Getting Healthcare Security Right Starts with the Basics
Table Of Contents:
No organisation wants to suffer a major security breach. But when it happens to healthcare organisations (HCOs) like NHS trusts, there can be an outsized impact on the local community. The WannaCry attacks of 2017 and Conti ransomware raid on Ireland’s Health Service Executive (HSE) laid bare failings on both sides of the Irish Sea. While improvements have been made, many underlying challenges continue to expose the sector to severe cyber risk. With the stakes so high, a comprehensive joined-up approach to managing these risks is long overdue.
Setting the Scene
Why are HCOs so exposed to cyber risk? As the government acknowledges in its own security strategy for the sector to 2030, much of its stems from a series of unique factors, including:
- Its size and diversity make it difficult to standardise approaches across all constituent parts, from primary to adult social care. It also means data is being shared by a potentially large number of disparate entities, which may increase risk.
- Limited resources and cybersecurity specialists to spend on the problem
- Unclear reporting and accountability lines
- Extremely high operational pressure, which has only increased with COVID-19 backlogs
- A large estate of diverse technology assets—from diagnostics machines to patient booking systems and prescription services. Many operational technology (OT) systems may be difficult or near impossible to patch
What are the Main Cyber-Threats to Healthcare?
That said, many of the threats facing HCOs are similar to those in other sectors. They include:
Software vulnerabilities: often exacerbated by the use of unsupported operating systems. OT equipment with a long (> 10-year) lifespan may not support modern software and OS, making patching double challenging. According to William Smart’s Lessons Learned review of NHS England, over 1200 pieces of diagnostic equipment were identified as infected with WannaCry after the infamous threat surfaced in 2017.
Social engineering: Phishing remains one of the top threat vectors across all sectors, exploiting the human weak link in the security chain. Under pressure, healthcare staff may be more inclined to click before thinking.
Remote working: Healthcare has embraced hybrid working where possible to improve productivity and work-life balance. But risks associated with distracted staff and insecure home devices/networks persist.
Malicious insiders: Interestingly, over a third (35%) of breaches analysed by Verizon this year in the sector came from insiders. It warns of the threat from disgruntled employees and collusion between multiple parties.
Accidental leaks: Another trend Verizon spotted is the misdelivery of sensitive information by healthcare staff. Along with basic web application attacks, miscellaneous errors represent 68% of breaches.
Supply chain: With a large and complex supply chain, healthcare providers are exposed to additional risk. A ransomware attack on UK software supplier Advanced has had a widespread impact on the NHS for weeks, including its critical 111 helpline. More recently, Ireland’s HSE admitted the MOVEit data theft campaign impacted it.
What’s at Stake?
WannaCry highlighted for the first time the level of reliance that modern healthcare systems have on digital technology. In total, it disrupted 81 out of 236 trusts in England (34%), leading to an estimated 19,000 cancelled appointments and operations, with many patients directed to A&E departments further afield.
“With an estimated daily 950,000 general practice appointments, 45,000 major A&E department attendances and 137,000 imaging events recorded, the scale of impact—both direct and indirect—from a cyber attack on the health and social care sector is potentially huge,” the government admits.
There is a financial cost to this, of course. Ireland HSE has already spent tens of millions of euros managing the fallout from its massive 2021 ransomware breach. A study from ThreatConnect claims that, on average, HCOs of up to $500m in revenue lose an estimated 30% of operating income if hit by a severe ransomware attack. There is certainly also a regulatory risk, especially if employee and patient personal information is stolen. While there have been no significant GDPR fines to date, regulators have occasionally levied financial penalties, and the regulation indeed classifies most medical data as a “special category”, meaning its subject to stricter rules.
However, beyond the financial, reputational and compliance impact, which can seriously degrade patient trust, there’s a more obvious risk: patient safety. Studies have shown a growing correlation between mortality rates and cyber-attacks. One report even found a link between data breaches and heart attack fatalities. That’s aside from the apparent risk to patient health from ransomware attacks that take critical digital systems offline.
How are HCOs Doing?
Given these high stakes, seeing progress on cyber risk mitigation in the UK healthcare sector is somewhat reassuring. According to the government’s Cyber Security Breaches Survey 2023, organisations in the health, social care and social work sector are “significantly” more likely than the average organisation to take best practice actions like implementing security monitoring, risk assessments, staff testing, vulnerability audits, penetration testing and threat intelligence. The figure is 74% for HCOs versus 51% across all sectors. They’re also more likely (35% vs 18%) to have conducted staff security awareness training over the past 12 months. And more health, social care and social work organisations have business continuity plans covering cybersecurity (46% vs 27%) and formal security policies (57% vs 29%) in place.
However, there’s still more to do, and there’s no guarantee that these efforts aren’t merely box-ticking exercises from organisations operating in a highly regulated sector.
Richard Staynings, Chief Security Strategist for UK healthcare security specialist Cylera, argues that certifying healthcare applications, vendors, and third-party service providers would help a great deal.
“ISO27001 certification makes a lot of sense for some services that can be certified, while a SOC2 Type II attestation based upon applicable ISO 27001 domains and controls may make better sense for others,” he tells ISMS.online. “Either way, providers should not have to be in the space of risk assessing their vendors each and every year as is the current case. At the very least, third parties need to be held to equal or greater levels of security than the providers that they serve. Common standards would most definitely help.”
Mohammad Waqas, CTO for Healthcare at Armis, argues that the NHS Data Security and Protection Toolkit, alongside ISO 27001 and the EU’s NIS Directive, gives the UK “a more mature security baseline” than many other countries. However, he warns that medical device security, in particular, presents a significant risk.
“Being able to monitor these devices and understand their behaviour and risk in real-time is key to ensuring patient safety and smooth operations. It also enables the proactive identification of risks and vulnerabilities, empowering trusts to take timely action,” he tells ISMS.online. “By using a centralised risk management solution, HCOs can adopt a unified approach to risk reduction across all device types, which will ensure a holistic security posture and improve overall security.”
Managing Healthcare Compliance Risk
There’s much to recommend in the government’s 2030 strategy, which mandates all public healthcare organisations be regularly audited under the National Cyber Security Centre’s Cybersecurity Assessment Framework (CAF). The strategy sets out five key pillars for success:
- Focus on the greatest risks and harms
- Defend as one
- People and culture
- Build secure for the future
- Exemplary response and recovery
A large part of what the strategy is trying to achieve is to ensure HCOs first get the cyber hygiene basics right, to eliminate the risks stemming from relatively basic errors like easy-to-guess passwords, unpatched assets and phishing. Where prevention isn’t possible, the idea is to ensure organisations have the right security monitoring tools and incident response processes to ensure they can detect and contain threats before they can make a serious impact.
ISO 27001 can help these efforts by:
- Identifying security gaps
- Minimising supply chain risks
- Supporting regulatory/legal compliance efforts
- Ensuring staff are appropriately trained and security-aware
- Reducing breach risks through properly documented policies and processes
- Managing risk across the entire cyber-attack surface
It’s all about enhancing critical IT systems’ cyber resilience, ultimately building trust with patients and reducing the financial and operational impact of healthcare cyber-attacks.
If you’re looking to start your journey to better information security and data privacy, ISMS.online can help.
Our ISMS solution enables a simple, secure and sustainable approach to data privacy and information management with ISO 27001 and supercharges other frameworks such as SOC 2, GDPR and more. Unlock your healthcare compliance today.
