We speak to Peter Moorhead, head of security pre-sales at Telefónica Tech UK and Ireland, about the reasons the healthcare industry is so vulnerable to online attacks
The COVID-19 pandemic has made the health sector even more attractive to cyber criminals. Image: Pete Linforth from Pixabay
In terms of basic cyber security, the healthcare industry lags behind other sectors which often build their infrastructure with data security in mind.
And this is especially challenging given how lucrative healthcare breaches can be to hackers as personal health information is deemed more valuable than financial information on the dark web.
From Telefónica Tech’s cyber security work with a range of NHS trusts, the significant risk to patient care when day-to-day functions are interrupted is evident.
“Protecting healthcare information is now a top priority for all healthcare organisations,” explains Telefónica’s head of security pre-sales, Peter Moorhead.
“It is critical that manufacturers implement security-by-design to keep patients, and their data, secure.”
And now is the time to invest further to protect healthcare technology and patient information.
Moorhead explains: “Cyber security in healthcare protects digital information and assets from unauthorised access, use, loss, and disclosure.
“Its goal is to safeguard the confidentiality, integrity, and availability of confidential information, otherwise known as the ‘CIA triad’, and this is becoming increasingly important as the pace of remote working accelerates.”
The Health Service Executive (HSE) in Ireland suffered a major ransomware cyber attack in May of 2021.
Many hospital appointments across the country were cancelled, EHRs became inaccessible, radiology systems went down, and the COVID-19 testing referral system was rendered unavailable for a number of days.
Many of us will also recall the WannaCry ransomware attack on the NHS back in 2017.
That attack caused service outages and significant financial loss of more than £20m, and forced the NHS to examine the vulnerabilities in its IT systems.
Since the attack, the HSE has invested a further £257m on capital infrastructure, with £70m specifically focused on ‘protecting the core network from cyber entry’.
But what makes the health sector so attractive to hackers?
Moorhead said: “Crucially, IT system outages affect end users differently to any other sector, as patients and staff alike depend on reliable technology to administer effective care and prevent further harm.”
And he believes there are four key reasons why the sector is so vulnerable.
From cleaning supplies to Electronic Health Records (EHRs), and scanning machines to climate-controlled transport of drugs, the healthcare system is a highly-complex supply chain involving multiple parties and procurement processes.
And, due to the complexity of the supply chain, security practices are hard to enforce.
Organisations need to continually audit their supply chain to be sure that their suppliers are conforming with adequate security measures and to ensure that an attack would not put them at risk.
For this reason, it’s critical to take a holistic approach to cyber security with sufficient layers of defence in place to protect, detect, and swiftly fix any breaches.
Digitised patient data ensures information is always accessible, up to date, and easily communicated.
This digitisation has transformed the patient experience, making it easier to manage the end-to-end patient flow and reduce paperwork.
However, with greater levels of digitisation comes greater risk, with public data needing increasing amounts of protection from eager cyber criminals.
Consequently, cyber security and transformation strategies need to be developed in tandem.
Medical devices are increasingly connected to the internet and clinical staff rely on these machines to monitor patient health and to serve as a partner in diagnosis.
Each connected device offers another potential entry point for hackers, with some healthcare centres still running operations through outdated legacy software that is no longer supported by the manufacturers, such as Windows 7.
Without regular updates, these unsupported devices can leave the healthcare sector unprotected.
The majority of breaches related to data privacy in healthcare are the result of employee error and unauthorised disclosure.
In the already-overstretched world of hospitals, it is no wonder that cyber security is not top of mind for most workers.
The COVID-19 pandemic has only further stretched staff, creating opportunities for cyber criminals who seek to exploit workers, many of whom have not been adequately trained on cyber threats and/or simply do not have the time to consider whether digital activity is suspicious.
The existing demands on staff also make it even more difficult to upgrade technology due to the perceived disruption and necessary training involved in the process.
So what does good look like?
So how can digital healthcare leaders respond to the cyber security challenges they are facing?
Moorhead said: “The NHSX What Good Looks Like framework advises having a system-wide plan for maintaining robust cyber security and an adequately-resourced Integrated Care System-level cyber security function.
“Sound advice, but our experience suggests effective cyber security demands a base set of skills that an NHS, or public-sector healthcare organisation, isn’t necessarily well placed to deliver itself.”
For this reason, many healthcare organisations are deciding to outsource security in its entirety.
The chief information officer of a leading NHS foundation trust, a Telefónica Tech customer, describes how this approach has benefitted them: “We had a vision for a modern system fit for 21st-century medicine, but we knew to try and run this ourselves would be a mistake.
“Now, we have experts across different domains that the trust previously didn't have access to.
“Malware is trapped before it gets anywhere near the hospital systems and staff are protected with an invisible layer of security, both on and off the hospital campus.”
The above example illustrates the importance of keeping pace with the fast-moving security landscape, but also how removing the immense pressure of day-to-day management can help achieve broader digitalisation goals.
“Security must be a priority in healthcare as, without adequate protection, trusts cannot fulfil their role to provide the best-possible patient outcomes due to the significant ongoing risk,” said Moorhead.
“Outsourcing to a managed service provider means that pressure is not only eased, but a dedicated team of experts can consistently monitor for advanced threats and mitigate risks in the background of the wider running of the healthcare infrastructure.”