Robust cybersecurity policies within healthcare environments are crucial, as medical organisations become increasingly reliant on hospital information systems to access patient data, such as the electronic health record (EHR). The aim of cybersecurity in healthcare is to defend these critical medical systems from unauthorised access to, and disclosure of, patient data.
The sensitive data contained in medical records makes them an appealing target for cyber criminals, who can sell the information or hold it to ransom; as a result, 43% of healthcare organisations are reported to have experienced a ransomware attack in recent years.
Learning from the past
A lot can be learnt from the WannaCry attack, a ransomware attack that impacted a significant number of major healthcare providers in May 2017. Thousands of appointments and operations were cancelled, and in some places patients had to travel further to accident and emergency departments.
No healthcare organisation paid the ransom, but the level of widespread disruption was significant, and dangerous. The spread was eventually halted when a security researcher registered the domain that the malware checked before encrypting a machine: this acted as a 'kill switch' that stopped new infections from encrypting files, although it did nothing for machines that had already been hit.
Since this attack, the healthcare organisations that were impacted have written to every major health board asking them to confirm that they have acted on all security alerts, applied outstanding patches (WannaCry spread through an SMB vulnerability for which a patch had been available for about two months) and secured local firewalls. It was a wake-up call for a sector whose teams are largely underfunded and burdened by legacy systems: investment and upgrades were needed, and cybersecurity suddenly became a priority.
Cybersecurity Risks
Any system reachable over a network can be attacked, which is why it is important for security teams within organisations to know where the potential risks are. Good cybersecurity practices are essential across the healthcare sector, due to the sensitive nature and value of its data, so preventive measures should be in place.
Email is often the main risk: it is a primary means of communication, and therefore an obvious entry point for attackers. All employees need to be able to recognise phishing emails that look genuine but come from untrustworthy sources, and to report them rather than act on them. Strong, unique passwords, backed by multi-factor authentication, make it far harder for an attacker who has phished one password to break into the mailbox.
It is also important to remember that healthcare establishments, such as hospitals and GP surgeries, are public places. If physical devices are left unattended then anyone can potentially have access to them. Laptops, tablets and mobile phones could easily fall into the wrong hands if they are not correctly looked after, so these devices need strong passwords, an automatic screen lock, full-disk encryption and the ability to be remotely wiped if they are lost.
These spaces also often offer free Wi-Fi, meaning anyone can join those networks. IT teams need to ensure there is a clear separation between the public Wi-Fi and any network that carries sensitive data or operational systems: a separate SSID and VLAN for guests, client isolation on the guest network, firewall rules that block guest traffic from reaching clinical subnets, and appropriate passwords and security measures on the staff and clinical networks.
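As an added example (not from the original article, and not a Fortinet configuration), the separation described above expressed as a Linux nftables ruleset on the gateway that routes between the VLANs. The interface names (vlan40 for the guest Wi-Fi, vlan20 for the clinical network, wan0 for the internet uplink) and the subnets are assumptions; IPv6 rules are omitted for brevity.

```nftables
# Added example: guest/clinical separation on a Linux gateway.
# Interface names and subnets are assumptions, not taken from the article.
table inet guest_isolation {
    # Address space of the clinical network (EHR servers, clinical workstations).
    set clinical_nets {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/16, 10.30.0.0/16 }
    }

    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Return traffic for flows that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Guest Wi-Fi (vlan40): never into clinical networks, never into any
        # other private range; internet access only. The explicit drops are
        # redundant with the default policy but give auditable counters.
        iifname "vlan40" ip daddr @clinical_nets counter drop
        iifname "vlan40" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter drop
        iifname "vlan40" oifname "wan0" accept

        # Clinical VLAN (vlan20): may reach clinical servers, plus web egress only.
        iifname "vlan20" ip daddr @clinical_nets accept
        iifname "vlan20" oifname "wan0" tcp dport { 80, 443 } accept

        # Nothing from the internet or the guest network may initiate into
        # vlan20; count and log whatever reaches the default policy.
        counter log prefix "fwd-drop " drop
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; then verify from a client on the guest SSID that nothing in the clinical subnets answers, and check the drop counters increment. The ruleset only helps if the access points actually put guest clients on vlan40 and staff ports do not land on vlan20 without authentication, so the wireless and switch configuration needs the same review.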
Adopting good practices for healthcare cybersecurity
Healthcare organisations need a well-developed plan to reduce the likelihood of cyberattacks, and a well-defined incident response plan to contain the damage and restore service if one does happen.
Organisations should establish a security culture that involves regular risk assessments and regular cybersecurity education and training for employees. Healthcare itself constantly develops, with new medications and trials going ahead to find cures for ailments; in the same way, cybercriminals keep finding new ways of targeting people and organisations to make their attacks more convincing, so awareness also needs to continually evolve.
Incident response plans need to be prepared, rehearsed and kept current. Being proactive rather than reactive means the key decisions (who to call, which systems to isolate, which backups to restore from) have been made and tested before an attack, so the team can contain it before it becomes a bigger problem. For ransomware in particular, that means verified backups held offline, where an attacker on the network cannot encrypt or delete them.
Technical controls remain essential: properly configured firewalls, endpoint protection and, above all, prompt patching of known vulnerabilities (the gap WannaCry exploited) make successful attacks considerably less common, although no combination of products eliminates the risk.
What healthcare organisations can do now
There are a few vital, effective methods of improving an organisation's security posture. First and foremost is integrating security into business practice from the outset: even when a business wants to quickly adopt new technologies or clinical workflows, security needs to be embedded into those workflows across IT, networking and the rest of the estate. The convergence of networking and security is important, as is adopting a mesh-type architecture: a comprehensive, integrated approach to security that includes zero trust. Securing remote and online care is paramount in healthcare.
Right now, we're seeing much higher adoption of multi-factor authentication and of zero-trust solutions embedded into networks to minimise the impact of an attack. Healthcare organisations are doubling down on security because they're starting to understand it better. The health systems that have become more mature in security operations, getting in front of attacks or limiting their damage, are succeeding, and that knowledge is spreading through the industry.
By Chris Parker, Director of Government Strategy, Fortinet