Why a focus on resilience can combat healthcare cyberattacks amidst a moral crisis

Dominic Trott, Director of Strategy & Alliances, Orange Cyberdefense UK

Across the healthcare sector, many organisations are facing increasing pressures, with cybersecurity becoming an even more serious concern. It is no secret that the healthcare digital landscape is rapidly changing, with more hospital staff and patients relying heavily on IT systems to access health information.

These pressures have been worsened by the growing threat of cyber criminals who have brazenly targeted the critical systems of the most vulnerable – disrupting planned medical treatments and the lives of patients and medical teams.

According to our research, this level of disruption looks set to continue. There were 69 cyber extortion attacks on healthcare businesses during Q1 of this year, up more than 100% from Q1 in 2023. To combat this, healthcare organisations must deploy new technologies and strategies to tighten their security processes.

Here are three key recommendations for how healthcare organisations can incorporate cyber resilience into their ‘business as usual’ approach.

A moral tipping point
The moral boundaries of cyber-attackers are wavering. Four years ago, one of the most prominent ransomware families, Maze, declared they would not target hospitals or other essential organisations. However, recent attacks on healthcare victims and organisations prove otherwise.

Healthcare organisations are storing more sensitive data than ever, making criminals even more desperate to bring chaos to critical infrastructure for financial reward. Following a cyberattack on the pathology services provider Synnovis in June this year, more than 7,000 outpatient appointments and 1,500 elective procedures have so far been postponed by two London hospital trusts. Our research shows that health and social assistance is now the third most targeted industry, with a 160% jump from last year. Managing this change will require active collaboration with law enforcement, cybersecurity experts and industry partners to coordinate and share information on ransomware threats and trends. Healthcare leaders must also educate their internal teams about good security practices and implement well-defined security procedures and policies. By combining knowledge, resources and support, healthcare teams can increase their cybersecurity readiness and respond quickly to cyberattacks.

Incorporating resilience
In this sector, more than any other, a defence-in-depth approach to security is required. Healthcare security leaders must provide and build out essential mechanisms to ensure that business operations remain up and running even in the face of a live cyberattack.

To do this, healthcare organisations must make cybersecurity a core value. Genuine security must be at the heart of every strategy and healthcare leaders need to work hard to demystify cybersecurity and illustrate how making the right behavioural adjustments can not only protect the entire organisation, but go beyond that to help it operate better more generally.

Further to this, leaders must be able to clearly demonstrate the consequences of inadequate security measures and effectively communicate their security strategy across their organisation. This will facilitate the resilience required to mitigate cyber risks and promote a strong cybersecurity culture.

The importance of resilience is being increasingly recognised. Not only has cyber resilience been set out as a key pillar of the UK’s National Cyber Security Centre (NCSC) vision for improving the UK’s overall security posture, but it will soon be part of the UK’s regulatory landscape.

As presented in July 2024’s King’s Speech, the new UK government proposes a Cyber Security and Resilience Bill. This Bill aims to introduce regulation to improve cyber resilience amongst the UK’s critical service providers – including healthcare.

This means that, while healthcare budgets remain tight, new regulatory requirements will drive healthcare providers to make the investments required for compliance. This is important because of the succession of security breaches impacting UK healthcare providers that demonstrate the vital importance of investing in better security controls, including the ransomware attack on Synnovis. The risk to life that resulted from the interruption of these treatments must be weighed against the cost of ensuring appropriate cybersecurity.

Third-party risk management
Organisations are increasingly turning to third-party providers for support with their digital transformational strategies. With the proliferation of the cloud, software-as-a-service and AI-driven security platforms, mitigating the inherent risk of using third-party providers has never been more crucial. The Synnovis example demonstrates this perfectly.

A key challenge when using third parties is that it is difficult for an organisation to apply its own policies, procedures and controls to protect data within an external environment. This can make collaboration, cooperation, risk management and technology adoption more convoluted and time-consuming.

To work around this, healthcare organisations must establish a third-party risk management program that requires third-party providers to meet certain thresholds in terms of cybersecurity skills, technologies and processes – that operate in tandem with their internal policies. By deploying a governance structure that establishes scalable standards that apply to numerous providers, healthcare leaders can ensure that they are complying with regulatory and data protection requirements.
