HackableHospital: an Interactive Healthcare Cybersecurity Simulation
An interactive online group simulation to train healthcare professional to follow good cybersecurity practices
Q1: What is cybersecurity?
Cybersecurity is concerned with the safety of computer hardware, software, and data. This includes protection from various threats: data theft, service disruption, identity theft, or even damage to network connected devices. It’s a big field, that encompasses a wide variety of threats to information technology (IT) systems. Many of the threats are technical, and hard to understand. In many cases however the threats are simple tactics.
Q2: Why do hospitals and healthcare organizations need to take cybersecurity more seriously?
All of us are seeing in the media that cybersecurity risk is increasing. Healthcare is one of the most commonly targeted industries. Healthcare data is extremely valuable to criminals — far more valuable than credit card information. In addition, information technology systems are far more interconnected than they were even 10 years ago. Being able to exploit a hospital’s IT security can allow perpetrators to access many other hardware and software systems: power, infection control, medications, or heating.
There is also the personal threats to cybersecurity that all of us face each day. Social engineering attacks. Phishing emails. Protecting ourselves from identity theft and personal data theft is not something we can leave to others to do for us. Each of us needs to take our own cybersecurity very seriously.
Q3: How did you come up with the idea of a simulation software for the cybersecurity of hospitals?
At Stat59 we do a lot of customer discovery, where we talk to researchers about how they manage their research data. We noticed early on that many researchers do not follow good cybersecurity practices, or even adopt poor practices such as shared passwords, data stored on unencrypted hard-drives, and even sensitive documents being sent back and forth by email. We were noticing at the same time that the number of published cases of cybersecurity attacks in healthcare was rising. Reading through the descriptions of the attacks we found that in many cases perpetrators were using simple techniques to bypass security. Often as simple as password guessing and social engineering.
The huge gap between the growing threats and the lack of cybersecurity protection in healthcare was very concerning to us. In 2019, I was invited to speak at the European Society of Emergency Medicine conference in Prague about cybersecurity. The session was very well-received and there was excellent conversation afterward. I have written a number of simulation software packages in the past. And, on the way back home from Prague I started thinking about how to work the teachings of the lecture I had given into an interactive simulation. From there, the HackableHospital was born.
Q4: How does the simulation work?
HackableHospital is an interactive online group simulation. The participants do not need to be in the same room, and can be anywhere that has internet access. This has been a huge advantage of our software during the COVID pandemic where in-person teaching is being curtailed. We prefer to work on the inverted classroom model: the participants are asked to watch a short YouTube video on cybersecurity prior to the simulation.
The scenario of the simulation can vary with the background of the participants. For instance, we have used the simulation software for teaching the students of the European Master in Disaster Medicine about cybersecurity and cyberterrorism. In this setting, the students are divided into groups and play the role of IT experts who work in Disaster Medicine tasked with finding weaknesses in the hospital infrastructure and developing mitigation and recovery plans for the weaknesses. Regardless of the scenario, the main task of the HackableHospital is to bypass the hospital IT security and cause chaos in the system. The simulation is vulnerable to many types of attacks including spoofing, tampering, social engineering and password guessing. When the participants are able to find and use an exploit, there is a news release giving instant feedback that the exploit has been found.
We find that the simulation works best when the participants work in small teams of 5-10 people. We often have several teams working on different (but identical) hospitals, and it creates a type of fun / competitive atmosphere as the teams can see the results of the attacks on the other hospital in the news release, but do not how it was done. Each simulation session ends with a debriefing. Usually, each team is asked to describe one exploit, provide the name of the exploit, and then give 1 or 2 mitigation strategies. We also like to leave time for the group to discuss other issues of cybersecurity.
Q5: Conclude by telling us what, in your opinion, is the uniqueness of HackableHospital?
Cybersecurity is not always the most interesting topic. Keeping participants engaged during a lecture is not easy. Before attending our simulation, many healthcare workers tend to perceive cybersecurity as “things that IT does to keep the network safe” rather than “things I need to do to keep myself safe.” The HackableHospital is unique in that the architecture of the software and the flow of the teaching sessions are optimized to ensure that participants learn tips that are helpful both in their careers in healthcare and for protection of their own personal data and identity. There is often an element of surprise when participants see how easy it can be to penetrate a poorly protected system, and how simple it can be to protect from these attacks.
The HackableHospital gives an interactive (and fun) experience where participants exit with a useful toolkit to protect both their workplace and their personal lives from cyberattacks.
Read more about Hackable hospital