Ambulance dispatch, emergency prescriptions and the 111 line were amongst the services disrupted – causing criticism that the NHS isn’t spending enough on cybersecurity tech…
The NHS is “sleepwalking into a cybersecurity disaster” after hackers struck services and threatened the safety of patient data via a software supplier.
Bosses were left grappling with disrupted services and fears for patient data after an attack affected ambulance dispatching systems, emergency prescription services, and the 111 helpline – as health and care environments were isolated by the Incident Response Team.
Experts predict that the latest attack was ransomware-related, which is a type of software which demands payment for the release of the system it has infected, though this has not yet been confirmed.
Mounting concern for patient data
Growing cybersecurity risks associated with the UK healthcare sector have caused fear and confusion for patients, who are worried about the safety of their data.
A recent ITV News investigation found that one hospital had only put aside £10,000 a year towards cybersecurity, suggesting that healthcare operators are not taking the extremely far-reaching risks of cybercrime seriously.
Data breaches
Data breaches in healthcare cost millions, take months to resolve and put patient lives in jeopardy. Despite this, hospital Chief Information Security Officers are currently starved of the resources required to stop them before they start.
Compromised credentials, phishing, and cloud misconfiguration are reported to be the top attack vectors, according to a report from IBM.
Stolen or compromised credentials were responsible for 19% of breaches. Phishing was responsible for breaches 16% of the time. Cloud misconfiguration caused 15% of breaches.
Data still not safe from hackers
Ross Brewer, Vice President and General Manager of EMEA & APJ for Security Optimisation Platform AttackIQ, believes cybersecurity is integral to keeping patients’ data out of the hands of hackers.
Speaking to Health Tech World, he said: “Hackers know that healthcare organisations have a duty of care to their patients and if they can spend their budget on better health outcomes for their patients, they will often favour such investments over things like cybersecurity.
“Often healthcare providers are running legacy systems that are hard to or can’t be patched. They use medical systems that are provided by third parties that won’t allow their customers to install their own security tools on them.
“This creates a case for healthcare organisations needing more budget than other sectors.
He added: “Currently, budgets for cybersecurity only become available after a breach has happened.
“Healthcare boards and executives need to recognise the duty of care issue and provide greater dedicated funding as cyber incidents are impacting patient welfare and, in some cases, lives are being put at risk.”
Ross also said not enough testing is taking place to ensure the safety of patient data and of the healthcare system as a whole.
He continued: “CISOs need to know the efficacy and efficiency of their cybersecurity controls.
“Too often organisations install a range of protection mechanisms without making sure that they’re doing what they’re supposed to.
“The missing step is to test those defences and find gaps before the hackers find them.
The UK National Cyber Security Centre highlighted the cybersecurity threats to healthcare in their 2021 annual report.
It revealed that health sector organisations, including vaccine suppliers, accounted for 20 per cent of the 777 incidents it had been directly involved in over the previous 12 months.
