Case study

A critical national cyber security event and the effectiveness of compensating technical controls provided by Roche managed firewalls

navify digital solutions integrate seamlessly with diagnostics instruments and in particular with Roche diagnostic solutions bringing together state of the art on-premise clinically regulated diagnostics instruments with advanced software solutions to provide optimised end to end capabilities for your diagnostics requirements.

The security of our digital products is assured throughout the product lifecycle as is the security of our clinically regulated diagnostics instruments which is evidenced in the following case study.

Galway University Hospitals: A critical national cyber security event

On 14 May 2021 the Health Service Executive (HSE) of Ireland suffered a ransomware cyber attack which resulted in a nationwide disruption of its health and social care services:

The threat to Roche Diagnostics systems

Roche Diagnostics, manufacturer of a wide range of network connected clinical diagnostics systems, supports HSE diagnostics operations across a large number of installations across the Republic of Ireland. These form part of the Irish healthcare ecosystem receiving test requests from HSE systems and returning diagnostics test results.

In connecting to such customer networks, the Roche Diagnostics systems are subject to the same cyber security threats as occurred in 14 May 2021.

The solution: rigorous Roche Diagnostics security controls

Roche’s approach is to ensure that the performance of the solution delivers constant reliable results within tolerance. To assure that performance, extensive validation tests are undertaken against standard configurations including all components; hardware, clinical assays and software. The trustworthy validated performance of Roche instruments underpins the operation of laboratories to quality and license to operate requirements such as ISO 15189:2012. Changes to any component in the validated solution, risk the trustworthy performance of the solution.

In recognition of the difference in cycle times between;

1) Corporate IT controls such as OEM security (Patch Tuesday), Antivirus, AntiMalware updates and,
2) The clinical validation cycle of diagnostics solutions

It is Roche policy to implement compensating controls in the form of a Roche managed firewall between your network and the diagnostics system. These firewalls deny all traffic which is not directly related to the operation of the diagnostics instrument and its interaction with supporting systems on your network (e.g.: Laboratory Information System – LIS).

Across the Republic of Ireland we have more than 100 diagnostics instruments and modules protected behind Roche managed firewalls.

The Roche managed firewall is located within the customer laboratory network to protect Roche devices from cyber-security threats. It is a stateful firewall manufactured by the leading firewall company – Fortinet, with a custom configuration for Roche medical devices.

The outcome: all firewall-protected Roche instruments were safe

Roche is pleased to report that no instruments connected to the HSE network but protected behind Roche managed firewalls were infected by the ‘Conti’ ransomware attack in May 2021. This affords high levels of assurance around the effectiveness of this approach protecting the operation of customer diagnostics operations during a period when the NCSC reports ransomware as the most serious and tangible cyber security threat globally.

“Initial reports indicated a human-operated ‘Conti’ ransomware attack that had severely disabled a number of systems and necessitated the shutdown of the majority of other HSE systems.
There are serious impacts to health operations…..as hospitals implement their business continuity plans.”

National Cyber Security Centre (NCSC) Ireland1

1 National Cyber Security Centre (NCSC), Ransomware Attack on Health Sector – UPDATE 2021-05-16, https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf. Last Accessed 11 Aug. 2022

“Roche devices in University Hospital Galway that were located behind the Roche supplied Fortigate Firewalls showed no signs of compromise and were not impacted by the Cyber Attack last year.”

Martin Murphy
Technology Manager Galway University Hospitals, Ireland

Explore
more

See how navify Tumor Board streamlines the entire tumor board process

Play video

Explore navify Tumor Board

Read more

Explore apps for navify Tumor Board

Read more