The ongoing challenge of cyber security in healthcare

1-Feb-2022

Peter Moorhead, head of security pre-sales at Telefónica Tech UK and Ireland, looks at how the COVID pandemic has escalated the threat of cyber attacks on the healthcare sector and why organisations are still falling victim to hackers

The COVID-19 pandemic has made he health sector even more attractive to cyber criminals. Image, Pete Linforth from Pixabay

The COVID-19 pandemic has made he health sector even more attractive to cyber criminals. Image, Pete Linforth from Pixabay

In terms of basic cyber security, the healthcare industry lags behind other sectors which often build their infrastructure with data security in mind.

This is especially challenging given how lucrative healthcare breaches can be to hackers as personal health information is more valuable than financial information on the dark web.

From our cyber security work with a range of NHS trusts we have seen the significant risk to patient care when day-to-day functions are interrupted.

And, as protecting healthcare information is now a top priority for all healthcare organisations, it is critical that manufacturers implement security-by-design to keep patients, and their data, safe.

So, now is the time to invest further to protect healthcare technology and patient information.

Organisations need to continually audit their supply chain to be sure their suppliers are conforming with adequate security measures, and to ensure that an attack would not put them at risk

Cyber security in healthcare protects digital information and assets from unauthorised access, use, loss, and disclosure.

Its goal is to safeguard the confidentiality, integrity, and availability of confidential information, otherwise known as the ‘CIA triad’. And this is becoming increasingly important as the pace of remote working accelerates.

The Health Service Executive (HSE) of Ireland suffered a major ransomware cyber attack in May of 2021.

Many hospital appointments across the country were cancelled, EHRs became inaccessible, radiology systems went down, and the COVID-19 testing referral system was unavailable for a number of days.

Many of us will also recall the WannaCry ransomware attack on the NHS back in 2017 which caused significant financial loss of more than £20m and service outages and forced the NHS to examine the vulnerabilities in its IT systems.

Since the attack, the HSE has invested a further £257m on capital infrastructure, with £70m specifically focused on ‘protecting the core network from cyber entry’.

Crucially, IT system outages affect end users differently to any other sector, as patients and staff alike depend on reliable technology to administer effective care and prevent further harm.

At Telefónica Tech UK&I we have identified four key reasons why the healthcare industry is particularly vulnerable.

In the already overstretched world of hospitals, it is no wonder that cyber security is not top of mind for most workers

1. A complex supply chain

From cleaning supplies to Electronic Health Records (EHRs), and from scanning machines to climate-controlled transport of drugs, the healthcare system is a highly-complex supply chain involving multiple parties and procurement processes.

And, due to the complexity of this supply chain, security practices are hard to enforce.

Organisations need to continually audit their supply chain to be sure their suppliers are conforming with adequate security measures, and to ensure that an attack would not put them at risk.

For this reason, it’s critical to take a holistic approach to cyber security with sufficient layers of defence in place to protect, detect, and swiftly fix any breaches.

2. Data gone digital

Digitised patient data ensures information is always accessible, up-to-date, and easily communicated.

And, while this digitisation has transformed the patient experience, making it easier to manage the end-to-end patient flow and reduce paperwork; with greater levels of digitisation, also comes greater risk, with public data needing increasing amounts of protection from eager cyber criminals.

Consequently, cyber security and transformation strategies need to be developed in tandem.

3. Connected and outdated devices

Medical devices are increasingly connected to the internet and clinical staff rely on these machines to monitor patient health and to serve as a partner in diagnosis.

However, each connected device offers another potential entry point for hackers.

And some healthcare centres still run operations through outdated legacy software that is no longer supported by the manufacturers, such as Windows 7.

Without regular updates, these unsupported devices can leave the healthcare sector unprotected.

4. Overstretched staff

The majority of breaches related to data privacy in healthcare are the result of employee error and unauthorised disclosure.

In the already overstretched world of hospitals, it is no wonder that cyber security is not top of mind for most workers.

The COVID-19 pandemic has only further stretched staff, creating opportunities for cyber criminals who seek to exploit workers, many of whom have not been adequately trained on cyber threats and/or simply do not have the time to consider whether digital activity is suspicious.

The existing demands on staff also make it even more difficult to upgrade technology due to the perceived disruption and necessary training involved in the process.

What good looks like

So how can digital healthcare leaders respond to the cyber security challenges they are facing?

The NHSX, What Good Looks Like framework advises having a system-wide plan for maintaining robust cyber security and an adequately resourced Integrated Care System-level cyber security function.

Sound advice, but our experience suggests effective cyber security demands a base set of skills that an NHS, or public sector healthcare organisation isn’t necessarily well placed to deliver itself.

From our cyber security work with a range of NHS trusts we have seen the significant risk to patient care when day-to-day functions are interrupted

For this reason, many healthcare organisations are deciding to outsource security in its entirety.

The chief information officer of a leading NHS foundation trust, a Telefónica Tech customer, describes how this approach has benefitted them: “We had a vision for a modern system fit for 21st-century medicine, but we knew to try and run this ourselves would be a mistake.

“Now, we have experts across different domains that the trust previously didn’t have access to.

“Malware is trapped before it gets anywhere near the hospital systems and staff are protected with an invisible layer of security, both on and off the hospital campus.”

The above example illustrates the importance of keeping pace with the fast-moving security landscape, but also how removing the immense pressure of day-to-day management can help achieve broader digitalisation goals.

Our experience suggests effective cyber security demands a base set of skills that an NHS, or public sector healthcare organisation isn’t necessarily well placed to deliver itself

Security must be a priority in healthcare because, without adequate protection, trusts cannot fulfil their role to provide the best-possible patient outcomes due to the significant ongoing risk.

Sign up for your free email newsletter

Outsourcing to a managed service provider means that pressure is not only eased, but a dedicated team of experts can consistently monitor for advanced threats and mitigate risks in the background of the wider running of the healthcare infrastructure.

Companies