Healthcare
With rapid technological advancements and security incidents such as WannaCry, cyber security is one of the most talked-about topics in the NHS and other healthcare organisations.
From medical institutes and hospital trusts to research labs, new technology is visibly being adopted to improve workflows. More systems are now interconnected, and more devices are being used to offer better healthcare. This is also increasing the number of security concerns where manufacturers, system integrators and/or end clients are failing to perform security validation.
Digital health and care organisations must be prepared at all times given the frequency and constantly evolving nature of cyberattacks.
According to the House of Commons review after the WannaCry incident, widespread disruption to health services affected more than 1/3 of all NHS trusts. This includes the cancellation of 20,000 appointments and operations. Globally, this incident affected 200,000 computers in at least 100 countries.
The healthcare industry is one of the biggest targets for cybercriminals. This is not entirely the fault of healthcare organisations; it is partly due to the volume of attacks targeting this industry. The sector is lucrative to cybercriminals because of the large amount of sensitive information held by NHS trusts, private healthcare providers, and other organisations in this sector.
Although some organisations are committed to patient privacy no matter what it takes, most healthcare organisations are behind in terms of a proactive approach to cyber security advancements. We have found that the most common challenges across the healthcare sector include:
Insider threats are counted amongst the most significant cyber-risks in the financial services sector. Businesses tackling this issue regularly validate their controls around logical access, spear-phishing and threat intelligence, and carry out regular penetration testing. In addition to technical controls, staff awareness and understanding through training help build a security-conscious culture.
Ransomware has quickly become one of the most dangerous cybercrime threats organisations are facing. Over the past two years, the number of organisations being hit with targeted ransomware attacks has multiplied as the number of gangs carrying out these attacks has proliferated. Paying the ransom does not guarantee that you will get access to your data, and threat actors may assume that you would be open to paying ransoms in the future.
It's understandable that processes, procedures and sometimes procurement challenges can delay the anticipated timelines for upgrades. In this scenario, is your organisation doing enough to reduce the target's visibility and restrict access to it on a need-only basis, thereby decreasing the attack surface?
It's more important to test these plans to ensure they are effectively shielding your unsupported systems from cyber attacks.
The loss of client information can have a devastating impact on a sector that has confidentiality at the heart of its business. Firms storing sensitive information, third-party data and transactional records are likely to be at a higher risk of data breach than a local high street firm. It therefore goes without saying that secure information storage and processing practices help minimise the attack surface.
Lack of environment segregation based on the defence-in-depth principle is one of the most common weaknesses found during NHS trust reviews. It is important to provide need-only permissions; however, it's equally important to segregate environments based on functional requirements. For instance, wireless networks and/or wired network segments used by medical devices may not require access from corporate users. This must be validated and assessed by an independent third-party consultancy.
This section refers to specific project-based experience in this sector. This includes assessments performed at NHS trusts and healthcare providers, including pharmaceutical industry vendors.
Information obtained via a Freedom of Information request has revealed that NHS trusts spent an additional £151,940,223 on IT security in the aftermath of the WannaCry ransomware attack that brutally exposed the vulnerability of the UK's healthcare system to cyber attacks.
The government has announced plans to set up a national artificial intelligence lab that, says health secretary Matt Hancock, will 'ensure that our NHS harnesses AI to develop cutting edge treatments, reduce pressure on staff working lives and ultimately save lives'.