A critical national cybersecurity event and the effectiveness of compensating technical controls provided by Roche-managed firewalls
Success story
navify® digital solutions integrate seamlessly with diagnostics instruments, and in particular with Roche diagnostic solutions, bringing together state-of-the-art, on-premise, clinically regulated diagnostics instruments with advanced software solutions to provide optimised end-to-end capabilities for your diagnostics requirements.
The security of our digital products is assured throughout the product lifecycle, as is the security of our clinically regulated diagnostics instruments, which is evidenced in the following case study.
On 14 May 2021 the Health Service Executive (HSE) of Ireland suffered a ransomware cyberattack which resulted in a nationwide disruption of its health and social care services.
Roche Diagnostics, manufacturer of a wide range of network connected clinical diagnostics systems, supports HSE diagnostics operations across a large number of installations across the Republic of Ireland. These form part of the Irish healthcare ecosystem receiving test requests from HSE systems and returning diagnostics test results.
In connecting to such customer networks, the Roche Diagnostics systems are exposed to the same cyber security threats as those that materialised on 14 May 2021.
Roche’s approach is to ensure that the performance of the solution delivers constant, reliable results within tolerance. To assure that performance, extensive validation tests are undertaken against standard configurations including all components: hardware, clinical assays and software. The trustworthy, validated performance of Roche instruments underpins the operation of laboratories to quality and license-to-operate requirements such as ISO 15189:2012. Changes to any component in the validated solution put the trustworthy performance of the solution at risk.
In recognition of the difference in cycle times between:
- corporate IT controls such as OEM security patching (Patch Tuesday) and antivirus and anti-malware updates, and
- the clinical validation cycle of diagnostics solutions,
it is Roche's policy to implement compensating controls in the form of a Roche-managed firewall between your network and the diagnostics system. These firewalls deny all traffic which is not directly related to the operation of the diagnostics instrument and its interaction with supporting systems on your network (e.g., the Laboratory Information System, LIS).
Across the Republic of Ireland, we have more than 100 diagnostics instruments and modules protected behind Roche-managed firewalls.
The Roche-managed firewall is located within the customer laboratory network to protect Roche devices from cybersecurity threats. It is a stateful firewall manufactured by the leading firewall company, Fortinet, with a custom configuration for Roche medical devices.
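As an added illustration of the deny-all policy and the stateful behaviour described above (example code written for this page, not Roche's or Fortinet's configuration), the following Python model evaluates a constructed traffic sample against a default-deny allowlist that permits only instrument-to-LIS flows and their replies; the addresses, the LIS port 5000 and the rule set are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses: the protected instrument segment and a LIS on the lab network.
INSTRUMENT_NET = "10.10.1.0/24"   # assumption: diagnostics segment behind the firewall
INSTRUMENT = "10.10.1.5"
LIS = "192.0.2.10"                 # assumption: Laboratory Information System host
LIS_PORT = 5000                    # assumption: hypothetical LIS listener port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


class DefaultDenyFirewall:
    """Stateful allowlist: a new flow is accepted only if an explicit rule matches;
    reply packets are accepted only for flows already accepted (the connection state);
    everything else falls through to the implicit deny."""

    def __init__(self, rules):
        self.rules = rules          # (src_net, dst_net, proto, dport) allow rules
        self.established = set()    # 5-tuples of flows accepted so far

    def evaluate(self, pkt):
        # Reply direction of an already-accepted flow: accepted without a rule.
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto) in self.established:
            return "accept:established"
        # Otherwise the packet must match an explicit allow rule.
        for src_net, dst_net, proto, dport in self.rules:
            if (ip_address(pkt.src) in ip_network(src_net)
                    and ip_address(pkt.dst) in ip_network(dst_net)
                    and pkt.proto == proto and pkt.dport == dport):
                self.established.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))
                return "accept:rule"
        return "deny"   # implicit default deny


def run_demo():
    """Evaluate a constructed traffic sample and return the verdicts in order."""
    fw = DefaultDenyFirewall([(INSTRUMENT_NET, LIS, "tcp", LIS_PORT)])
    sample = [
        Packet(INSTRUMENT, LIS, 40001, LIS_PORT),      # instrument sends results to LIS
        Packet(LIS, INSTRUMENT, LIS_PORT, 40001),      # LIS reply on the same flow
        Packet("192.0.2.77", INSTRUMENT, 51000, 445),  # unsolicited file-share probe
        Packet(LIS, INSTRUMENT, 52000, 3389),          # LIS host opening a new RDP session
        Packet(INSTRUMENT, "192.0.2.77", 40002, 445),  # instrument reaching a workstation
    ]
    return [fw.evaluate(p) for p in sample]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Only the first two packets pass: the rule-matched upload and its stateful reply; an unsolicited reply-shaped packet with no prior accepted flow is dropped like any other.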
Roche is pleased to report that no instruments connected to the HSE network but protected behind Roche-managed firewalls were infected by the ‘Conti’ ransomware attack in May 2021. This affords high levels of assurance around the effectiveness of this approach in protecting the operation of customer diagnostics operations during a period when the NCSC reports ransomware as the most serious and tangible cybersecurity threat globally.
Roche devices in University Hospital Galway that were located behind the Roche-supplied FortiGate firewalls showed no signs of compromise and were not impacted by the cyberattack last year.