Three years ago today, the UK’s National Health Service descended into chaos.
In one fell swoop, a fairly unsophisticated but self-propagating worldwide ransomware attack called WannaCry infected computers in hospitals across the country, locking up connected medical equipment and encrypting patient and hospital data for ransom.
Becker’s Hospital Review estimates that in the United States data breaches cost the healthcare industry approximately $5.6 billion every year. The WannaCry attack cost the UK healthcare system nearly £92m. But while it was the largest cyber attack the NHS had ever experienced, it wouldn’t be the last.
In terms of basic cyber security, the healthcare industry lags woefully behind other sectors like finance and manufacturing, which often build their infrastructure with data security in mind. This is especially troubling given how attractive healthcare breaches are to hackers (personal health information is worth an average of 10 times more than financial information on the black market), not to mention the dire risk to patient care when day-to-day functions are interrupted.
Here are some of the ways in which the current healthcare system is more susceptible to breach than ever and why incorporating security practices needs to be prioritised:
A complex supply chain
When we speak about the healthcare industry we aren’t just talking about hospitals and computers full of medical records.
The healthcare system is possibly the most complex supply chain in our economy. It includes everything from cleaning supplies to CRM appointment reminder software, scanning machines to climate-controlled storage of drugs shipped from all corners of the globe.
It is common practice for hackers to target the supply chains of the organisations they want to access. It is very often these small suppliers, 15- or 20-employee companies, that offer an open door through weak security practices. A November 2019 study by Orpheus of NHS suppliers showed that 95% lacked advanced security protection, and 88% of them had already experienced some sort of email and employee password leak before working with the NHS.
There is much at stake. Trust in this highly regulated industry is paramount. A data breach for a small supplier could mean the end of their business.
Data gone digital
The days of paper records are all but gone in healthcare. And with good reason. Digitised patient data makes it easy to quickly communicate between internal hospital departments and outpatient clinics, and to ensure information is always accessible and up-to-date.
However, it also makes the institutions that hold this data an increasingly attractive target. Once acquired, patient data can be held for ransom or sold on the black market.
Last year, an Israeli research group exposed more insidious potential consequences when it demonstrated how a hacker could quickly and realistically add or remove medical conditions (such as the appearance of a tumour) on 3D medical scans in real time. Although such tampering would most likely be aimed at specific individuals for specific reasons (the researchers mentioned insurance fraud and political assassination), it demonstrates how severe the consequences of even a simple breach can be.
Connected and outdated devices
From hospital lifts to MRI machines and implanted pacemakers, the healthcare system is increasingly connected to the internet. Doctors and nurses rely on these machines to monitor patient health and to serve as a partner in diagnosis.
Unfortunately, every connected device offers another potential entry point for hackers, and the level of security of each device varies widely. Some of them are new and modern, but others, such as expensive scanners, may be ten or 15 years old, running on outdated operating systems that no one has the time or skillset to patch.
Compromised devices can be hard to detect, and malware is likely running on many devices right now unbeknownst to staff. A drip delivering chemotherapy drugs that had been infected with crypto-mining malware might just run a little more slowly. But when the precise and timely delivery of a dose is paramount, even that can have disastrous results.
Over-stretched staff
A key part of any industry's cyber health is knowledge and good practice among its organisations and employees. JAMA Internal Medicine reports that the majority of breaches related to data privacy in healthcare were the result of employee error and unauthorised disclosure.
In the already overstretched world of hospitals, it is no wonder that cyber security is the last thing on the minds of most workers. It makes sense. Our healthcare providers are trained to take care of patients, not to be IT experts.
But the NHS is the largest employer in the UK, and we must come to accept that cyber security awareness is a critical part of every job, and one that can itself save lives.
Many of these breaches could be prevented through the basic cyber hygiene covered in the government-backed Cyber Essentials scheme. Its five controls cover firewalls, secure configuration, user access control (including strong password protection), malware protection, and keeping software patched and up to date. If you are a healthcare provider or supplier, consider getting certified in Cyber Essentials.