Phil Howe, Chief Technology Officer at Core to Cloud, and Richard Staynings, Chief Security Strategist at Cylera, share their insights with Health Tech World about rising cyber threats to healthcare…
With the UK Government now on ‘high alert’ – preparing for a wave of potentially devastating Russian-led cyber-attacks towards our critical infrastructure – what preventative measures can the health sector take to ensure better cybersecurity and patient safety?
Rising threats to healthcare
Cybercrime has become an increasing concern for organisations and individuals globally. Governments around the world expect costs to reach $10.5 trillion annually by 2025, with breaches in healthcare settings increasing significantly in type, impact, and frequency.
Cyber-attacks within the healthcare sector have already negatively impacted patient privacy and safety, the ability of providers to deliver proper care, and the operation and access of healthcare services.
The NHS 111 attack against software vendor Advanced in August 2022 rendered specific NHS services unusable for a large part of the country.
As a critical infrastructure industry, the NHS will always be a target for cyber-attacks due to the sheer amount of data it harvests and stores.
Medical data is valuable to hackers both through its theft and through extortion, by denying organisations access to their own data or the systems that process it.
As the threats from nation states and cyber gangs in general continue to be of considerable concern, our healthcare sector must remain vigilant and learn to adapt and respond quickly to the evolving strategies of cyber attackers.
Security vulnerabilities of medical IoT devices
Medical IoT is growing rapidly, with 75% of all medical devices now connected to the internet. But despite the numerous benefits that these connected devices provide, many are over a decade old and have never been patched.
This is significant, with hospitals using extremely sensitive pieces of connected technology, from infusion pumps that administer vital drugs to highly targeted radiological cancer equipment.
What’s more, the Interim CIO at NHSX reports that 21 million items of malicious activity get blocked every month within the NHS.
As critical, life-saving devices, they require accurate data management and robust security measures to ensure fundamental patient safety. Failure to provide these could potentially lead to significant increases in patient morbidity and even mortality.
So, how can the NHS and healthcare sector protect themselves from these attacks?
Increase device visibility
In cybersecurity, seeing is protecting. Visibility of a network and the devices on it is important because IT environments are becoming increasingly complex.
With more and more devices accessing any one network, having a solid understanding of where these devices are located and what they’re being used for is the first step to take to prevent future cyber-attacks.
Currently, many connected devices are largely unmanaged, and healthcare staff don’t have enough visibility of what these pieces of equipment are doing in real time.
Understanding how these devices are communicating, what their security footprint looks like and how they’re being used is critical to securing them and mitigating an attack.
This is ever more important with the explosion in remote healthcare with devices connecting from homes, back to the hospital network.
If a cybersecurity breach arises, an organisation needs to see exactly what’s happening and where on the network so that breaches can be rectified in an instant.
Ensure validation & penetration testing
Validation and penetration testing is all about finding out if an organisation’s current cybersecurity controls are working, which is critical in preventing future cyber-attacks as it detects areas of weakness.
According to the UK Government’s Cybersecurity Breaches Survey for 2022, 54% of businesses reported taking action to identify cybersecurity risks, and 35% of those reported using security monitoring tools to detect these weaknesses.
As cyber-attacks become more sophisticated, organisations need to stay one step ahead of the hackers. To achieve this, organisations should safely test and exercise their cybersecurity controls to make sure they’re functioning properly.
Known as penetration testing, it allows the organisation to mimic an attack in its own environment, giving real evidence of the robustness of its security systems.
Although a company may have security systems in place, there’s no way of knowing that those measures will work until an attack occurs.
By safely simulating various cyber-attacks, validation tools can identify overlooked weaknesses in security systems, allowing the relevant teams to action a remedy.
Manage access of devices
Access to data, systems and services needs to be protected, so proper management of an organisation’s devices is a critical step in preventing future cyber breaches.
This involves restricting employees only to the information they need to do their job, never inherently trusting access, and always having some level of verification in place for every request.
Understanding who or what needs access, and under what conditions, is just as important as knowing who needs to be kept out.
Choosing appropriate methods to establish and prove the identity of users, devices, or systems with enough confidence to make access control decisions, alongside a good approach to identity and access management, will make it hard for attackers to pretend they are legitimate.
It’s, therefore, important for an organisation to consider how it establishes identity.
An identity and access management policy should cover who has access to which systems, data or functionality, why, and under what circumstances, and should consider all potential types of users – including full and part-time staff, contractors, volunteers, students and visitors.
Encourage supply chain security
An attack on an organisation’s suppliers can be just as damaging as one that directly targets the organisation itself.
Therefore, it’s critical to understand the supply chain, including commodity suppliers such as cloud service providers and those suppliers who hold bespoke contracts with the organisation.
Organisations would benefit from building security considerations into contracting decisions and, where appropriate, requiring suppliers to do the same.
Establishing supply chain security awareness for appropriate staff and working with them to ensure the process is fit for purpose, as well as exercising influence wherever possible and encouraging continuous improvement, will help improve security across an organisation’s supply chain.
Create an incident management and response plan
In the event of a breach or cybersecurity attack, organisations need an efficient approach to manage the aftermath. The main aim is to handle the situation in a way that minimises disruption, damage, and costs, both financial and reputational.
Having an incident management and response plan is a bit like a busy hotel having a fire plan. You’d expect a hotel’s fire plan to map where the relevant safety equipment and fire escapes are located, with an appointed response team that knows exactly how to respond in the event of a fire.
Drilling and training are all part of being ready should an incident occur.
Having a well-regulated cyber incident management and response plan that trains staff in the steps to take should a breach occur is key, with a ready team that knows what to do, and when, to mitigate damage and secure the rest of the organisation’s IT environment.
Engage and train staff
An organisation is only as safe as its weakest link. This means that the people employed by an organisation need to be at the heart of every cybersecurity strategy.
People can also be one of the most effective resources in preventing incidents, or detecting when one has occurred, provided they are properly engaged and trained in how to respond in the event of an emergency.
Supporting staff to obtain the skills and knowledge required to work securely is often done through regular awareness and training sessions.
This not only helps protect the organisation, but also demonstrates that the staff are valued, and recognised as important to the business.
Better security is the enabler of safer medical services, especially since many of these services will be newly connected to a network for the very first time.
Going forward, healthcare organisations need to take the necessary steps to defend against future cyber-attacks. This will require better tools to enhance visibility of networks, monitor increasing risks and detect threats, and incident response plans actioned by staff who are ready to act.