In the summer of 2021, a ransomware attack against a National Health Service (NHS) third-party IT provider showed how vulnerable critical infrastructure can be to significant cyber-attacks. This attack impacted not only the 1.3 million NHS workers – the largest workforce in Europe – but also an entire nation of patients who potentially became unable to access crucial healthcare services or whose personal medical history may have been compromised.
In March 2023, the UK government announced a five-point strategy to build cyber resilience in healthcare by 2030. At Resilience, our experts commend this increased awareness. However, this plan needs more fine detail to protect the healthcare sector from further damaging attacks.
Healthcare providers are prime targets for ransomware, as they typically offer access to a large pool of sensitive and personal data. The digitalisation of healthcare has led to greater interconnectivity between systems than ever before, creating a complex chain of information – a chain that is only as strong as its weakest link. This interconnectivity provides a larger attack surface for bad actors to target, leaving entire sectors vulnerable to external threats which they can’t manage through basic risk transfer and mitigation alone. This attack, as well as others that have occurred in recent years, shows that ransomware events against crucial healthcare systems are on the rise. This means government leaders must commit to investing in Cyber Resilience to ensure that custodians of sensitive data are one step ahead of highly damaging attacks.
Vulnerabilities in the system
The COVID-19 pandemic has increased the demand for remote consultations and the use of medical technology, making the healthcare sector more reliant on digital systems than ever before. This digital transformation has created significant vulnerabilities. For instance, the interconnectivity between systems can lead to increased access points that can be exploited.
With the rise of healthcare-related IoT devices, there is an increasing number of connected devices with potential vulnerabilities that cybercriminals can target. This is compounded by many of these devices lacking adequate security measures, making them an easy target.
Third-party IT providers present weak links in the security chain. This is especially true for cloud-based systems, where many healthcare providers store their data. These providers may not always have the same level of security protocols as in-house IT teams, creating vulnerabilities that cybercriminals can exploit.
The cost of cyber-attacks
The cost of a cyber-attack can be significant from a financial and legal perspective and from the potential impact on patients. The ransomware attack on the NHS software provider shut down NHS’s care, treatment, and finance systems, leaving patients’ data and paperwork inaccessible to staff. It took two months for key NHS software systems to recover. While services were being restored, healthcare was compromised, leaving patients potentially without crucial treatment. This added to the already existing backlogs in the NHS’s system, creating an additional burden for an already overstretched organisation.
Data regulation for patients’ healthcare information means that these attacks are more costly from a financial and legal perspective than other ransomware events. Ransomware attackers recognise the value of personal data acquired from healthcare organisations and use this knowledge to engage in data extortion. This data is often not returned, even if a ransom is paid.
Better cybersecurity is crucial
Given the rising number of cyber-attacks in the healthcare sector, better cybersecurity is crucial. Organisations should think about holistically managing their cyber risk to quantify and understand the potential impact of scenarios and best practices to remediate them. Building cyber resilience requires finance, risk, and security leaders to share, align, and prioritise strategic objectives. Those objectives consider how business opportunity and risk mitigation work together and support making informed trade-offs when necessary. By aligning technical visibility on threats with regular cyber hygiene and strong insurance coverage, organisations can optimise their return on investments in managing cyber risk.
Investing in prevention and proactive risk prioritisation protects patients. Health organisations should implement security awareness training for employees, have a strong backup and recovery strategy that is well-tested against a variety of incidents, and implement basic cybersecurity measures such as multi-factor authentication (MFA), attack surface scanning, and network segmentation. Strong insurance coverage is also essential to manage residual risk and keep you financially afloat during an attack.
It is important to acknowledge that the NHS and its third-party partners will likely experience further attacks in the future. As such, it is crucial for organisations like the NHS that have experienced an incident to work with experienced cybersecurity providers who can offer a Cyber Resilient approach to holistic risk management. Resilience offers dynamic risk transfer, active monitoring, and actionable cyber hygiene measures that have been proven to help healthcare providers stay protected from cyber threats.
While cyber threats to UK healthcare providers are a growing concern, there are measures that can be taken to mitigate this expansive risk. By investing in better cybersecurity measures and working with Cyber Resilience professionals, healthcare providers can protect themselves and their patients from the consequences of data extortion attacks. Building a stronger healthcare network for the future means investing time, resources, and careful consideration into Cyber Resilience. Our experts appreciate the UK government’s first step toward Cyber Resilience and encourage it to continue expanding this plan to protect critical infrastructure by guiding organisations through holistic risk management.
Author: Si West, Cyber Advisory Lead at Resilience