Cybersecurity in healthcare

Cybersecurity in the healthcare industry carries high levels of risk, especially when considering the sensitivity and volume of data that exists within the industry, and that one of its primary focuses is to save lives. When combining those risks with a myriad of new and legacy systems, a lack of budget and a general lack of cyber awareness (through lack of training and support) suddenly that risk skyrockets.

Consider the most crucial devices in the healthcare industry, those which fundamentally save lives. These devices are continually connected to IT networks to operate, process and store data on patients. If these devices were compromised, lives would be at risk. Protecting these devices by network segregation is incredibly important – This is the art of separating critical network elements from the internet, and other less sensitive networks.

How hackers operate

When a hacker attempts to exploit an organisation, commonly it is via the internet. Once successful, their next move is to escalate their privileges, and this is performed through lateral movement across the internal networks or by utilising vulnerabilities in outdated software or system misconfigurations. Network segregation prevents hackers from excessive lateral movement and gaining access to critical networks and devices. Therefore, this is a crucial technique to safeguard life-saving systems.

Governance and ownership of the networks and systems and the associated risks are primarily with central organisations (like the NHS). However, there are still risks present at local GP practices and other sites, which should not be underestimated.

The risks from mobile devices

The healthcare sector is seeing an increase in the use of mobile devices (such as mobiles being used for patients calls), as are many other industries. Specifically, the use of tablets (no pun intended!). While these devices can advance patient care and streamline services, they also provide new ways for systems and networks to be exploited. With every new device in use, the network ‘attack surface’ is increased, which creates greater scope for a cyber-attack. However, organisations can take active measures to control these risks.

Organisation issued mobile devices can be controlled centrally through a Mobile Device Management (MDM) solution. This is a way of centrally controlling and defining minimum security requirements on the devices. This reduces the risk of the devices becoming compromised, compared to a number of personal mobile devices being used for business purposes (see below). Although, this does not prevent the user from taking actions which put the device at risk.

Now if we refer to BYOD (Bring Your Own Devices) or, commonly referred to in the cyber industry as, Bring Your Own Disaster. These are personal devices which access organisational data, and commonly are not subject to the same controls as centrally issued and managed devices. These devices present huge risks to networks. The best way to control this risk is through a Mobile App Management (MAM) solution, such as Microsoft InTune. This works similar to an MDM solution, but limits the controls to specific apps, such as Outlook, not the entire device. Combine this solution with multi-factor authentication methods and suddenly the risk appears more manageable. Too many organisations do not have a handle on the number of BYODs accessing their data and this is something which needs to change, quickly!

How cyber attacks happen

Around 80-90% of all cyber incidents happen due to human error – commonly, clicking on malicious links, entering credentials into a fake log-in screen, or even opening a simple PDF attachment. It’s so easy to fall foul of these tricks. This shows that every employee has a responsibility to be cyber aware and support their organisations by being a strong line of defence. How can humans be an effective form of defence? By being informed – by being cyber aware.

According to Clearswift (a UK information security company), over a third (39%) of breaches within the healthcare sector occurred because of employees sharing sensitive data with unauthorised recipients. Educating staff and providing cyber specific training is critically important to safeguard healthcare data and systems. It may be the difference between a swift identification and resolution of a cyber-attack, and the loss of Personally Identifiable Information (PII). The latter meaning breaches of GDPR and UK DPR, notifications to the ICO, fines, and potential reputational damage with patients and the public. That’s not including the potential media backlash that could result…

Steps to take to improve cybersecurity

One of the biggest issues in businesses today is the lack of budget to allocate to cybersecurity. It’s easy to justify the budget once a cyber-attack happens, but at that point the cost is far greater than if proactive measures were taken. With costs rising in all other areas of businesses and organisations, this is one area where costs can be reduced provided there is a clear plan and strategy in place.

Great ways to manage these risks are through compliance with government standards such as Cyber Essentials and Cyber Assured. These certifications are governed by IASME (Information Assurance for Small to Medium sized Enterprises), and from what can be seen from the name, who are specifically focused on small to medium sized organisations. They break down some of the larger, more complex, industry-leading certifications (such as ISO 27001) into smaller, more achievable steps.

Cyber Essentials is a standard designed specifically to protect organisations from c.80% of the most common cyber threats. It’s designed to focus on an organisation’s internet-facing devices. Recognising that most cyber-attacks originate from the internet and in-bound traffic (e.g. emails), this standard is a great starting point for all organisations wanting to take positive, pro-active measures towards better security. Certifying to this standard addresses many of the key risks outlined in this article and can reassure investors and Trustees (in wider NHS bodies/other healthcare organisations) that the organisation is more cyber secure.

Cyber Assured goes a step further and promotes a positive cybersecurity posture throughout the organisation. Focusing on people, policies and procedures, this standard seeks to establish formality of cybersecurity. This is complementary to the Cyber Essentials standard whose primary focus is technical controls. As everyone knows, you may have the best technical controls in place, but it only takes one, uninformed user to click a malicious link. Now that user has inadvertently circumvented those technical controls and invited an external user (hacker) into the network…

If you’re wondering how your organisation could be more cyber aware, or would like to know more about the certifications and standards, contact our cybersecurity Director, Phil Osgathorpe for a free initial conversation.