Cyber Security: The Next Big Healthcare Emergency?
Infrastructure and continuity
Resilience to emergencies is crucial to maintain continuity of patient care and minimise interruptions to regular hospital services. Unfortunately, healthcare infrastructure has suffered IT service outages and downtime on more than one previous occasion due to malicious software.
More widely, events during the Coronavirus pandemic of spring 2020 highlighted the need for public bodies and other large organisations to prepare for the unexpected, wherever possible. Thus, senior health service staff are aware of the problem and recognise the urgent need to develop and maintain an adequate response ready for such incidents.
In strategic planning sessions, service managers have been turning to the thorny question of what exactly the next major emergency in healthcare provision is likely to be. However, as is quite common in hypothetical scenarios relating to complex systems and entities, not all the experts agree.
Notably, in March (2021), Professor Marcel Levi, the outgoing chief executive of University College London Hospitals NHS Foundation Trust, voiced doubts. In his view, public bodies such as the NHS that came under attack might not be able to deal with the resulting problems swiftly enough.
Furthermore, Levi suggested that healthcare providers may not even be able to prepare precise responses in readiness for everything that could come their way. Nonetheless, during a meeting of the Institute of Health and Social Management, concerns centred on the possibility that the next disaster could result from a global cyber attack.
Looking at past form, one could see some justification for these fears. Over recent years, news agencies have reported the calamitous consequences experienced by private enterprises, public authorities and national institutions alike. Everyday entities that have featured in headlines include hospitals, telecommunications operators and banks.
In 2017, the WannaCry attack saw ransomware infiltrate critical administrative NHS computer systems across Britain. Although the cryptoworm episode was extensive in its impact, the instigators had not even focused the malware on healthcare providers.
Such digital attacks are on the increase around the globe. For instance, the Department of Homeland Security and the FBI have repeatedly warned about increased threats to healthcare systems in the USA. Similarly, in the UK, NHS Digital circulates regular warnings to hospitals, health centres and care providers.
Significantly, the threats featured in these bulletins take advantage of various vulnerabilities. Of course, though the detail in weekly updates and high priority security alerts might seem repetitive, managers and IT decision-makers should not underestimate its importance. The potential adverse effects if left unheeded are all too easy to imagine.
On the NHS Digital website, statistics published at the beginning of November (2021) list 257 security alerts this year so far. Some 33 were recorded in April alone, an average of more than one every day of that month. Seven incidents were of high severity to date, whereas 47 potential problems were of medium concern.
In its 2020 annual review, the National Cyber Security Centre commented that it had prioritised defending the NHS against threats. According to Eleanor Fairford, the organisation’s deputy director for incident management, health service computers and IT networks have been the second most intensely supported sector during 2021. Notably, around a quarter of all recorded incidents were linked to the Coronavirus pandemic.
Conscious of the above concerns, health service management has instructed specialists to resolve what they described as critical vulnerabilities in various IT hardware and software implementations supplied by well-known technology companies. The balance is delicate because a high degree of digitalisation increases efficiency and gets the job done. However, interconnectivity and mobile devices can leave systems vulnerable to cyberattacks.
Accordingly, the NHS has held talks with Sectra. This Swedish company specialises in medical imaging and secure communications. Its corporate experience seems to fit the bill; it boasts expertise in protecting information systems as part of critical healthcare infrastructure.
Speaking for Sectra’s senior management, sales director Chris Scarisbrick mentioned a desire to share expertise with hospitals worldwide. He and his team aim to use their knowledge and skills to improve communication networks, enhance cybersecurity and protect sensitive data.
Examples of potentially insecure or unsafe assets include administrative systems, data networks and medical hardware devices connected to the IoT (Internet of Things). In considering protection measures, the definition of critical infrastructure also includes lighting and power supplies to hospitals due to the possible adverse implications for patient care in the event of problems.
Recently, the NHS published a framework entitled What Good Looks Like (WGLL). The document sets out the tenets of good practice. It also recommends specific actions to improve and maintain security in the use of health service IT systems. In particular, NHSX, the mammoth healthcare organisation’s IT arm, recommends that designers prioritise building cyber security into digital projects from their inception.
Whether perpetrated to cause sabotage, attempt blackmail or access sensitive information, the growing number of attacks and other security incidents could affect critical healthcare functions. Because breaches can be ruinous, the utmost care is necessary.
On a general note, moving applications to cloud computing could help to alleviate some of the burdens on hard-pressed technical teams throughout the NHS. However, it is essential to configure cloud deployments correctly if they are to be secure.
Nonetheless, experts can see outsourcing to cloud solutions and vendors as a potentially successful and cost-effective way to reduce complexity and lower the risk of DDoS (distributed denial of service) or other attacks against on-site server farms.
Guarding against supply-chain weaknesses through vendor certification is now more critical than ever. Moreover, the acceleration of cloud and cybersecurity strategies should also extend throughout the rest of the UK public sector, experts say.
New EU directives or national regulations and legislation, such as GDPR and national security laws, look set to impose stricter demands regarding secure information management. Specifically, the international standard ISO/IEC 27001 specifies how to manage information security.
There are more than a dozen different standards in the ISO/IEC 27000 group. Implementing them means organisations can ensure the safety of financial information, intellectual property, employee details and data from third parties.
The standards also detail the principles of due diligence, risk assessment and resilience against threats. In short, if implemented correctly, the recommendations minimise opportunities for attackers to find and exploit weaknesses.
Finally, if – as Professor Levi observed – it is impossible to be ready for every scenario, organisations should nevertheless develop contingency plans for if and when things go wrong.