The Covid-19 pandemic has caused a surge in the uptake of healthcare technology and digital health solutions as health and care organisations look for ways to deliver care safely. But the rapid requirement to deliver digital care also prompted a rise in cyberattacks, which are now considered a genuine threat to life by many in the sector. These concerns are not unfounded – in fact, a ransomware attack in Germany in 2020 saw hackers disable computer systems at Düsseldorf University Hospital. As a result of the IT downtime, a patient died as doctors were delayed transferring her to another hospital, causing the first known death attributed to a cyber-attack.
More recently in 2021 a ransomware attack on the Health Service Executive caused a nationwide shutdown of all health service IT systems within Ireland. This attack caused severe hospital disruptions, including huge numbers of appointment cancellations, and is regarded as the largest attack against a health service computer system in history – costing the executive up to €100m to recover from.
With cyberattacks on the rise, now is a crucial time for healthcare organisations to strengthen their cybersecurity and avoid further health risks, maintain continuity of care, and save time for frontline workers.
A new standard for healthcare cyber security
With support from the government’s Cyber Essentials, a scheme to help organisations protect against cyber-attacks, and the release of the Government Cyber Security Strategy, the UK government is attempting to help organisations across industries protect themselves against the latest threats.
Organisations that have access to NHS patient data and systems must use the Data Security and Protection Toolkit (DSPT) to ensure strong data security and to certify that personal information is handled correctly. Completion of the DSPT is a contractual requirement for NHS bodies and a deadline is looming: all organisations must complete their next DSPT assessment by 30th June 2022, or face failure to comply with data protection regulations and NHS codes of practice.
Whilst shifting to more digital-focused care options, the NHS has been working to transition to Integrated Care Systems (ICSs), new partnerships for organisations to meet healthcare needs and co-ordinate services across an area.
As part of the NHS’ longer-term plan, every region of England is now covered by one of the 42 ICSs. They will be partly responsible for ensuring organisations within their remit are as cyber-secure as possible – and implementing the DSPT will ensure they are practising good information governance.
With 81% of healthcare organisations suffering a ransomware attack last year, it’s clear there are persistent cybersecurity challenges within the industry. The DSPT is the path to success – yet many organisations still fail their annual assessment. So how can the industry take on these challenges and shore up its defences?
Cyber challenges facing UK healthcare organisations
According to IBM’s ‘Cost of a Data Breach Report 2021’, the healthcare sector had the highest average cost of a data breach compared to other industries for the 11th year in a row – with the average cost coming in at £7.069 million in 2021.
It’s therefore unsurprising that healthcare data is frequently targeted by cyber-attackers as it is more valuable on the black market than data from any other sector – fetching up to £200 per record as a result of the personally identifiable patient information held.
The healthcare sector has previously struggled to adapt and bring in new technologies due to challenges around funding. This has led to some instances of the industry experiencing security gaps, impacting patient safety and the efficiency of frontline care workers.
Malware and ransomware are the most common attacks in the healthcare industry, and these often wreak havoc because of the legacy technology that is still in place at many healthcare institutions. Outdated systems usually handle sensitive, high-value patient and clinical data, but they struggle to integrate with newer technologies.
For example, they often do not receive automatic updates and patches to address security vulnerabilities. This compromises the security of the entire network as it means ransomware attacks can spread more easily and, if successful, these attacks can render machines inoperable until the healthcare organisation or insurer pays the ransom.
Another challenge of remote consultation and digital health is decentralised hospital network security, as patients are now using their own technology to access online hospital resources and chat with a healthcare professional. In the past, IT teams had visibility across a single, centralised hospital environment for their devices, allowing for a greater degree of control and security.
In addition to patients accessing hospital networks from anywhere using diverse and various devices, there are now more medical devices with an IP address within a hospital setting than ever before – such as CT scanners, CCTV, or physical access cards. This means there are an increased number of access points for cybercriminals to attack, and this widespread distribution makes it difficult for healthcare IT teams to control, manage and secure these devices.
To comply with the DSPT and protect themselves adequately, healthcare organisations need to have visibility of everything sitting across their network that has an IP address – and put simply, the legacy cybersecurity tools many currently have in place fail to achieve this.
Ensuring adherence to the Data Security and Protection Toolkit
Adhering to the Data Security and Protection Toolkit is critical to making sure a healthcare organisation can defend against cyber criminals and give IT teams clear visibility of their organisation’s cyber security posture.
To adhere to the standard, organisations must first ensure they have the technology in place to collect data across all endpoints such as laptops, desktops, servers (on-site, off-site and cloud) and remotely set policies on these devices to ensure security.
From there, they should be able to perform analysis to identify vulnerabilities, such as those flagged in NHS CareCerts, and pivot into patching these issues quickly and easily. With COVID-related shift changes prompting many workstations to be loaded with additional user profiles, in-hospital machines may be running slower and unable to accept patches due to low disk space. In addition, devices used by a staff member on shift for only a few hours a day may miss their patch maintenance windows. These are both challenges which the right endpoint management platform can identify and fix in real time.
The ability to scan, report, and remediate problems rapidly and at scale is also crucial. To do so, the cyber security tools should manage all devices and threats from a single dashboard, so that issues are detected and remediated holistically rather than through siloed solutions.
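To make the visibility point concrete, here is an added example (not Tanium code or any NHS tool) that triages a constructed endpoint inventory for the two patch-blocking conditions described above, low disk space and missed nightly maintenance windows, alongside outstanding advisories. The disk threshold, the 02:00–04:00 window, the hostnames and the advisory identifiers are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

MIN_FREE_GB = 10.0      # assumption: below this, patch packages fail to stage
WINDOW = (2, 4)         # assumption: nightly maintenance window 02:00-04:00
LOOKBACK_DAYS = 7       # how many past windows we inspect

@dataclass
class Endpoint:
    hostname: str
    free_disk_gb: float
    checkins: list                  # agent check-in timestamps (constructed)
    pending_advisories: list = field(default_factory=list)  # placeholder advisory ids

def missed_windows(checkins, now, days=LOOKBACK_DAYS):
    """Count nightly windows in the last `days` days with no agent check-in."""
    missed = 0
    for d in range(1, days + 1):
        day = (now - timedelta(days=d)).date()
        start = datetime.combine(day, time(WINDOW[0]))
        end = datetime.combine(day, time(WINDOW[1]))
        if not any(start <= c < end for c in checkins):
            missed += 1
    return missed

def patch_blockers(ep, now):
    """Reasons this endpoint cannot currently take patches; empty list = ready."""
    reasons = []
    if ep.free_disk_gb < MIN_FREE_GB:
        reasons.append(f"low disk: {ep.free_disk_gb:.1f} GB free")
    missed = missed_windows(ep.checkins, now)
    if missed == LOOKBACK_DAYS:      # never online during the window
        reasons.append(f"missed all {missed} maintenance windows")
    return reasons

def triage(endpoints, now):
    """Single consolidated view: hostname -> (blockers, outstanding advisories)."""
    report = {}
    for ep in endpoints:
        blockers = patch_blockers(ep, now)
        if blockers or ep.pending_advisories:
            report[ep.hostname] = (blockers, list(ep.pending_advisories))
    return report

NOW = datetime(2022, 3, 1, 9, 0)   # constructed reference time

def nightly(hour, days=LOOKBACK_DAYS):
    """Constructed check-in history: one check-in per day at the given hour."""
    return [datetime.combine((NOW - timedelta(days=d)).date(), time(hour))
            for d in range(1, days + 1)]

INVENTORY = [   # constructed sample inventory
    Endpoint("ward-pc-01", 3.5, nightly(3), ["ADVISORY-PLACEHOLDER-1"]),
    Endpoint("shift-laptop-07", 80.0, nightly(10)),   # only online mid-shift
    Endpoint("theatre-srv-01", 120.0, nightly(3)),
]
```

Running `triage(INVENTORY, NOW)` lists only the two non-compliant machines, each with the reason patching is blocked, which is the kind of per-device answer a DSPT evidence review expects.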
With the threat of cyberattacks being ever present and even more costly, everyone working within a health and care organisation must be connected digitally to a single point of risk, control, and governance. Part of this solution comes down to basics, such as ensuring good cyber hygiene and implementing cybersecurity training so that employees are aware of the latest threats and how to reduce their risk exposure.
With the latest figures for February 2022 showing a record of over 6.1 million people waiting for NHS treatment, frontline care workers are more stretched than ever after months of pandemic-related disruption. To ensure peace of mind around the continuity of care, the sector must put smart endpoint management capabilities in place which can ensure visibility, prioritise asset management, and deliver solid remediation plans for when IT issues arise. Only by doing so will ICSs be able to connect health and care services, be compliant with the DSPT and truly ensure faster and safer delivery of quality care.
Kieran Bamber, Director, UK Healthcare at Tanium