Low perception of risk, few investments, IT security is not a priority despite the attacks and the resulting damage.
Cyberattacks on hospitals and regional data centers are no longer newsworthy, have become commonplace and, as such, only attract media attention when they cause disruption or damage to medical practice or when the amount of the requested ransom is disclosed.
The latest episode concerns the ASL 1 of Abruzzo – Avezzano, Sulmona, L’Aquila – of which you can find news in all the main national newspapers. The methods are always the same, cybercriminals have an easy time penetrating the weak defenses of the information systems of healthcare companies, blocking data and taking possession of it and then asking for a ransom to unlock it and not make it public.
Faced with such a significant risk, one would expect IT security to be the main priority in ongoing ICT investments, but incredibly this is not the case. There is, even among insiders, a low perception of risk, a false certainty about their own security measures and the idea that what has happened to others cannot happen to them.
What is the percentage for IT security compared to current investments? Very low, we are in the order of zero point. What are the specifications and requirements of the ongoing IT security tenders? In many specifications there is not even a specific chapter and the AgID guidelines are merely mentioned. Security is almost never in the evaluation criteria. Little or no training for users on this issue who in fact do not have a correct perception of the extent of the risk. In the surveys in which doctors are asked what, in their opinion, we should invest in digital, information security is not present.
We need a national plan for information security in healthcare, an audit of information systems, adequate investments and training for both technicians and users. Health informatics is vulnerable, it’s time to work hard to protect it.