The Importance Of Cybersecurity In Healthcare Facilities
The healthcare sector is increasingly dependent on technology, from maintaining daily operations to crucial patient care and data management. There is no doubt that this is driving up standards of quality and efficiency in hospitals, care homes, and other healthcare settings, but it also carries significant cyber security risks.
BBC News reports on the latest cyberattack, which affected major London hospitals in early June, including King’s College Hospital, Guy’s and St Thomas’, the Royal Brompton, and the Evelina London Children’s Hospital. The attack caused serious disruption to services, as some departments could not connect to the main server.
The cyberattack has led to cancelled operations, diverted emergency services, and blocked access to pathology results, including blood tests and blood transfusion results. This could delay emergency care as IT experts work to establish how widespread the ransomware attack is, and which parts of the network can be safely accessed.
This is just the latest example of how vulnerable healthcare services are to cybersecurity threats. Here’s an overview of the main cybersecurity threats and challenges faced by the sector, and how they can be addressed.
Patient data security
As we have seen, the security of patient data is of paramount importance. This includes access to vital test results, as well as highly sensitive and confidential information that could identify patients and reveal their medical histories. If this data is accessed by cybercriminals, they may use it for blackmail or identity theft.
Furthermore, UK healthcare providers must comply with strict data safeguarding regulations, including the General Data Protection Regulation (GDPR) and the Data Security and Protection Toolkit (DSPT). If the provider is found to be in breach of these regulations, it can result in severe penalties and a loss of public trust and confidence.
Complex and outdated IT infrastructure
Hospitals can have huge and extremely complex IT infrastructure that supports a range of interconnected systems and operations, with very little capacity for downtime for updates or repairs. The systems should ideally be compatible with all aspects of daily operations, and this can present enormous IT security challenges and risks.
Furthermore, some hospitals and care homes may still be running legacy systems that are too outdated to support new security updates or to provide the features needed to guard against cyber attacks. Unfortunately, cybercriminals are adept at exploiting these vulnerabilities and will deliberately target organisations with outdated systems.
Lack of resources and training
Many healthcare organisations are facing severe budget constraints, which limit their ability to maintain up-to-date IT systems and implement the best cyber security systems. This can leave them vulnerable to security breaches and lapses that are exploited by cybercriminals.
There may be further constraints due to staff shortages, or the lack of time and resources to train staff in cyber security awareness. The care home sector is particularly reliant on staff from diverse backgrounds and they may not be familiar with UK security requirements or procedures. The sector also has a high staff turnover, bringing a further barrier to training.
This can increase the risk of human error causing cyber security breaches, and undermine prompt reporting of, and an effective response to, an incident.
How can healthcare organisations minimise their cybersecurity risks?
Regular risk assessments
The first step to robust cybersecurity management is to carry out a risk assessment to identify current and potential risks and vulnerabilities in the system. The assessment should be fully comprehensive and leave no stone unturned, from patient data security to the operation of medical devices and equipment.
Implementing updates and patching
When upgrading the entire network is out of the question due to budget or operational constraints, regular patches or individual software updates should be installed to guard against the latest security threats.
Extra layers of security can be added with data encryption that protects data when in transit, so even if it is intercepted the data remains unreadable.
Multi-factor authentication
Multi-factor authentication (MFA) can make it more difficult for attackers to gain access to systems and data, even if they do manage to obtain the login details of a member of staff. MFA relies not just on a password, but on a second or third means of authentication, such as biometric data or a PIN code sent to a mobile device or an email address.
Comprehensive IT monitoring and support services
Healthcare organisations often work with a third-party IT management and support service that has access to the most up-to-date information and techniques for cyber security best practice.