profit. Although no one is safe, healthcare is especially exposed to this type of attack. Beyond the profits they can obtain, the organizations behind these crimes know that by attacking health institutions they achieve great social repercussions. Few things generate as much sensitivity among citizens as those that have to do with health. And the bad guys in this movie know it.

Why attack a hospital? How do you defend yourself? Is our health data safe? To answer these and other questions, Diálogos La Vanguardia, with the collaboration of the professional services firm EY, brought together a group of cybersecurity experts linked to the health sector. From their opinions it is clear that the bad guys are many and capable, but the good guys are not being left behind. They don't just wait for the next attack. They have been taking action for a long time, have larger budgets and work in a collaborative environment capable of conveying trust to society. As if all these measures were not enough, they are fully aware that they are going to be attacked. And that is always an advantage.

The context is very complicated. Xavier Ferré, partner responsible for cybersecurity at EY in Catalonia, explains that the growth of cyberattacks in recent years has been exponential. "There are data that show that last year there was a growth of 38%." The threat is very real. The reasons for this development lie in the fact that "cybercrime is now a very profitable business that achieves great benefits. It is said that it is already the third economy in the world".

Society is increasingly digitized and the number of connected devices is growing. This is very evident in the health sector, where "everything is more interconnected and, in this way, added value is offered to the well-being of patients and society," said Ferré. At the same time, the introduction of these technologies also increases exposure to cybercriminal activity. The EY expert points to the appearance of cryptocurrencies as another key element, since they "make it difficult to follow the traceability of money and it is easy to lose track". As a countermeasure, the level of awareness is growing rapidly.

Miguel Ángel Benito, regional information security coordinator of the Health Service in the Balearic Islands, welcomed the fact that investment in cybersecurity in public health has increased by 62% this year, "without counting on the European funds that are going to represent an economic injection of 40 million euros in the next two years as part of the primary care transformation project promoted by the Ministry of Health". Benito stressed that "we should not invest based on fear, because that is a short-term response and what we need is to have a strategy." But money is by no means the only thing needed to counteract the activity of cybercriminals. In the opinion of this expert, it is essential to "raise awareness throughout the chain of health professionals".

Behind cyberattacks there are organizations with high technological capacity, with resources and with a large business on their hands. Their activity ranges from kidnapping and extortion to selling data. "Who is buying the health data?" Benito wondered. Knowing the answer is essential in this detective story.

Tomàs Roy Català, general director of the Catalan Cybersecurity Agency, appeals to the co-responsibility of all the parties involved as part of protection intelligence. “This is not going to protect each one of us in our bunker because there are external providers, medical devices, pharmaceuticals, care centers, among others, and it is impossible to protect this ecosystem alone,” he said. Roy Català explained that, fortunately, "the actors that make up the healthcare fabric are committed to proactive co-responsibility, threat intelligence and transparency to defend themselves".

In line with what was expressed by Benito, the person in charge of cybersecurity of the Generalitat considered it necessary to "discover the motivation of these criminals in order to demotivate them." It is a fight in which, among many other things, "you have to put a lot of intelligence". We are in a stage of "active defense, of studying the adversary, of anticipating and responding," he concluded.

Indeed, the reality of cybersecurity and the healthcare environment has changed a lot in recent years. Carmen López, Global Manager for Product Security Communications

López explains that the current level of awareness is very high and is perceived in the day-to-day relationship with health centers. "We are beginning to see the figure of the person in charge of cybersecurity in some hospitals and also express references in the specifications of public tenders for the acquisition of medical equipment," she revealed. Now the concern is no longer limited to knowing the functionality "and they ask us about the security measures implemented by the devices and how we are going to connect and maintain it".

Another factor to keep in mind is that most of these medical devices have a very long life. Therefore, computers with state-of-the-art security measures coexist with others for which it is even difficult to change the password. López stressed that "in these cases, additional protection measures must be established."

José Luis Rojo, cybersecurity partner at EY, stressed that "we are facing criminal groups that lack scruples and do not care about putting people's health at risk." What they seek is to make their attacks profitable. Over time, we have learned that "we are moving in a terrain that is complex to protect and with a high level of exposure." Rojo made reference to the fact that "we have many hospitals, a lot of technology in a sector that needs to facilitate the exchange of data to improve the provision of services provided to the citizen."

All the participants in the session agreed that progress in the digitization of healthcare and services such as telemedicine cannot be called into question due to the threat of cybercriminals. In this sense, cybersecurity acts as a powerful ally. Benito assured that "a transformation like this is based on trust and if users distrust security measures then we will lose the opportunity."

Attacks against the health sector are not a phenomenon exclusive to Spain. Due to its particular characteristics, its social relevance and the nature of the information it handles, the sector is a priority target for cybercriminals on a global scale. Carmen López recalled that "citizens around the world are very sensitive to everything that has to do with health".

In any defensive architecture against the activity of hackers, it is worth asking what role the human factor plays. Health brings together large groups of professionals who participate in the provision of services and who can involuntarily facilitate the work of cybercriminals through their actions. By opening an email, for example, they can facilitate entry into the system. This is a reality, but the speakers pointed out that it would not be fair to place the responsibility on users, even though it is necessary to raise the level of awareness of all professionals.

Among the advances in the cybersecurity strategy, the experts highlighted the importance of sharing information and experiences and focusing on the main threats. “We prioritize knowledge about what is happening to be more efficient. Co-responsibility between providers and governments in solutions and regulations is the answer to a global problem without transferring the responsibility to the user”, said Roy Català. "When you know what is happening, you can focus on protection and see if you have that risk at home," added José Luis Rojo. For his part, Ferré considered that "knowing how cybercriminals think and act allows you not only to protect yourself, but also, in the event of an attack, you can respond more quickly and minimize the possible impact."

Another relevant aspect is knowing how the rise of Artificial Intelligence (AI) or technologies such as ChatGPT will affect cybersecurity. Ferré assured that AI is already being used in both attack and defense actions. On the good side, "we are making progress to advance knowledge of this type of technology and use it as mechanisms that contribute to protection." For Miguel Ángel Benito, AI "is going to help us be more efficient." The person in charge in the Illes Balears affirmed that "now our defense capacity is based on getting more people, but the market no longer offers more and we need alternatives". Tomàs Roy Català, for his part, pointed out that "AI is going to solve talent problems for us and, as has always happened in the history of humanity, it is going to free us to continue evolving."

One of the aspects that has traditionally most concerned companies and institutions that are victims of a cyberattack is the reputational cost. However, in the opinion of the experts, that situation has also changed. In a context in which attacks are the order of the day, suffering one does not generate a stigma. Of course, we must act "with transparency", explained Benito. "The concealment of the incidents hurts much more than being transparent with what happened," he pointed out.

Roy stated that "our job is not to be incident-free, but to recover and to do it efficiently and quickly." The work begins long before a cyberattack occurs. For Xavier Ferré, "you don't lose reputation for being attacked, but you can have a problem because of the way you manage it. You have to be prepared, have a strategy, know how to communicate it and what measures to take". Again, there was unanimity in pointing out that what cannot happen is suffering the same attack twice. Repetition is not acceptable.