This year healthcare services across the world have been shown to be particularly vulnerable to the increasing number of cyber attacks. This was most publicly demonstrated during the WannaCry ransomware attack, which crippled the UK’s NHS in May this year.
The global WannaCry ransomware attack highlighted one of the key cyber security risks to government services: loss of access to data. The attack did not target only the NHS, but the NHS was particularly affected, with extensive disruption to patients and healthcare for a week.
Unfortunately, this NHS breach was not a one-off. A Freedom of Information request in 2016 found that 47% of NHS Trusts in England had already been hit with ransomware attacks. The sheer scale of the infection is unprecedented. In light of this, the question asked at the UK Health Show in Olympia last week was: can digital healthcare be secured?
First, it should be understood why hackers are so fond of attacking the NHS. It is a huge organisation, with 1.1 million email accounts, making it an easy target. Data is valuable and the NHS has a lot of it. Not only this, but healthcare data is 64% more expensive on the Dark Web than financial information.
In a range of talks throughout the day, Information Age investigated what can be done, if anything, to mitigate the risks posed to the most vital public body for UK citizens.
The general consensus was that the threat can be mitigated, but it is no easy task. It is important, Information Age learned, for law enforcement agencies and healthcare organisations to work together. A public and private collaboration can help disrupt the success of attackers, by upstreaming intelligence, and sharing threats and vulnerabilities.
The message from Rick Hemsley, managing director of UK Security at Accenture, during his keynote at the event was that this collaboration is key. In the security environment, healthcare professionals, administrators and officials must protect both patient data and scientific endeavour, both highly coveted by those who would sell or exploit them, which presents unique challenges to developing effective cyber-security solutions for healthcare.
Managing the risk
The threat of a cyber attack cannot easily be prevented. But this sad fact extends to every organisation, in and out of the healthcare sector. This is because there is an unprecedented number of attacks targeting organisations, and the attack surface area is growing. Technology is used to drive better patient outcomes, but the implementation of these digital strategies creates this increased attack surface.
In healthcare, cyber criminals might attack an organisation via a supplier, which won’t necessarily have security at the top of its agenda. There are a multitude of attack vectors, which are nearly impossible to fully protect against. What’s important is the response plan to the imminent attack.
Hemsley provided a number of methods whereby healthcare organisations could at least limit the damage caused by an attack, and get back ‘online’ as soon as possible.
He said that organisations need to understand the vulnerabilities within them, which extends to people, processes and systems. It is also crucial to understand the most valuable assets, which the hackers are likely to target. Finally, it is imperative that cyber security is on the board’s or trust’s radar. ‘It is not just an IT issue.’
Cyber criminals are becoming more and more organised, even offering cyber-crime-as-a-service. Technology, Hemsley stated, ‘is not necessarily the answer’. There is a need to think about the ecosystem as a whole. This holistic approach to security, looking at the people, processes and systems, will ultimately provide a more secure future for healthcare services.