Healthcare services are under pressure. The Covid-19 pandemic has stretched them to their limit. As if the strains of a pandemic weren’t enough, healthcare organisations have also been subject to cyber attacks.
We’d like to think our healthcare services are immune to such attacks. But, they remain consistent targets.
Why do cyber criminals target healthcare organisations? And what can we do to make the healthcare industry more cyber resilient?
A growing threat
In 2020, the number of cyber attacks soared as cyber criminals took advantage of remote working and the disruption caused by Covid-19. Healthcare organisations weren’t spared during the onslaught. Nearly 140,000 malicious emails targeted NHS staff in 2020. In June, 113 NHSmail accounts were compromised in a phishing attack.
The pattern continued into 2021. In May, the Irish Health Service Executive (HSE) was forced to shut down its IT systems during a cyber attack. Hackers shared patients’ details online and demanded a ransom. The attack caused widespread disruption, leading to cancellations of outpatient appointments and clinics.
Healthcare systems have long been at risk. The WannaCry ransomware attack in 2017 disrupted more than a third of NHS trusts in England. That attack was relatively unsophisticated. Since then, the attack surface has grown.
More IoT devices and greater use of cloud services have opened up entry points for criminals. Remote working has made cyber security practices more difficult to enforce. These changes mean healthcare services remain at risk of another attack as disruptive, if not more so, than WannaCry.
Why target healthcare?
Confidential patient information is an obvious lure for cyber criminals. But several other factors make healthcare organisations prime targets.
The need for data to be shared across healthcare services and between patients and doctors opens up vulnerabilities. If one device is compromised, shared networks leave a whole organisation exposed.
Medical devices provide criminals with plenty of entry points. These devices aren’t designed with security in mind. As a result, lifesaving equipment can be compromised, acting as a criminal’s gateway into a healthcare network.
Legacy technology also poses a risk. A failure to patch systems or stop using older software opens up further avenues for attack.
With healthcare workers stretched thin, limited time and resources are devoted to reducing cyber risk. Thus, people in the industry remain ill-equipped to recognise and act on threats.
With a better-supported workforce, healthcare organisations can strengthen their defences against cyber attacks. With 90% of data breaches caused by human error, improving people’s security behaviour is critical.
“Supported” is not the same as “trained”. An effective strategy is one that empowers employees to recognise cyber threats and act appropriately to reduce risk. Not one-off training or tick-box exercises aimed at meeting compliance standards, employees need ongoing support.
Support. Assist. Empower.