Joining Forces for Security
Doris Pischitz | 2018-12-17
Marc Rose leads the CyberHealth program at Siemens Healthineers.
Cybersecurity in healthcare is a growing concern. Faced with an increase in cyberattacks, healthcare systems across the globe will have to spend billions in the coming years to protect healthcare delivery. We spoke to Marc Rose, head of the CyberHealth program at Siemens Healthineers.
What makes healthcare such an attractive target for cybercriminals?
People go online, and the criminals follow. In the digital world, the entry threshold is lower than in the real world, and the reach wider – online can be an anonymous “place.” Healthcare providers make especially attractive targets because of the data they hold – patient data sells for more money than other types of data, such as credit card information. Also, because of the traditionally lower investment in cybersecurity in healthcare, the targets are easier to successfully attack.
What is Siemens Healthineers doing to increase cybersecurity?
In the digital world, cybersecurity is a license to operate. At Siemens Healthineers, we focus on three key aspects. First, our cybersecurity culture: We raise awareness for the topic and train our employees. That makes it much easier for each individual to incorporate cybersecurity into their daily work. Of course, awareness and competency are essential in product development, but also in areas such as product servicing, delivery, and contract performance.
Second, our strategy: We produce products and digital solutions that include “security controls by design and by default.” In other words, we incorporate security into the development process in accordance with current industry standards – “by design.” Beyond that, we’re always keeping track of potential risks. If there’s an incident, we immediately issue “Advisories” so that our customers can take action. This is supported by ProductCERT, a globally connected group at Siemens AG.[1] If our products are affected, we test and validate the patches, and our customers receive them directly via Smart Remote Services.[2]
Third, transparency: The industry can only succeed in the long term if we are transparent. We have to be proactive, for example, by giving customers an overview of software components installed in their devices. Many customers are well informed and know when their devices are affected by a security threat.
How is security prioritized in the product development process?
A secure development cycle is paramount, and this begins with requirements engineering. All products undergo a threat and risk analysis that results in a requirements specification which lists the security features to implement. Most importantly, we end with a series of tests. Here, we do precisely the same as the criminals: We attempt to compromise our own devices by any means, including dishonest ones. These results then go back to the development departments to resolve any issues before the product is released. Privacy protection is vital and we’re especially proud that, for example, our cloud-based performance management solution teamplay has been independently audited and awarded the European Privacy Seal (EuroPriSe). The seal acknowledges the excellence of our strategy of “privacy by design and default.”
Likewise, our partners – such as Microsoft, our cloud provider – are chosen for their cybersecurity measures aimed at safeguarding both infrastructure and operations. In terms of company culture, cybersecurity is now integral to product management. Without it, we could not compete in many of today’s calls for tenders. For example, for several years now we have met the very strict requirements of the U.S. Department of Defense (DoD) for many of our products – and we’re proud of the trust the DoD places in us. Some hospitals also have their own rules, which are very similar to those demanded by the DoD. And hospitals are often quite strict when communicating these requirements to suppliers.
We listen to our customers. Our goal is not just to meet the requirements of regulations and standards, but to solve real problems for them. We foster their trust by developing secure medical devices based upon their input. Patient safety is paramount, and secure products build confidence in the resilience of medical technology and IT.
In terms of shared responsibility, what can and should customers do?
Both our customers and we need to join efforts and act in concert to foster cybersecurity in their institutions. It should be self-evident that, like all IT products, medical equipment must be operated in a secure environment. Naturally, we all want the networking benefits of the digital age. We want to send data from an MRI scan directly to the PACS and manage tasks via an RIS, just like we have done in the past. However, we strongly recommend operating medical equipment in a separate network – without an internet connection by default. The necessary connections, for example to our Digital Ecosystem, have to be carefully secured by us and the customer’s IT department. The same is true for our equipment service. Our smart remote connection operates through a highly secured tunnel and is ISO 27001 certified.
Our products already include broad security features. One such feature is authentication and authorization, which acts as a powerful tool for IT administrators – provided they use it. First, the administrator needs to ensure that the X-ray technician Jane Doe is known to the identity management. Then they need to determine what she is allowed to do and which equipment and data she may access.
Of course, it’s up to the customer to ensure that Jane Doe is sensitive to cybersecurity issues – which brings us back to cultural change. She needs to understand that, for instance, plugging a USB stick that has not been screened for security into a medical device could lead to a long downtime not only for that device, but in the worst case for the whole hospital.
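The two-step check described above (first, is the user known to identity management; second, which actions, equipment and data has she been granted) is shown here as an added example. It is illustrative code written for this article, not Siemens Healthineers product code: the user IDs, role names, device names and resource labels are constructed, and the deny-by-default rule and audit trail are design choices of the example rather than anything the interview specifies.

```python
"""Deny-by-default identity and authorization check for modality access.

Added illustration, not vendor code. Step 1: the user must exist (and be
enabled) in the identity store. Step 2: a role assigned to that user must
explicitly grant the requested (action, resource) pair. Anything not granted
is refused, and every decision is written to an audit trail.
All users, roles, devices and resource names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# A permission is an (action, resource) pair, e.g. ("acquire", "xray-room-2").
Permission = Tuple[str, str]

# Role definitions: the only source of permissions (constructed example data).
ROLES: Dict[str, FrozenSet[Permission]] = {
    "xray_technician": frozenset({
        ("acquire", "xray-room-2"),
        ("view", "worklist:radiology"),
    }),
    "radiologist": frozenset({
        ("view", "worklist:radiology"),
        ("read", "pacs:studies"),
    }),
    "device_admin": frozenset({
        ("configure", "xray-room-2"),
        ("configure", "mri-1"),
    }),
}


@dataclass(frozen=True)
class Identity:
    """One entry in the identity management store."""
    user_id: str
    roles: FrozenSet[str]
    enabled: bool = True


# Identity store (constructed). Only listed, enabled users are "known".
IDENTITY_STORE: Dict[str, Identity] = {
    "jdoe": Identity("jdoe", frozenset({"xray_technician"})),      # Jane Doe, X-ray technician
    "rroe": Identity("rroe", frozenset({"radiologist"})),
    "admin1": Identity("admin1", frozenset({"device_admin"}), enabled=False),  # left the hospital
}


@dataclass
class Authorizer:
    """Evaluates requests against the identity store and role definitions."""
    identities: Dict[str, Identity]
    roles: Dict[str, FrozenSet[Permission]]
    audit_log: List[str] = field(default_factory=list)

    def authorize(self, user_id: str, action: str, resource: str) -> bool:
        """Return True only if an explicit role grant exists; log every decision."""
        ident = self.identities.get(user_id)
        if ident is None:
            return self._deny(user_id, action, resource, "unknown identity")
        if not ident.enabled:
            return self._deny(user_id, action, resource, "account disabled")
        for role in sorted(ident.roles):
            if (action, resource) in self.roles.get(role, frozenset()):
                self.audit_log.append(
                    f"ALLOW user={user_id} role={role} action={action} resource={resource}")
                return True
        return self._deny(user_id, action, resource, "no role grants this permission")

    def effective_permissions(self, user_id: str) -> FrozenSet[Permission]:
        """Everything a user can do: the input for a least-privilege review."""
        ident = self.identities.get(user_id)
        if ident is None or not ident.enabled:
            return frozenset()
        granted: set = set()
        for role in ident.roles:
            granted |= self.roles.get(role, frozenset())
        return frozenset(granted)

    def _deny(self, user_id: str, action: str, resource: str, reason: str) -> bool:
        self.audit_log.append(
            f"DENY user={user_id} action={action} resource={resource} reason={reason}")
        return False


if __name__ == "__main__":
    authz = Authorizer(IDENTITY_STORE, ROLES)
    # Jane Doe may acquire images in her room, but may not reconfigure the device.
    print(authz.authorize("jdoe", "acquire", "xray-room-2"))    # True
    print(authz.authorize("jdoe", "configure", "xray-room-2"))  # False
    # Unknown and disabled accounts fail at step 1, before any role is consulted.
    print(authz.authorize("ghost", "view", "worklist:radiology"))  # False
    print(authz.authorize("admin1", "configure", "mri-1"))          # False
    for line in authz.audit_log:
        print(line)
```

The point of the structure is that there is no way to be allowed without passing through both steps: a request from an account that is not in the store, or that has been disabled, never reaches the role lookup, and a known user gets exactly the grants her roles carry and nothing else. The `effective_permissions` view is what an administrator would review periodically to confirm that, for example, a technician has not accumulated configuration rights over time.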
How do you think cybersecurity – and the changes required to deal with data securely – will impact the future integrity of hospital and sensitive patient information?
There will never be a silver bullet that will allow us to achieve 100 percent cybersecurity once and for all. That’s why both Siemens Healthineers and our customers are establishing processes to rapidly respond to attacks and breaches. The digitalization of healthcare is an unstoppable force, which is good. It enables medical advances and increases value for all. Cybersecurity is a joint responsibility that we share with our customers so that digitalization can be used safely for the benefit of patients.
About the Author
Doris Pischitz is an editor at Siemens Healthineers with a focus on C-Level and IT-related topics.
[1] CERT = Computer Emergency Response Team
[2] Only available for products with an established and functioning connection to SRS.