The Challenges of Cyber Security in Healthcare
Today, on a global scale, the number of cyber-attacks across all industries is rising, and the financial impact is accumulating. Indeed, the UK Government has encouraged all organisations to be more vigilant of cyber threats and follow its guidance to strengthen cyber security practices since almost one in three businesses (31%) said they now experience breaches or attacks at least once a week.
In the healthcare industry, especially, which experiences the highest number of data breaches annually compared to other sectors, cyber threats are a significant challenge. We all remember the May 2017 ‘WannaCry’ attack, which severely disrupted over 80 hospital trusts and 8% of GP practices after ransomware was used to lock down hospitals in England. According to the National Health Executive, this one attack cost the NHS a total of £92m through services lost during the attack and IT costs in the aftermath.
As well as the complications with patient care and the frequently staggering financial implications associated with a successful cyber breach, the introduction of GDPR in May 2018 (or the UK’s implementation of it, the Data Protection Act 2018) brought with it new regulatory challenges and associated fines for non-compliance. As a result, health and social care organisations and all other institutions must follow stricter guidelines on collecting, processing, and storing personal data.
Healthcare’s most common cyber attacks
Since WannaCry, in particular, cyber security has been – as indeed it should be – a huge concern for healthcare facilities. Sadly, the industry (and especially the NHS) has taken constant beatings of late. Years of austerity measures and the subsequent COVID-19 pandemic have already drained scarce resources and made building cyber resilience and defences an uphill battle for many healthcare practices.
Compared to other organisations with higher security budgets, less stretched IT teams, and modern, well-constructed cyber security systems, some healthcare facilities may be viewed by cyber criminals as ‘easy targets’ from which to make a quick buck. Not to mention that national intelligence has indicated that state-sponsored actors from Russia would target UK critical national infrastructure and has called out the NHS as one of those targets.
The most common cyber threats to healthcare institutions include:
Viruses/malware from third-party devices
From infected removable media devices (hard drives, USBs) to internet-enabled devices unwittingly sharing malware on the organisation’s network, it’s estimated that viruses and malware introduced by third parties make up nearly half of all healthcare cyber-related incidents. Unfortunately, healthcare networks are notoriously complex and outdated (i.e., their systems don’t collaborate seamlessly), so these types of devices are widely used to move data between platforms, and keeping track of them remains a constant problem for IT security teams. As a result, healthcare organisations must treat endpoint security as one of their highest priorities. Every device connected to the network creates another potential entry point or point of origin for security threats. Sadly, it doesn’t matter how well-secured email and web channels are against malware; if there is an open back door in the form of a third-party device, the entire organisation remains at risk.
Employees sharing information
Likely to be human error rather than malicious intent, many security breaches within the healthcare sector occur due to employees sharing sensitive data with unauthorised recipients, e.g., colleagues or suppliers.
Sadly, this illustrates how easy it is to jeopardise organisational compliance and breach GDPR / Data Protection rules. Under GDPR, sending patient data to a person without proper authorisation can put the organisation at risk of a fine of up to €20 million or 4% of global turnover (whichever is larger). Remember, user awareness training sits at the core of data protection and information security; employees must be educated on, and understand, how to handle data securely and mitigate the risk of data breaches.
The need to remotely access data
It makes sense that collaborative working is a must for the healthcare industry – departments often work together to diagnose ailments and provide the best patient care. Naturally (especially since COVID-19), those who need to access information often work remotely from a range of different IoT devices.
Unfortunately, connecting to a network remotely can be risky, since not every device will be secure and up to date in terms of both its security configuration and its software. Remember, it only takes one hacked or infected device to compromise the entire network, infecting hundreds of machines and potentially exposing sensitive patient records. This is precisely why software asset management (SAM) is so important in the healthcare industry. It helps ensure that patches (updates to software that fix issues, including security flaws) are installed and that unwanted, potentially risky applications such as browser plugins or extensions are removed.
Medical technology makes incredible advancements every day; however, the same cannot be said for all aspects of healthcare IT. Limited budgets, legacy software, and a hesitancy to install and learn new systems often mean that everyday IT in healthcare is outdated, overly complex, and non-collaborative. The industry can also suffer from what we call ‘supplier sprawl’ (when organisations attempt to juggle too many IT solutions, vendors, and services at once). Not only does this compromise security, but it also means dedicating many resources just to keep things ticking.
To this end, the industry can benefit from a service integration and management (SIAM) solution designed to free individuals from the responsibility of managing resources and suppliers and offering single-contact accountability to ensure all suppliers work together seamlessly. Where it’s not feasible to upgrade to different, more secure software – or where medical staff don’t want the hassle – it’s possible to minimise the risk of cyber-attacks by adding extra layers of security. If one system is compromised, a managed detection and response (MDR) service can help contain and remove the threat, for instance.
It’s necessary, in the healthcare industry, that confidential patient data is made easily accessible to staff, both on-site and remotely. Combine this with the typically urgent nature of the medical industry, which dictates that teams need to be able to share information immediately – often without time to pause and consider cyber security implications – and the risk of a breach increases.
The worry for security professionals is that the devices used to share information are not always protected. In a time-critical environment, it doesn’t make sense to have IT teams or information security officers manually checking or granting access rights. Bear in mind that users accessing data remotely only need the access privileges required for the tasks they have to perform. So, if they’re checking their emails, they won’t need full admin account privileges; precautions like this limit the chance of admin accounts becoming compromised. Additionally, multi-factor authentication (MFA) solutions can help prevent attacks that rely on compromised credentials or unauthorised users.
Many healthcare facilities can benefit from the insights of a vCISO (Virtual Chief Information Security Officer) to enhance their cyber maturity quickly, as well as to gain expert risk-mitigation tactics and reporting capabilities. Always on hand to share strategic insights, meet compliance requirements, and manage cyber policies, a vCISO is a cost-effective way for healthcare organisations to access invaluable cyber resources and expertise right off the bat.
If you would like to discuss Littlefish’s managed cyber security services and the ways we can help healthcare organisations digitally transform, feel free to get in touch via the button at the top of this page.