Digital healthcare faces constant cyberattacks
It’s no secret that healthcare organisations have become a prime target for cybercriminals. Last year 81% of UK healthcare organisations experienced a ransomware attack, resulting in many having to cancel in-person patient appointments. 65% admitted that a cyberattack could increase patient mortality rates. As an industry, healthcare suffers from some of the highest costs of a data breach and takes longer to restore and recover its data than any other industry sector.
For years, hackers have been targeting hospitals and other providers to steal and sell confidential patient information and health records, or to hold that stolen data to ransom. All of these attacks have led to costly and dangerous interruptions, which can have serious consequences for patient safety and well-being. The situation has become ever more alarming with cyber espionage by pariah nation-states targeting the theft of lucrative clinical research and intellectual property. Just last month the Chancellor of the Duchy of Lancaster reinforced this risk in a statement confirming that ‘emerging Wagner-like cyber groups are attempting to cause maximum damage to the UK’s critical national infrastructure, such as our NHS system’.
So how are cyber gangs managing to inflict damage on our critical healthcare systems?
Growing attack surfaces against healthcare organisations
Healthcare providers have sprawling networks of old and out-of-date IT and IoT systems that need to connect with multiple partners such as medical specialists, insurance, pharmacies, public and population health centres and more. The public sector is particularly burdened by a huge technical debt brought about by the failure to replace end-of-life and out-of-date technologies.
Yet medical and healthcare IoT devices make up three-quarters of a hospital’s connected endpoints. These are devices used to diagnose, monitor, manage and treat medical ailments, so patients are put at extreme risk if such equipment is compromised by hackers.
Furthermore, there are connected building management systems that control lifts, CCTV cameras, hallways and doorways, and HVAC systems for maintaining clean rooms and controlling the spread of airborne pathogens. This interoperability between different health IT systems, and their integration with medical and healthcare IoT devices and suppliers, means an increasing attack surface for cyber-gangs.
Despite this, healthcare providers tend to have a largely inaccurate inventory and understanding of the assets that connect to their medical networks, making them unaware of the risks these devices pose. This lack of visibility of their IT infrastructure affects the integrity of the network and puts the safety and well-being of patients at risk.
Mitigating cybersecurity risks in healthcare
There is much that can be done to mitigate risks to public and private healthcare services from cyber espionage. The assistance of the government through public-private partnerships, as seen recently with attacks against the Royal Mail, is a significant help. But providers need to do a much better job of understanding what assets connect to their medical networks and the risks they pose. While it tends to be more straightforward to identify PCs, laptops, and servers on a system, it’s more challenging to do the same for healthcare IoT, especially medical devices that can’t be easily scanned for vulnerabilities.
Next-generation cyber security tools use machine learning to identify and profile a healthcare setting’s IT infrastructure, including any IoT devices, along with any vulnerabilities and risks. They do this by using adaptive data type analysis to passively identify accurate device characteristics without damaging or destabilising endpoints, and by creating digital twins, a virtual double of each device type. Deeper security risk analysis can be conducted against these twins, safe in the knowledge that expensive equipment will not be damaged and that there is not even the slightest chance that a patient is connected to such a virtual device. In so doing, true risks can be identified and baseline network activity established for the immediate identification of suspicious or anomalous activity.
IoT security tools should be highly automated as well as seamlessly integrated with existing security tools to quickly remediate risks before patients are placed at clinical risk. This includes network access control capabilities to segment and isolate at-risk medical devices, to permit the continued safe use of otherwise risky systems that cannot be easily replaced because of budget constraints. Tools also need to provide improved reporting capabilities for senior management and government. But most critically, new tools need to be implemented immediately given the risks, rising attacks and a tsunami of medical devices being continuously deployed across our hospitals.
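An added illustration (not from the article or any vendor's product) of the baseline-then-segment idea in the two paragraphs above: a plain per-device-type set of passively observed flows stands in for the machine-learning profiling the article describes, and the plan it returns is the allow-list a network access control segment could enforce. The flow records, device names and addresses are constructed sample data, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed flow summaries from a passive tap: (device_id, device_type, dst_ip, dst_port).
# Every identifier and address below is hypothetical sample data.
LEARNING_FLOWS = [
    ("pump-01", "infusion_pump", "10.20.0.5", 443),   # drug-library server
    ("pump-02", "infusion_pump", "10.20.0.5", 443),
    ("pump-02", "infusion_pump", "10.20.0.9", 123),   # NTP
    ("ct-01", "ct_scanner", "10.30.0.7", 104),        # DICOM to PACS
]
LIVE_FLOWS = [
    ("pump-01", "infusion_pump", "10.20.0.5", 443),   # matches baseline
    ("pump-03", "infusion_pump", "10.20.0.9", 123),   # new pump, known behaviour
    ("ct-01", "ct_scanner", "203.0.113.40", 445),     # never seen for this type
    ("cam-07", "ip_camera", "10.40.0.2", 554),        # type missing from inventory
]

def build_baseline(flows):
    """Learn, per device type, the (destination, port) pairs seen while passive."""
    baseline = defaultdict(set)
    for _device, dev_type, dst, port in flows:
        baseline[dev_type].add((dst, port))
    return dict(baseline)

def find_anomalies(baseline, flows):
    """Return (device, type, reason) for flows that fall outside the type profile."""
    findings = []
    for device, dev_type, dst, port in flows:
        if dev_type not in baseline:
            findings.append((device, dev_type, "unprofiled device type"))
        elif (dst, port) not in baseline[dev_type]:
            findings.append((device, dev_type, f"new flow to {dst}:{port}"))
    return findings

def isolation_plan(baseline, findings):
    """Per flagged device: the allow-list a NAC segment would enforce.

    Profiled devices stay usable but limited to their baseline flows;
    unprofiled ones get an empty allow-list pending inventory review.
    """
    plan = {}
    for device, dev_type, _reason in findings:
        plan[device] = sorted(baseline.get(dev_type, set()))
    return plan

if __name__ == "__main__":
    base = build_baseline(LEARNING_FLOWS)
    found = find_anomalies(base, LIVE_FLOWS)
    print(found)
    print(isolation_plan(base, found))
```

Because the profile is kept per device type rather than per device, the newly deployed pump-03 is not flagged, while the camera whose type was never inventoried is surfaced for review.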
However, healthcare networks are only as secure as their weakest link, and often that chink in the armour is a lack of cyber risk awareness. “As a CIO or CISO, you don’t know what you don’t know,” claimed Staynings. “We need to change that.”
Teaching staff to be cybersecurity aware is critical to keeping breaches down. This includes regular training for the entire workforce, from front line medical teams to back-office management. Teach them ways to spot phishing and social engineering techniques, as well as the importance of using strong passwords, secure authentication, and access control measures.
In addition, healthcare providers must be diligent in their vendor selection and management practices, thoroughly vetting and assessing the security postures of providers before granting them access to healthcare networks. Third parties should also have clear policies and procedures for managing vendor relationships, including regular security assessments and contract clauses that hold vendors accountable for any data breaches or security incidents.
In the event a breach does occur, having a robust incident response plan in place, which is tested and updated regularly, means healthcare organisations can then swiftly detect and respond to any security incidents. Identifying key stakeholders and decision-makers responsible for implementing the plan in the event of an attack can help contain the incident as quickly as possible – something that is critical for an industry that is under constant attack.
Richard Staynings is an international luminary for healthcare cybersecurity, author and Chief Security Strategist at Cylera.