Building a cyber-resilient healthcare organisation

Mark Brown, MD, Cybersecurity, Information and Resilience at the British Standards Institution (BSI), talks about the immediacy of cybersecurity in primary healthcare

The COVID-19 pandemic demonstrated the crucial importance of a fully functional pharmaceutical and healthcare ecosystem. At the same time, with many more staff working from home and the rapid adoption of remote consultations signalling a new era of telemedicine, many healthcare organisations around the world have been subjected to damaging cyber-attacks. These attacks have exposed the fragility of many healthcare networks and their ecosystems. As the healthcare industry changes, through technological advances, digitisation and complex regulation, organisations need to be resilient enough to adapt to and embrace those changes. Effective information security and data privacy resilience is needed to keep the organisation operating securely. Whilst the societal and organisational risks of cyber-attacks are high, some of the mitigation techniques can be reassuringly simple. Fear of complexity is no excuse.

Why the immediacy of cybersecurity in primary healthcare?

COVID-19 has both increased the potential impact of a cyber-attack and increased the likelihood of one happening. With unprecedented demand on healthcare, the impact of service disruption caused by a cyber-attack can be devastating. Cybercriminals have tried to take full advantage of the pandemic: Interpol reported a significant uptick in phishing and ransomware attacks during the pandemic, with many attacks focused on primary healthcare organisations. Healthcare is particularly susceptible to phishing attacks that aim to harvest information, such as login details for systems that hold valuable data, or bank details. This information is often resold on the dark web for a fee. Healthcare data is more valuable to cybercriminals than any other data because it is permanent and cannot easily be changed. An average stolen data set is worth about £20 (US$25) per record; clinical data can be worth up to £100 (US$140) per record.

The adoption of remote and online working at speed has significantly increased the risk of employees using their personal devices, working in potentially less secure environments, and using unfamiliar technologies such as teleconferencing for remote care provision. Sharing unsecured data and relying on potentially vulnerable information systems exposes gaps in cybersecurity which can be exploited by ‘hackers’, who can launch attacks with the intention of disrupting data and systems.

What could a cybersecurity breach mean for healthcare providers?

A breach of cybersecurity means criminals can access, freeze, manipulate and publish data. For a primary healthcare facility, this could include blocking access to email, online appointment booking and triage systems, patient records, staff rotas and contact details; manipulating or corrupting data, removing ‘red flag’ alerts from clinical records, changing test results or even publishing confidential clinical records.

In 2017, the UK National Health Service (NHS) was infected by ransomware, malicious software which froze clinicians’ access to their data, in what has been called the WannaCry attack. Affected users in primary and secondary care were unable to access patient records, online diagnostics, appointment booking systems or email. The attacker issued a ransom demand in an attempt to extort money to unlock the files. Primary and secondary care serve as ‘soft targets’ for such attacks, and the attack caused great damage. Some hospitals and clinics had to temporarily close their admissions and cancel outpatient clinics while inspecting, disinfecting and restoring clean backups of hundreds of machines. Healthcare industry reports show that ransomware attacks have even been the cause of at least one death.

Mitigation of cybersecurity risks

Many of the risks outlined above can be managed by basic cyber-hygiene. While nothing can guarantee 100% safety from an attack, following the basics of cyber hygiene can substantially reduce the risk. Good cybersecurity means applying layers of security measures in case one fails. By adopting a layered approach, organisations can make themselves a less attractive target to attackers and reduce the chance of an attack being successful.

  • Physical security – Healthcare providers need to ensure the physical security of devices used to process or store sensitive information, such as laptops, tablets and smartphones. Users need to be educated to lock devices away securely when not in use. Removable devices such as USB memory drives should never be used to store clinical information. Staff should be discouraged from lending their devices to others because of the risk of loss or of infection with malware.
  • Safe information storage – Information stored on devices must be protected, so that if a device is lost or stolen the information cannot be compromised. It is vital for organisations to check that their devices encrypt data at rest. Pre-emptive measures may need to include the ability to remotely ‘wipe’ data from devices should they be lost or stolen. Healthcare organisations should implement real-time visibility of the devices people are using, so that they can spot anomalous activity early and, if need be, respond to it remotely. Providers need to ensure that devices are kept up to date, in line with industry standards, with antivirus and antimalware protection.
  • Safe use of information systems – Healthcare providers need to ensure that the information held in a system is kept secure. Effective access controls, such as strong and regularly changed passwords with two-step authentication, are recommended. Education is also important in helping staff recognise phishing emails seeking access to information systems. Phishing is still a popular strategy for cybercriminals trying to breach your organisation, so it is important to educate staff on what an attack can look like by providing them with training.

Cybersecurity is the foundation of safe patient care, the reputation of the healthcare organisation, and the trust of patients in it. If the technology fails, the healthcare organisation could fail too. In the face of a global pandemic, the huge strides made in recent times have allowed healthcare organisations globally to continue to function.

Protecting all aspects of healthcare information against theft, breaches or corruption will ensure that health services not only continue to function, but also succeed. Ensuring cybersecurity systems are in place, and staff are educated and supported to use them, is an essential part of today’s healthcare management.
