Healthcare organisations provide an essential service that can have serious consequences if disrupted by a cyber attack, potentially endangering patient safety, disrupting care delivery and even leading to loss of life. In the event of a security incident, the fallout would not just impact the victim organisation but also their patients and overall national security.
Public Health Impact
Any disruption or compromise of a healthcare organisation’s systems could prevent them from assuring patient care, treatment delivery, and public safety.
For example, a successful ransomware attack could prevent the organisation from accessing vital medical records or operating life-saving devices due to a ransomware virus holding them hostage. Such a scenario would severely impede a clinician’s ability to provide effective patient care and it may take some time – often weeks – to resume normal operations.
Sensitive Data Handling
Healthcare organisations process vast amounts of sensitive and confidential patient data, including medical records, treatment histories, and personal information. Protecting this data from unauthorised access, disclosure, or manipulation is paramount to maintaining patient privacy and confidentiality.
An attacker gaining access to this data not only presents the risk of data theft, but may also lead to them intentionally or unintentionally altering patient data. This could ultimately lead to clinician’s misdiagnosing their patients, which comes with a host of associated risks.
Service Availability
Continuous and uninterrupted access to healthcare services is essential for patient wellbeing and the effective functioning of the healthcare system. Cyber attacks targeting healthcare infrastructure or systems can disrupt service delivery, leading to treatment delays, appointment cancellations, and potentially life-threatening situations.
While it may feel like a distant memory, patient outcomes were put at risk during the May 2017 "WannaCry" ransomware attack on National Health Service (NHS) computer systems. This attack led to ambulances being diverted and surgeries being cancelled, underscoring the direct impact cyber threats can have on healthcare delivery and patient wellbeing.
Interconnected Healthcare Systems and Digital Infrastructure
The interconnected nature of healthcare systems and digital infrastructure increases their complexity and susceptibility to cyber threats. Healthcare organisations rely on interconnected networks, medical devices, and information systems to deliver care, communicate with healthcare professionals and exchange patient data.
Any vulnerabilities within these interconnected systems can be exploited by malicious actors to launch cyber attacks and infiltrate critical healthcare infrastructure. The highly connected nature of these systems also increases the risk of a compromise in one location moving laterally to other parts of the network, leading to further consequences beyond the initial compromise. An attack could expose a weakness in a medical device such as an ECG, for example, which could later lead to attackers having access to the wider network and an entry point to wider healthcare records.
National Security Implications
Cyber attacks against healthcare organisations – especially the NHS - can have broader national security implications, affecting the resilience and stability of the healthcare sector as well as undermining public trust and confidence in government institutions. As a cornerstone of the UK's social fabric and public services, protecting the NHS from cyber threats is integral to safeguarding national security interests.
Why is Cyber Security Important for Medical Devices?
Unlike regular computers, medical devices often lack robust security features which can make them more susceptible to compromise. These devices often rely on hard-coded and widely known passwords and they may not be easily patchable or updatable.
Complicating matters further, the diversity of manufacturers and distribution channels results in a lack of standardised security controls, including passwords, encryption, and tracking of device handling. The primary security risk lies in the potential exposure of both data and device control, creating a delicate balance between safety and security that demands collaborative efforts across stakeholders, particularly in implementation and maintenance strategies.
Healthcare organisations must prioritise and invest in securing these devices, recognising that older medical devices were not initially designed with cyber security in mind and are challenging to secure properly. The proliferation of newly connected devices exacerbates pre-existing vulnerabilities, underscoring the importance of securing medical devices to mitigate operational disruptions and safeguard patient safety and privacy.
How to Secure Healthcare Organisations
We have ten recommendations for healthcare organisations looking to improve their cyber security, based on our experience working within the sector:
Adopt a proactive stance towards cyber security, encompassing a holistic approach that addresses people, process, and technology.
Define clear roles and responsibilities for the security of networks and information systems so employees can take ownership of key cyber security practices.
Conduct regular cyber risk assessments to identify vulnerabilities, assess potential threats, and prioritise remediation efforts based on the level of risk to critical systems and patient data.
Provide comprehensive training programs to enhance awareness and readiness for cyber threats.
Establish well-defined policies and procedures as part of your security management system with easily accessible documentation to guide your security practitioners.
Implement defence-in-depth technical controls to protect, detect, respond, and recover from incidents effectively.
Backup and disaster recovery planning to ensure the availability and integrity of critical data in the event of a cyber-attack, system failure, or data breach.
Address medical device security explicitly throughout the product/ system lifecycle.
Vendor cyber risk management to assess the cyber security posture of third-party vendors, service providers, and business associates that have access to sensitive patient data or provide critical services.
Ensure alignment with compliance frameworks such as DSPT, GDPR, NIS Regulation, HIPAA, among others.
By embracing these best practices, healthcare organisations can enhance their defences, mitigate cyber risks, and safeguard patient data and critical infrastructure from evolving cyber threats.
Looking for support in securing your healthcare organisation? Get in touch.
Author: Emran Ali, Principal Lead Consultant
First Published: 22/02/2024
Author
Emran Ali
Principal Lead Consultant
Emran is an information security professional specialising in strategy, security transformation, risk management, incident response and supply chain assurance for private and public sector organisations. He is a member of both ISC² and ISACA, and holds numerous certifications including CISSP, CISM, CCSP CRISC, SSCP, CCSK, ISO27001, ISO22301 and SABSA SCF.
Blogs