
Cybersecurity: teamwork is imperative. What emerged from the Innovation Lab at FORUM Sanità 2024

FORUM Sanità is back and has brought together the most authoritative professionals in the sector to discuss the challenges and opportunities offered by new technologies to both public and private healthcare. The Cybersecurity Innovation Lab, carried out in collaboration with INIX Group, gathered Corporate Executives and IT managers in a crisis simulation following an incident on the IT system of a major healthcare facility. The workshop provided an opportunity for reflection and analysis on an extremely realistic scenario amid a continuous rise in threats and cybercrime attacks.

FORUM Sanità 2024. Cybersecurity Innovation Lab. Photo by Rachele Maria Curti for FPA

The world of healthcare and its complexity—amid technological revolution, significant challenges, and new critical issues—were at the center of the annual FORUM Sanità, held on October 23 and 24 in Rome. During the event, hosted at Zest on Via Marsala in Rome, discussions also focused on cybersecurity and how it has become an area that must be continuously planned, funded, and implemented—especially for a sector that provides essential services to citizens and is economically crucial for the regions. An opportunity to analyze and test the state of the art in protecting healthcare organizations against cybercrime was the Cybersecurity Innovation Lab, organized in collaboration with INIX Group, which saw participation from Healthcare Directors, Chief Information Security Officers (CISO), and Data Protection Officers (DPO).


Cybercrime and threats in the healthcare sector

The Clusit 2024 report notes that the share of attacks directed at healthcare organizations has roughly doubled, rising from 3% in the pre-pandemic period and 9% in 2021-22 to 14% in 2023. Among the techniques most frequently used by cybercriminals, malware is by far the most common (73% of attacks), followed by unauthorized access and compromised or encrypted data. “The number of ransomware attacks and ransom demands to regain access to data is becoming significant, to the point that the question healthcare executives, both public and private, need to ask is no longer if they will be attacked, but when,” commented Simone Pretti, Sales Director of INIX Group Italia, who took part in the working group. The attackers are often anonymous digital criminals hiding behind nicknames. The most worrying trend is the increasing severity of incidents, with 53% classified as critical. Post-COVID, healthcare facilities are no longer spared, and AI lowers the barrier to entry: serious threats such as ransomware no longer require expert hackers. “The number of attacks is doubling,” said Pretti. “If access to tumor images is lost, it seriously harms citizens.”

Most incidents originate from system vulnerabilities, showing that organizations are not fully prepared. Awareness is growing thanks to regulations such as the NIS2 Directive and Law 90/2024, which require an initial incident notification to ACN within 24 hours and a detailed report within 72 hours. Cyberattacks and internal incidents pose risks not only to reputation and finances, but also to patients’ health and privacy. To address this, the working group used the method of crisis simulation following an IT incident. The objective was to promote an exchange of expertise between innovation professionals and public and private executives, creating an opportunity for discussion and debate on the vulnerability of the National Health System.

Incident management in healthcare: the simulation

It is 2 PM on an ordinary working day when the radiology department reports an incident affecting diagnostic images. Within half an hour, fifty reports come in from various parts of Italy, from both users and medical staff. After an hour and a half, a ransom demand arrives: it is a ransomware attack. The attackers demand 3 million euros, to be paid within 24 hours. An escalation seems to have begun, but at 5:30 PM the entry point is discovered: a supplier made a minor change that infected all the PCs and machines across the different facilities, servers included. What measures should be taken?

The speakers at the table engaged in a lively and constructive exchange of ideas and experiences, resulting in a summary document with recommendations. The priorities of incident management are many: from analyzing the scope of the incident to classifying the type of attack and the compromised data. In the midst of the crisis, communication must be timely and precise, eliminating improvisation and emotional reactions. There is also the primary need to assess the business impact and ensure the operation of essential services: Has a business impact analysis been conducted? Are we in a position to activate the disaster recovery plan? Containment is an indispensable operational principle: isolating essential areas, continuous data backup processes, strict supplier access procedures, and the use of network access controls to prevent internal intrusions. All these factors together make the difference between a controllable incident and one that spirals out of control, with cascading effects beyond the system itself.

Risk management in healthcare

The healthcare sector is facing increasingly complex challenges in terms of cybersecurity. The growing dependence on information systems makes hospitals vulnerable to cyberattacks that can compromise access to patient data, disrupt operations, and cause serious reputational damage. “First and foremost, it is important to understand that information systems are fundamental to running a hospital,” continued Simone Pretti of INIX Group Italia. “It is no longer a secondary system but a vital asset. If viruses infect the system, access to data, images, and reports is lost—this causes serious problems. It’s also crucial to understand how information flows among all involved parties.” The healthcare sector relies on many key suppliers, who must be treated like internal teams in terms of security. Formal certifications, tests, and incident simulations should include all parties, suppliers included. Management awareness, especially among administrative directors, is critical to ensure that the necessary preventive measures are taken; underestimating risks often leads to insufficient budgets. Attention to detail is essential, covering the organization’s structures and processes and not just its technology. Communication, including institutional reporting, must be clear, pre-planned, and based on approved templates for efficient messaging. Training at all levels is vital, from top executives to healthcare staff. During crises, IT teams must stay focused and calm to address the incident effectively.

The role of INIX Group and future prospects

INIX Group, as a company specialized in cybersecurity, provides essential support to healthcare facilities by offering expertise and specialized resources that hospitals do not have internally. “INIX Group is the typical third-party company that carries out all those specialized activities that a hospital cannot handle. From all the infrastructure planning and technological design of security systems, such as firewalls, to the design of the network itself, and the assessment of the security conditions of the various workstations. Not only that,” concluded Simone Pretti of INIX Group Italia, “but also managing them with staff who provide 24/7 support, monitor systems, and apply emergency procedures in case of an attack or issue.” Regulations are gradually changing the perspective and awareness of healthcare organizations. The topic of the Crisis Unit is highly relevant, although operationally complex. Facilities are often outdated, and technology advances rapidly, making it difficult to find common ground and a shared sense of belonging within the organization. The tendency is for each department to prioritize itself, with a silo mentality. It is necessary to know how to work as a team and to have an overall vision. Until now, everyone has defended their own fortress — this is the conclusion the speakers drew in summarizing the simulated incident. Against new threats, one solution could be an “emergency control room” model, as well as new forms of public/public partnerships in security, involving a broader set of stakeholders. It is time to adopt a new collaborative approach.

Article Source: ForumPA, 4 November 2024. Written by Manlio Serreti
