For centuries, healthcare has grappled with immense challenges, from limited resources to evolving diseases. Yet, it remains a powerful symbol of hope and healing, entrusted with our most sensitive information and, often, our very lives. This responsibility rests on a core foundation: to heal, to comfort, to protect.
However, in the digital age, this very sector faces a completely different challenge – cyberattacks. Bad actors are infiltrating the heart of healthcare, jeopardising patient safety and putting lives at risk. In 2023 alone, healthcare organisations saw a consistent month-over-month increase in attack attempts of 13%. Costs of healthcare breaches soared, reaching around $11 million per breach, the most expensive industry for the 13th year in a row. And the UK’s healthcare sector saw an average of 1,383 cyberattacks per week in May 2023.
The situation is alarming. With each breakthrough in medical technology comes a growing attack surface, making devices increasingly vulnerable to exploitation. The future of healthcare now hinges on our ability to bridge the gap between patient care and digital security, which have become one and the same.
Healthcare in the crosshairs
This once sterile environment is now teeming with potential entry points for cyberattacks. The rapid proliferation of connected medical devices, from infusion pumps and patient portals to media writers and imaging equipment, has created a vast and vulnerable attack surface.
Nurse call systems have been identified as one of the riskiest medical and IoT devices in clinical environments, with 39% having critical severity unpatched CVEs and almost half (48%) having unpatched CVEs. Other Internet of Medical Things (IoMT) devices like imaging workstations and media writers witnessed increased risks in 2023 too.
More worryingly, the sector is one that still relies on legacy technology and end-of-support (EoS) Operating Systems (OS), at more than 12%. In many NHS organisations, legacy systems account for 30-50% of all IT services. Indeed, millions of medical devices in NHS Trust hospitals across England are either incapable of running security software or rely on EoS versions. In many cases, they’re totally unmonitored.
Additionally, the NHS has systems scattered all over the country, with a database that has comprehensive patient records going back decades. These vulnerabilities continue to put the sector at risk to evolving threats.
Unfortunately, this information is not new to bad actors. The sector is struggling with the challenge of digital maturity in the current cyber landscape. These malicious actors know the sector is woefully understaffed and under-resourced, and therefore an easy target – especially with ageing server infrastructure and decades-worth of data – which leaves hospitals and patients increasingly vulnerable.
The Department of Health and Social Care (DHSC) found that out the hard way last year, as did several NHS ambulance organisations and many other NHS foundations. These attacks are only going to escalate with various nation-state threat actors making a habit of going after healthcare providers in search of sensitive data and with the aim to cause maximum disruption.
And that’s just the half of it. While some might be motivated by geo-political agendas, aiming to disrupt critical infrastructure or sow panic, other bad actors are often fuelled by money, looking to sell information on the black market. After all, having your hospital network crippled by ransomware can delay critical care, often leading to hefty ransom payments due to the pressure to restore operations quickly.
The revolving door of attacks and apologies within healthcare’s cybersecurity paints a stark picture. Millions of patients have had their privacy violated, jeopardising their trust and potentially delaying critical care. It’s time to modernise the industry’s approach to cybersecurity, shifting from reactive measures to proactive prevention.
A step in the right direction
Ignoring the persistent cybersecurity weaknesses plaguing the industry is not only irresponsible, but also potentially life-threatening. That’s why it’s crucial for healthcare to first acknowledge there is a problem and confront its cybersecurity vulnerabilities head-on. After all, any effective treatment requires a complete diagnosis.
Thankfully, the UK has recognised this. In March 2024, the UK government also shared plans for the NHS to receive a £6bn funding boost to invest in new technology and digital transformation. Of that, £2bn will be used to modernise fragmented and outdated IT systems across the NHS, spread out over a three year period.
Ultimately, it’s important to improve funding, identify parts of the healthcare system where a cyberattack would cause the most harm to patients and embed security into emerging technology. However, combined with an expanding attack surface, an ageing population and increasingly expensive new health technologies, there are concerns that funding alone will fall flat.
Therefore, other solutions must be implemented. That starts with improving cyber resilience and following best practice guidelines. From data security to response plans, there are toolkits and resources readily available that every healthcare provider should be adhering to. What’s more, the Department of Health and Social Care (DHSC) and the government are working with health and adult social care organisations, as well as the supply chain, to achieve cyber resilience across the sector by no later than 2030. Again, while this is a step in the right direction, there are already rampant threats out there. So, a more immediate fix is needed.
Modernising patient safety and protecting patient data
As part of the five pillars in the DHSC’s plan, being able to see the entire attack surface has become essential. This means having complete visibility and security for all connected medical devices, clinical assets and the entire healthcare ecosystem, helping to also keep protected health information (PHI) of patients secure.
While advanced technology enables greater connected care, it also creates a larger attack surface. With an average of 55,686 physical and virtual assets connected to organisational networks, only 60% of these assets are monitored on average, leaving 40% unmonitored. Without full visibility, healthcare organisations are exposing themselves to these threats.
Only by understanding and seeing all potential vulnerabilities, can organisations prioritise remediation efforts and effectively mitigate risks. The right tools can help keep connected assets secure and PHI systems safe, so the medical devices closest to patient care can operate uninterrupted and uncompromised.
Moreover, while EoS OSs and legacy systems remain part of the biggest threat, it’s not always so simple to upgrade, no matter how much additional funding is thrown at the NHS. Medical devices are intricate parts of a larger system. Replacing an MRI machine or CT scanner isn’t as simple as buying a new laptop; it can disrupt entire care networks and can be incredibly expensive and resource intensive, particularly for a sector that’s understaffed and constantly faces budget cuts.
Fortunately, there are other steps healthcare organisations can take to mitigate these risks. Segmenting the network by essentially creating barriers between critical systems and older devices can help contain potential breaches and limit the damage attackers can inflict. Implementing best practices like strong passwords, firmware updates and access control – alongside visibility of the attack surface – can improve cyber hygiene and make organisations less vulnerable.
This also includes comprehensive security awareness training for staff, as human error remains a major threat, accounting for over 80% of cyber incidents. Equipping them to identify and mitigate threats is key to rebuilding patient trust in the face of evolving dangers. Not only that, but the sector, as highlighted in the DHSC’s cyber resilience five pillars, must be better integrated in its overall approach, with centralised platforms and services to avoid silos and duplicated efforts. This includes sharing data, learning and resources to improve sector-wide resilience.
Cybersecurity as an ethical imperative
The healthcare industry stands at a crossroads. Legacy systems, growing attack surfaces and a lack of awareness among staff create vulnerabilities that bad actors exploit. While funding is crucial, it’s not the sole solution.
The industry must embrace a multi-pronged approach that prioritises cyber resilience, implements best practices and invests in solutions that help organisations gain complete visibility of its ecosystem. After all, the evolving threat landscape requires a more nuanced approach to vulnerability management.
Healthcare organisations must consider the criticality of assets within the care process. Not all devices are equal – an infusion pump in an ER carries a higher risk than one in a day clinic. Collaboration with clinical units is crucial to prioritise vulnerabilities based on context and impact, moving away from the common siloed approach and instead, integrating cybersecurity throughout the entire care journey.
By acknowledging cybersecurity as an immediate, ethical imperative, the healthcare sector can ensure its focus remains where it belongs: on patient well-being and safety. It’s time to rebuild trust and ensure technology remains a force for healing, not harm.
