Cyber Horizons

Biomedical and cybersecurity: specific challenges?

Published on 27 May 2022

Is biomedical IT just computing like any other? Directly connected to medical equipment, it supports the core of hospital activity and in any case raises particularly critical issues.

Health-specific operational systems

Medical imaging, appointment scheduling, remote consultations: IT has become ubiquitous in healthcare facilities and throughout the patient care pathway. Biomedical IT thus covers all health equipment connected to information systems: scanners, analysis devices, monitors, etc. This field, historically managed by clinicians rather than by IT teams, represents a real cybersecurity risk for hospitals, and not only for them. In this sector even more than elsewhere, network availability and data integrity are critical: lives can depend on them.

And specific issues

In the hospital, it is therefore vital that the operational infrastructure works when it is needed. However, as soon as these biomedical devices are connected to the network, they become just as vulnerable as conventional workstations or servers. Unfortunately, the professionals concerned, users and manufacturers alike, are still unaware of the cybersecurity issues specific to biomedical IT. The sector does have long experience of operational safety (protecting against accidental failure), but it has integrated the logic of security, which requires considering malicious acts, far less. To these cultural aspects is added a fleet of equipment that is often obsolete and difficult to master. Taking its inventory can be complex because of the diversity of the devices that make it up, their geographical distribution and the low centralisation of information about them.

For Léonard Keat, Head of South-East Operations at Advens, the difficulties also stem from a certain dependence on suppliers or software publishers:

“Few internal teams have access to the equipment, either because the supplier has not built in the notion of roles, or because the supplier is the only party authorised to access it.”

Léonard Keat • Head of Southeast Operations

Auditing to better protect biomedical informatics

While it is impossible to prevent 100% of cyberattacks, solutions exist to better secure this fleet of connected devices. The latest recommendations of the French Association of Biomedical Engineers (AFIB) call in particular for being more demanding of suppliers and for fighting equipment obsolescence. Advens also advocates adopting an “immune” posture, which aims to detect cyber threats as early as possible in order to reduce their impact. This response strategy is based on a set of protection, detection and response services that very often begin with an audit phase.

This simple and effective step makes it possible to establish the security level of the biomedical fleet. Rémi Martin de Abia, an Advens auditor, recently carried out an external penetration test for a CHU (university hospital centre). Through a search for domain names and subdomains, he discovered two significant vulnerabilities that gave access to the system and then to patient records: comments on X-rays, for example, could be read. Rémi adds:

“For the attacker, attacking an office workstation at the reception desk or a scanner in the radiology room amounts to exploiting classic vulnerabilities: he might not even know the difference between the two machines! Worrying, in view of the stakes, which are beyond measure.”

Rémi Martin de Abia • Auditor

The audit report therefore makes it possible to become aware of the vulnerabilities and the risks involved, but it can also support the CISO in the annual budget negotiation or serve as a basis for discussion with biomedical equipment manufacturers. In short, a first step towards better security for this fleet like no other!

So where do we start to strengthen the security of the biomedical fleet? A simple mapping of this perimeter can already be a very worthwhile first step.
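As an added illustration of that mapping step (this is example code written for this page, not an Advens tool or the CHU's audit), the script below joins what the network sees, a DHCP lease export, with what the biomedical department knows, its device register, and flags the gaps described earlier in the article: devices on the network that nobody has registered, registered devices that never show up, obsolete operating systems, medical devices sitting outside the biomedical VLAN, and devices only the supplier can administer. The lease lines, the OUI-to-vendor table, the register entries, the subnet convention and the end-of-support dates are all constructed assumptions, not real vendor data.

```python
"""Added example: first map of a biomedical fleet from DHCP leases plus a device register.
All data below (MAC prefixes, hostnames, dates, subnet) is constructed for illustration."""
import re
import ipaddress
from dataclasses import dataclass
from datetime import date

# Assumption: the hospital's network convention puts all medical devices in this VLAN.
BIOMED_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Constructed OUI table (hypothetical prefixes, not real IEEE vendor assignments).
OUI_VENDOR = {"00:1c:bf": "ImagingCorp", "00:0e:8f": "VitalsInc", "00:50:56": "OfficePC"}
MEDICAL_VENDORS = {"ImagingCorp", "VitalsInc"}  # assumption: vendors treated as biomedical

# Constructed ISC-dhcpd-style lease export (one lease per line).
LEASES = """\
lease 10.20.5.14 { hardware ethernet 00:1c:bf:aa:01:02; client-hostname "CT-SCANNER-RAD1"; }
lease 10.20.5.22 { hardware ethernet 00:0e:8f:10:20:30; client-hostname "MONITOR-ICU-03"; }
lease 10.50.1.7 { hardware ethernet 00:0e:8f:10:20:44; client-hostname "MONITOR-ER-07"; }
lease 10.50.1.9 { hardware ethernet 00:50:56:9a:bb:cc; client-hostname "RECEPTION-PC-02"; }
lease 10.20.5.31 { hardware ethernet 00:1c:bf:aa:01:09; client-hostname "ANALYZER-LAB-1"; }
"""

# Constructed biomedical register, keyed by MAC: OS, vendor end-of-support date, who can log in.
REGISTER = {
    "00:1c:bf:aa:01:02": {"name": "CT scanner, radiology", "os": "Windows 7",
                          "eos": date(2020, 1, 14), "owner": "biomed"},
    "00:0e:8f:10:20:30": {"name": "Patient monitor, ICU bed 3", "os": "vendor Linux",
                          "eos": date(2026, 6, 30), "owner": "biomed"},
    "00:0e:8f:10:20:44": {"name": "Patient monitor, ER bay 7", "os": "vendor Linux",
                          "eos": date(2026, 6, 30), "owner": "supplier-only"},
    "00:1c:bf:aa:02:00": {"name": "Ultrasound, cardiology", "os": "Windows XP Embedded",
                          "eos": date(2016, 1, 12), "owner": "biomed"},
}

REPORT_DATE = date(2022, 5, 27)  # assumption: date the map is produced

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>[\d.]+)\s*\{.*?hardware ethernet\s+(?P<mac>[0-9a-f:]+);'
    r'(?:.*?client-hostname\s+"(?P<host>[^"]*)")?', re.I)


@dataclass
class Seen:
    ip: str
    mac: str
    host: str


def parse_leases(text):
    """Turn dhcpd-style lease lines into Seen records; MACs normalised to lowercase."""
    return [Seen(m["ip"], m["mac"].lower(), m["host"] or "") for m in LEASE_RE.finditer(text)]


def vendor_of(mac):
    """Look the 24-bit OUI prefix up in the (constructed) vendor table."""
    return OUI_VENDOR.get(mac[:8], "unknown")


def map_fleet(leases_text=LEASES, register=REGISTER, today=REPORT_DATE):
    """Join network view and register view; return the inventory gaps by category."""
    findings = {"unregistered": [], "not_seen": [], "obsolete": [],
                "wrong_segment": [], "supplier_only": []}
    seen_by_mac = {s.mac: s for s in parse_leases(leases_text)}

    # Network side: anything from a medical vendor that the register does not know about.
    for mac, s in seen_by_mac.items():
        entry = register.get(mac)
        if entry is None:
            if vendor_of(mac) in MEDICAL_VENDORS:
                findings["unregistered"].append(f"{s.host} ({s.ip}, {vendor_of(mac)})")
            continue  # office equipment is IT's fleet, not this map
        if ipaddress.ip_address(s.ip) not in BIOMED_SUBNET:
            findings["wrong_segment"].append(f"{entry['name']} ({s.ip})")

    # Register side: dormant or unreachable devices, obsolete OS, supplier-only access.
    for mac, entry in register.items():
        if mac not in seen_by_mac:
            findings["not_seen"].append(entry["name"])
        if entry["eos"] < today:
            findings["obsolete"].append(entry["name"])
        if entry["owner"] == "supplier-only":
            findings["supplier_only"].append(entry["name"])
    return findings


if __name__ == "__main__":
    for category, items in map_fleet().items():
        print(f"{category}: {items}")
```

The two loops are the whole point: a device that only the network knows is an inventory gap (nobody owns its patching), and a device that only the register knows may be on an unmanaged switch or simply gone, which is just as worth a site visit. Real deployments would replace the constructed lease text with the DHCP server's export (or passive captures of ARP/DHCP traffic, since many medical devices must not be actively scanned) and the OUI table with the IEEE registry.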