Cyber attacks they continue to target health care in Italy too. But what is the situation? To deal with the cyber threat, infrastructures and regulations exist and are valid: ma the training of personnel the vulnerability of hacker attacks. what emerges from scientific research on the preparation and awareness of IT risk in Italian health. An analysis born from the collaboration between Sham – Relyens group and the Management Department of the University of Turin. The survey, the results of which are detailed in the whitepaper Understanding Cyber risk: the new horizon in healthcare, collects and analyzes the responses of 68 health professionals operating in structures spread over 14 Italian regions. The professionals interviewed are Risk managers, Quality managers, Data protection officers (Dpo), IT Security (Ciso) and Clinical Engineering managers, as well as referents of the Health and general management. 70% of the structures belong to the public health sector, 30% to the private sector, with dimensions ranging from less than 250 beds to more than 750, representing the composition of the national health system in a homogeneous manner.
Big data, opportunities and dangers
a circumscribed but representative analysis, which photograph the state of the art of the preparation of our healthcare professionals regarding the cyber threat and whose results can contribute concretely to research on the safety of the health sector, he says Roberto Ravinale, executive director of the mutual society leader in civil health responsibility in Northern Italy. What is happening in the healthcare sector, well described in the whitepaper: In the healthcare sector the application potential of the use and development of robotics and artificial intelligence are manifold: it ranges from medical robotics where diagnostic software significantly minimizes human error thanks to the precision of pre-programmed mechanical movements to the use of robots to maneuver surgical instruments that are often too heavy and unwieldy for the human operator; from personalization of care that allows to refine more and more the diagnosis and prognosis with respect to certain clinical conditions and possible therapeutic and intervention options to all those activities more directly linked to professional patient care services. The concrete application and operation of Artificial Intelligence, especially in the health sector, passes through the increasingly massive storage of an increasing amount of identifiable and sensitive personal information of patients, the so-called big data. In a recent “Big data survey” – conducted by Agcm, Agcm and the Privacy Guarantor – highlighted as “in the health sector, thanks to advances in next-generation technologies that have led to an increasing availability of biomedical data, free access databases have been created containing anonymous genomic and clinical data of patients. Such databases containing a large number of heterogeneous data constitute a great opportunity for scientists, who, using Big Data analysis techniques, can automatically extract new knowledge on a given pathology “. But, the huge amount of new data generated is counterpointed by the need for their processing and processing to take place in a context of technical, IT, organizational, logistical and procedural security measuresThe research has allowed us to identify critical issues and areas for improvement with the ultimate goal of strengthening health risk management actions also in the IT field, add the authors. Anna Guerrieri, Risk manager of Sham in Italy e Enrico Sorano, adjunct professor of Business Economics at the Management Department of the University of Turin.
The results: cyber risk recognized as a priority
What emerged from the research? 24% of the facilities reported having suffered cyber attacks, of which 11% consisted of ransomware and 33% from unauthorized access to data. Illicit data tracking, ransomware or cryptolocker and device / device theft follow with lower percentages: all three items register a percentage frequency equal to 11%. the issue of cyber risk in healthcare as a priority which impacts on services provided and internal organizational models. A further 31% rated the issue as partially a priority. Nonetheless the measures adopted by the structures to prevent and manage cyber risk are still infrequent: a internal risk mapping the structure has not yet been put in place, or only partially carried out, by 49% of respondents and only 29% engaged in the activity. Parallel to the detection of the data on the possible analysis of the potential risks present in the reference company organization, which reiterates the frequency percentages indicated above: it was not carried out or only partially carried out for 53% of cases, and even here carried out only for 31%. Likewise, the percentage of attendance relative to conducting vulnerability tests limited to 35%. It should be noted that on this specific element the percentage of “I don’t know” increases to 26%. Overall – explain Guerrieri and Sorano – the regulatory environment, the level of priority within the company management and the hardware equipment are up to the growing challenge. But the level of alertness and technical competence among the personnel who daily use the devices is not sufficient. Quite often, doors are opened to hackers completely unconsciously. It is essential to raise the alert level by introducing ongoing training courses and new skills.
Awareness and awareness
The opportunity to be seized now – underlines Arabella Fontana medical director of the hospital of Borgomanero – Asl Novara -. Digital information and services will be exchanged in ever-increasing volumes. We must also apply a proactive approach to the cyber sphere: IT security must be foreseen and considered in every process. Awareness and awareness are at the heart of improvement: understand the value of data security and the enormous damage that its lack can cause. Another paradigm is needed – he adds Antonio Furlanetto, “Futurist” and Risk Manager expert in civil liability, Professor of anticipatory risk management at the University of Trento and CEO of Skopa Srl Anticipation Services -. We can no longer rely on purely reactive risk management but we must accept that the future holds events that we cannot predict, but for which we can prepare. It is not a limit of our knowledge, in the nature of things that there are genuinely uncertain risks. Cyber risk falls into this category and cannot be limited to hacker attacks alone. We have a risk linked to the malfunction of the technology itself, to the use of data, to the attention or not of people. All this makes cyber risk a multipurpose risk that requires simultaneous preparation on all levels in which it occurs.
July 7, 2021 (change July 7, 2021 | 12:42)
© REPRODUCTION RESERVED