The third CyberSANE pilot took place on the 1st of July 2022 and was focused on the detection and communication of cyber-threats within hospitals.
In a regular hospital environment there are numerous medical imaging devices, such as ultrasound, magnetic resonance imaging or computed tomography devices. During diagnostic processes, those devices produce medical data linked to individual patients. The whole system of medical devices and their data is protected with firewalls and is therefore organized in virtual local area network (VLAN) segments. Nevertheless, imaging devices have a relatively large attack potential, because the focus during their integration into a clinical IT infrastructure often hides potential IT security risks. Medical technology is also increasingly connected to the network in order to better orchestrate clinical and business processes; it used to be built for closed subsystems, but nowadays it is more closely tied to the hospital's information technology. In addition, the advancing digital transformation of the hospital environment leads to a large heterogeneity at the infrastructure and application layers. This makes it harder for technical staff to maintain broad awareness of all the possible cyber-attacks.
The following diagram shows a general view of the IT infrastructure within a hospital:
As an example, service technicians regularly provide support for medical devices and thus access potentially critical medical IT networks. This is a weak point for hospital IT security.
For the CyberSANE pilot, we focused on simulated attacks during the maintenance of an ultrasound device. The pilot demonstrated the identification of a cyber-threat caused by an external attack in a simulated hospital environment, and the communication of lessons learned to partners using the CyberSANE platform. The diagram shown below illustrates the CyberSANE healthcare pilot deployment.
Subcomponents such as SiVi, a part of LiveNet, and L-ADS, a part of HybridNet, were used to localize the attack flow. Furthermore, an analysis of potential cyber-attacks reported in the media using EventRegistry, and knowledge exchange with partners using ShareNet, were presented.
The following three scenarios were conducted in the CyberSANE healthcare pilot:
- Scenario 1 – External attack due to an infected service technician’s notebook
- Scenario 2 – Malware spreads into local network and performs DoS attacks
- Scenario 3 – Rapid communication with other hospitals about threat
The main challenges during the preparation and operation phases of the CyberSANE healthcare pilot were:
- Definition of realistic scenarios within a simulated healthcare provider environment
- Demonstrations in critical infrastructures such as hospitals
- Difficulty of replicating the infrastructure in a simulated environment
- Use of sensitive or confidential patient data only after synthesizing and anonymizing it
- Pilot operation and demonstration by connecting the local hospital IT infrastructure with the cloud-based CyberSANE platform
Some lessons learnt during the CyberSANE healthcare pilot were:
- Promising for rapid information exchange on cyber-attacks and potential threats within the hospital network
- Larger hospitals in Germany are part of the so-called KRITIS (critical infrastructures)
- They are obliged to inform the German Federal Office for Security in Information Technology (BSI) (see the diagram below)
- The CyberSANE platform would allow interaction with partner and regional hospitals about possible cyber-attacks and those that have occurred, in a timely and structured manner
- Harmonisation of local Information Security Management Systems (ISMS) with other hospitals
- The CyberSANE platform assists by creating common attack patterns and identifying special anomalies
- Educational awareness of the local Security Operations Center (SOC)
To learn more about the Healthcare Pilot case study, visit the events blog post and watch the recording today. If you want to learn more about CyberSANE, visit the blog post for the CyberSANE 2022 ARES Workshop and catch up on the recordings as well.