Protecting Patients from Healthcare Hackers
Hospitals and healthcare providers are under attack from criminals looking to extract valuable medical data. Wai To, Senior Cyber Security Analyst at Wellbeing Software, discusses what they should do to keep hackers out.
The COVID-19 pandemic has shone a bright light on our health service over the last twelve months. In many areas we have seen the great strengths of the NHS, with the general public rallying around doctors, nurses, researchers, and other healthcare staff as they work to subdue the virus. However, the pandemic also exposed the stark reality of keeping sensitive patient data out of the hands of cybercriminals.
The healthcare industry is one of the most prolific targets for cybercrime, and that trend shows no signs of slowing down in 2021. The pandemic forced a shift towards virtual care and experts suggest it has accelerated the adoption of digital solutions by almost three years. This created new opportunities for malicious hackers to take advantage of gaps in security protocols, or prey on busy key workers who may innocently click on a sophisticated phishing scam.
In order for healthcare providers to effectively protect themselves and their patients online, they must first understand the threats they are facing. Here are some of the most common techniques for stealing credentials:
Weak passwords – Attackers can successfully access accounts by simply guessing commonly used passwords, like password123. Poor password practices have long been an issue in cybersecurity, but the unfortunate truth is most people struggle to remember complex passwords, especially in high pressure environments. As a result, they opt for weak or frequently used passwords out of convenience.
Phishing – Phishing attacks are designed to trick recipients into thinking they have received a genuine message when in fact it may contain malicious code, an attachment or a link that enables criminals to breach defences or launch ransomware attacks. Phishing has become more sophisticated and targeted, and a recent study found that only 5% of Britons could spot a scam email. The number of phishing sites on Google also reached a record high in 2020, with criminals capitalising on the pandemic and more people working from home. They are increasingly taking advantage of general concern around welfare and unemployment, and in some cases offering access to vaccinations.
Poor security protocols – The 2020 DBIR from Verizon found that 45% of breaches featured hacking, and 70% were carried out by external actors. Hackers aim to stay one step ahead of an organisation’s security protocols, and a chink in the security armour could give criminals access to the network and enable them to move laterally. This means they could steal a huge volume of sensitive data in a short space of time. Unsecured systems also give attackers access to the network, where they can place a fake site between their victim’s computer and the website that the victim is accessing, in what’s known as a “Man in the Middle” (MitM) attack.
So how can you protect yourself in an increasingly digital world?
Prevention is the best protection
Healthcare providers should ensure that security policies and procedures are communicated to all staff. They should take some time to educate staff about the importance of providing care beyond immediate medical needs and protecting patient medical records. Regular communication with all staff is key to reinforcing what should be done to prevent breaches, and how to respond in the event of one.
It only takes one person to click on a link for an entire network to be infected. Regular training is needed to stop users falling for threats, which constantly evolve in line with the changing digital landscape. All members of staff with IT access should be advised to follow basic best practice to help protect their accounts. They should always choose complex passphrase credentials and use a password manager like Dashlane to store them safely. They should never open an attachment or click a link if any aspect of the email seems suspicious. They should be reminded of good habits while using shared computers or their own devices, and cyber security awareness campaigns should always be encouraged. It is also critical that they only use centrally managed computers for sensitive tasks.
Anything connected to the internet should have a firewall and antivirus software as a minimum. However, simply installing antivirus software is not enough. Continuous updates are essential for ensuring healthcare systems receive the best possible protection at any given time. One of the biggest weaknesses highlighted by the large-scale WannaCry attack was the fact that thousands of NHS PCs were using out-of-date operating systems that were no longer supported or updated. While our systems were protected against attacks, others were not so fortunate.
In the current regulatory environment, Data Loss Prevention (DLP) is critical for healthcare organisations if they want to avoid damaging data breaches and fines. Healthcare providers process and store huge amounts of sensitive information and they must comply with rigorous data security schemes set out by the NHS. It is these strict regulations which mean the healthcare sector has the highest overall costs associated with data breaches: 65% higher than the average across all industries. To ensure compliance, organisations are required to purchase services using the Cyber Security Services 3 framework, which is available to the public sector as a way to procure National Cyber Security Centre (NCSC) certified cyber security services.
It is important to note that security is not binary: it is a fine balancing act between mitigating risk and maintaining operational effectiveness. So the question is, if we cannot stop an attack, what is the next best thing? The most effective way to minimise damage is to divide the network into isolated micro-segments, stopping the lateral movement of malware and a potential full-scale takedown.
Fail to plan? Plan to fail
While no institution wants to deal with a data breach, those that prepare before it happens weather the storm better. Prioritising the protection of data and systems starts at the top, and ensuring there is a holistic, comprehensive approach to your security and privacy strategy will also help with leadership buy-in by giving security a place in the decision-making process.
There is no simple fix to prevent cyber criminals from attempting to plunder your most precious resources, but it is possible to keep them from walking out with the data they want. The best way to achieve this is to ensure good cyber security practices are implemented and that these are reinforced throughout the institution from leadership to every member of staff.
Work with the right professionals
To improve cybersecurity in healthcare it is crucial to work with and employ IT professionals who can not only collect, manage, and utilise data, but protect it as well. You should also work with technology and software providers who take cybersecurity seriously and have the right credentials.
Wellbeing Software holds a Certificate of Compliance from Cyber Essentials, acknowledging the robust information security and cybersecurity policies and processes we have in place across the entire organisation. The “Cyber Essentials Scheme” is a government-backed initiative run by the National Cyber Security Centre that aims to reduce cybercrime for businesses across the UK.
If you would like any more information about Wellbeing Software’s data protection strategy or our cyber security credentials, please get in touch today.