Health Business 20.4


Advertisement Feature

Healthcare at risk: the cyber security timebomb

Nicky Whiting, head of Compliance for Bulletproof, discusses the urgency of improving healthcare cyber security

Healthcare is repeatedly cited as the number one targeted sector for cyber criminals. And it’s no secret that both private and NHS healthcare providers need to step up their cyber security in order to meet today’s standards of data protection. But that’s often easier said than done, and the resulting lack of security controls can lead to disrupted services, data breaches, and even potentially threaten lives. This is happening in hospitals up and down the country, meaning the time to act and secure cyber defences has never been more vital.

Written by Nicky Whiting, Head of Compliance

Why do hackers attack healthcare?

The first thing to understand is that most cyber attacks are not targeted. Opportunistic cyber criminals aren’t aiming at healthcare or any other sector, rather they’re looking for an easy target. And if that happens to be an NHS computer, so be it. The perilous state of many healthcare organisations’ IT setup makes them an easy target for cyber attack. We’ve already seen opportunistic hacking create large-scale disruption within the NHS in the form of 2017’s WannaCry ransomware attack.

Private healthcare is more often directly targeted, since its data contains not only sensitive health data, but also payment and insurance data. Private institutions are also more likely to pay a hacker’s ransom to protect their reputation.

Technology empowers and endangers

The increasing digitalisation and technological innovation in the healthcare sector has delivered great results: electronic patient records, video appointments, apps and medical devices have all increased the quality and quantity of healthcare provision. But these same advancements in technology have created new opportunities for hackers. Greater electronic and internet-based access to sensitive data creates bigger risks through increased security vulnerabilities.

Patching is a particular problem, being a major cause of critical security issues in corporate and healthcare organisations alike. The 2021 Bulletproof Cyber Security Report reveals that out-of-date and unpatched components were responsible for over a third of all critical vulnerabilities. This paints a concerning prognosis for healthcare security unless action is taken.

The human element

Security is often thought of as a technical matter, but people play an enormous part in cyber defence and data protection. This is especially true in healthcare sectors where both the technological oversight and the levels of staff awareness are typically much less than in corporate environments. This lack of staff engagement and awareness negatively impacts security defences and data protection as people don’t understand their individual responsibilities through the course of their daily working lives. The mass shift to remote working during 2020 has exacerbated matters by further reducing security oversight and introducing new uses and locations of data that may not have been previously considered.

Meeting the risk management challenges

As the current state of cyber security suggests, combatting these twin problems of people and technology is a challenge. But the problems are not insurmountable. Like all journeys, the path to good security starts at the beginning, and that means getting the basics right. Cyber Essentials is a compliance framework based on standard best practices and this makes it an excellent first step for private and NHS providers alike. Cyber Essentials can form the basis of your cyber security strategy and in the process stop a lot of opportunistic attacks.

Resourcing is repeatedly cited as a barrier to tackling compliance (in particular the GDPR) and cyber security, so partnering with a trusted provider with experience in the healthcare sector is vital. Lean on your security partner’s experience to complement your existing internal knowledge and capabilities. There are also cost-effective service shortcuts, such as outsourcing the Data Protection Officer role.

Training is often overlooked as a cyber defence, but it has the power to be one of the most robust defences against hackers and non-compliance. In a world where technical security controls can be undone by an overworked healthcare practitioner clicking on a malicious link in an email, investing in staff training is paramount.

Bulletproof recently conducted security training for St Andrews Healthcare. In place of a traditional presentation, we workshopped an innovative ‘capture the flag’ virtual tournament, where St Andrews Healthcare staff took turns in playing the parts of attacker and defender. This resulted in a deeper understanding of the aims, motives and techniques used by hackers and security professionals alike. Staff are now better equipped to identify and counter the cyber threats they face in their everyday jobs.

Now’s the time to act

With administrative healthcare staff working remotely and hackers leveraging the unprecedented global situation, data protection and cyber security in healthcare is more perilous than ever. There are services and solutions from trusted providers that can help, including COVID-safe delivery. Investing in cyber security defences is the only way to avoid the extensive financial and regulatory repercussions of a data breach.

Keep your sensitive data secure

To find out how Bulletproof can help you overcome your healthcare security challenges, contact our experienced consultants today.

FURTHER INFORMATION
Tel: 01438 500 500
contact@bulletproof.co.uk
www.bulletproof.co.uk/cyber-report
