The State Comptroller's report published Tuesday reveals that hospitals in Israel are a leading target for cyberattacks, but according to the State Comptroller's examination, they are not prepared for this.
Biometric passport failure | Comptroller's Report
In an attempt by the State Comptroller's Office to penetrate one of the hospitals in Israel, 13 significant findings were identified, ten of which were of high severity and three of which were of medium severity. The Comptroller recommends that the Ministry of Health conduct cyber penetration tests in hospitals and HMOs, in accordance with an orderly plan, and to implement the lessons learned from the audit in the hospitals' operations.
He suffered a serious attack. Hillel Yaffe Hospital in Hadera,
In recent years, cyber threats to the health system, including medical centers, have also increased. According to the National Cyber Directorate, the health sector was one of the ten most attacked sectors in Israel in 2021.
The most damaging attack occurred in mid-October 2021, when hackers broke into computers and servers at Hillel Yaffe Government Medical Center in Hadera. The attack disrupted the activity at the medical center for about three months, caused patients to be diverted from the medical center to other centers, switched to manual rather than computerized work, denied access to patients' medical information, and more. The cost of rehabilitating Hillel Yaffe Medical Center after the cyberattack was estimated at NIS 36 million.The Comptroller's Office notes that this attack highlights the importance of the health system's optimal preparedness for the cyber threat and information security.
State Comptroller Matanyahu Engelman, Photo: Oren Ben Hakon
The State Comptroller's Office conducted a penetration test, with the assistance of an external company, into an unnamed medical center. In the audit, the organization's systems were attacked in order to detect weaknesses in them. In other cases, weaknesses are detected in the organization's applications and websites or vulnerabilities in servers and operating systems.
The purpose of the test was to measure the level of protection of the medical device network at the medical center, including of devices used for imaging tests such as MRI, CT and mammography, as well as the database of imaging test results. As part of the test, more than 100 servers and endpoints were scanned in systems related to medical devices. As stated, 13 deficiencies were found, some of which were corrected by the end of the audit. The flaws were detected in five areas: segmentation and flow control, network access control, station and server protection, outdated software, and insecure access.
The management of the medical center said in its response to the audit's findings that even before the audit was performed, it dealt with vulnerabilities that arose, among other things, in the penetration test, and implemented risk-reducing actions that could reduce damage that may be caused by the system's vulnerabilities. The hospital also estimated that the total cost of correcting the defects could amount to more than NIS 10 million per year on an ongoing basis.
"The ministry is working on several levels to increase the level of preparedness of medical institutions for such events." Ministry of Health building, photo: Oren Ben Hakon
The Ministry of Health said in response to the comptroller's report: "The ministry is working on several levels to increase the level of preparedness of medical institutions for such events. Within this framework, the Ministry published a circular setting out principles for medical institutions for dealing with cyber threats; In 2022, the Ministry began promoting a national project to protect medical devices in medical institutions, whose implementation will begin in 2023; In 2022, risk surveys were conducted in hospitals in order to assess their preparedness to deal with threats and to improve the defense system of medical institutions and their resilience. Penetration tests were also conducted in 2022 at 19 hospitals and two HMOs."
Wrong? We'll fix it! If you find a mistake in the article, please share with us