There are many challenges surrounding cyber security in healthcare. As well as exploring the underlying reasons why healthcare in particular is vulnerable to attack, I plan to explore what good looks like.
For me, the healthcare industry is a prime target for medical information theft as it lags behind other leading industries in securing vital data. It’s imperative that time and funding are invested now to protect healthcare technology and the confidentiality of patient information. Cyber security in healthcare protects electronic information and assets from unauthorised access, use, loss, and disclosure. Its goal is to safeguard the confidentiality, integrity, and availability of confidential information, otherwise known as the CIA triad. It’s becoming increasingly important now, with accelerated remote working bringing a new wave of security risks.
Earlier this year the Health Service Executive (HSE) of Ireland suffered a major ransomware cyber-attack. Many hospital appointments across the country were cancelled, EHRs became inaccessible, radiology systems went down, and the COVID-19 testing referral system was rendered unavailable for a number of days. The scale of the disruption, the alarming threat to life, and repair costs estimated in the millions underscore the massive danger posed by cybercriminals and the growing necessity for stronger cyber security.
Medical records containing highly sensitive data need to be kept private. For large records (e.g. CT scan images) the problem is doubly complicated by the size of the files being transferred and displayed.
In terms of basic cyber security, the healthcare industry lags behind other sectors like finance and manufacturing, which often build their infrastructure with data security in mind. This is especially challenging given how rewarding healthcare breaches can be to hackers (personal health information is worth an average of 10 times more than financial information on the black market). Not to mention the significant risk to patient care when day-to-day functions are interrupted.
Protecting healthcare information is now a top priority for all healthcare organisations. Innovative medical devices and healthcare applications are critical to patient care, but, as seen in Ireland, we are all too often the target of cybercriminals. It is critical that manufacturers implement security by design to keep our patients and their data secure.
So how can digital healthcare leaders respond to the cyber security challenges we are facing? The NHSX What Good Looks Like framework advises having a system-wide plan for maintaining robust cyber security and an adequately resourced ICS-level cyber security function.
Sound advice, but my experience suggests effective cyber security demands a base set of skills that an NHS or public sector healthcare organisation isn’t necessarily well placed to deliver itself.
For this reason, many healthcare organisations are deciding to outsource security in its entirety. The Chief Information Officer of a leading NHS Foundation Trust describes how this approach benefitted them:
“We had a vision for a modern system fit for 21st century medicine, but we knew to try and run this ourselves would be a mistake. Now, we have experts across different domains that the Trust previously didn’t have access to. Malware is trapped before it gets anywhere near the hospital systems and staff are protected with an ‘invisible layer of security’ both on and off the hospital campus.”
Keeping pace with the fast-moving security landscape is vital, but removing the immense pressure of day-to-day management can also help achieve broader digitalisation goals within healthcare.