David Higgins, EMEA Technical Director, CyberArk
Better technology in the NHS is no longer a ‘nice to have’, said Secretary of State for Health and Social Care Matt Hancock earlier this year. It’s crucial. Speaking prior to the pandemic, Mr Hancock’s words couldn’t have been more prescient.
While it’s now clear that without innovative technology, our efforts to control disease would be hampered, we must also remember technology has drawbacks. Cyber vulnerabilities are among the most common.
Cyber-attacks have had a marked effect on healthcare organisations over the past decade. In fact, over 50% of healthcare providers claimed to have been affected by them in the three years preceding our most recent threat landscape report. The consequences are becoming more and more concerning, too. The physical capabilities of cyber-warfare have in the past been put into question, but a recent cyber-attack in Germany, which resulted in delayed treatment and ultimately a person’s death, has served as a reality check.
Prompt action must be taken. And all healthcare must start with addressing privilege. Of all the providers we spoke to in our threat report, almost 20% identified privileged users as their highest priority threat. Privileged users – those with high-level access – must, therefore, be prioritised.
We cannot risk discovering the consequences of inaction.
Securing healthcare in the Cloud
Healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information—much of it located in the cloud. Recently, the NHS announced their intent to create a nationalised approach for the digitisation of millions of GP records as part of the government’s ‘Cloud First’ policy.
The transition to cloud in the healthcare sector has been extensive. Our data indicates that 43% of all healthcare organisations surveyed deploy or store patient data, including data subject to regulatory oversight, in the cloud. Nearly half (46%) are deploying or storing cloud-based business critical applications, including revenue-generating customer-facing applications, in the cloud. Furthermore, 45% of healthcare organisations are deploying critical business applications on software-as-a-service (SaaS) offerings – including customer facing applications, enterprise resource planning (ERP), customer relationship management (CRM), and financial management software.
As more and more functions are moved to cloud and hybrid cloud environments, the security risks only increase. To clarify, the use of the cloud is not problematic in and of itself, rather some troubling cloud-related habits exist among those organisations that are adopting cloud-based strategies, which may be to blame. For example, 35% of healthcare organisations are fully depending on their cloud provider’s built-in security to secure assets, despite not believing it is sufficient. Even more disturbing – a good number of healthcare organisations admit that they didn’t notify their customers when their sensitive data had been compromised as a result of a cyber-attack, and 37% said they would prefer to pay a penalty or fine for non-compliance with regulations instead of substantially changing their security strategy.
In fact, complying with data privacy regulations appears to be a major challenge for healthcare companies, with only 40% saying they were prepared for a potential General Data Protection Regulation (GDPR) breach investigation.
As healthcare organisations continue to embrace digital transformation, they need to modernise their security programs to suit this new landscape.
Protecting healthcare’s privilege
Another key security concern for the healthcare industry is privileged access management. A large majority of organisations (86%) think IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are secured. Yet, 38% of healthcare organisations do not have a privileged access management strategy in place for cloud infrastructure and workloads, and 44% do not have a privileged access management strategy in place for business-critical applications – including customer-facing applications.
The oversight when it comes to privileged access management is likely due to a limited understanding in the healthcare sector of where privileged accounts, credentials, and secrets can exist within an IT environment. Only 24% of organisations recognised that privileged accounts and credentials exist within containers and only 30% said they exist within continuous integration/continuous delivery (CI/CD) tools. That being said, more than one quarter (28%) of all planned security spending in the healthcare sector in the next 24 months will go towards preventing privilege escalation and/or lateral movement, according to the study.
Building a resilient healthcare sector
The risk profile of an organisation is influenced by every single employee, application, and technology it employs. So, as healthcare organisations such as the NHS look towards a fully-fledged digital transformation post-pandemic, IT and security teams must look to understand the impact these efforts have on the security of an organisation’s assets. Once the impact has been recognised and understood, practices can be adapted to suit necessary requirements.
To build a resilient healthcare sector for the country’s future success, critical adjustments to the current cyber security practices are imperative. This may require new talent, skillsets, and tools, but they are nonetheless vital in protecting assets from advanced threats in the current landscape.
Updating tools and managing access to privileged accounts and credentials reduces a cybercriminal’s moves considerably and constricts their path. In a sector with so much stake, it is key that every piece of the cybersecurity puzzle is in place to completely secure a targeted network. All stops must be pulled out to maintain the critical functions of our most needed establishments.
