Comment: Why awareness is key to keeping the healthcare sector secure

Andy Barrow, chief technology officer at ANS Group, explains why NHS trusts need operational procedures and skills in place to ensure security infrastructure and software are fit for purpose

Andy Barrow

2016 was a bruising year for the healthcare sector in terms of cyber security, and 2017 hasn’t started any better.

Last year, several NHS trusts suffered attacks, with one declaring a ‘major incident’ after a virus led to the cancellation of 2,800 patient appointments.

A Freedom of Information (FOI) request also showed that almost half of trusts in England have been hit by ransomware in the last year.

This crystallises the consequences of a successful attack. It’s not just about simple disruption or inconvenience – patient safety can be under threat.

It’s no longer enough for IT departments and CIOs to take responsibility for cyber security; it must be a priority for CEOs and boards.

Hospitals across the country are turning to technology and connected devices to enhance the patient experience and improve outcomes. This is understandable, as any efficiency savings at a time when budgets are stretched are to be welcomed.

However, each new technology provides another avenue for cyber criminals to exploit. Telehealth applications and connected devices such as X-ray machines often make vulnerable targets.

Only last year, medical devices made by an American company, including pacemakers and defibrillators, were found to have vulnerabilities which could have potentially enabled hackers to remotely control the devices.

Traditional security mechanisms that focus on protecting computer-based networks, which healthcare organisations have historically relied upon to keep themselves and their data safe, are no longer sufficient in the modern connected world.

Healthcare organisations must become more agile when it comes to security and more strategic in their approach to security architecture.

It’s essential to have the operational procedures and skills in place to ensure that security infrastructure, software and measures are consistently fit for purpose.

This means having a team in place that can continuously monitor, identify and remediate security issues in real time.

However, with internal IT departments already stretched, there often aren’t the resources or time to deal effectively with cyber threats – particularly on a continuous basis. Instead, they are rightly focusing on patient care.

Monitoring for, and responding to, cyber threats requires high-level expertise and an unwavering focus.

The nature of the risk of cyber crime means that having an effective security solution is a full-time job, requiring dedicated expertise and backed by machine learning and sophisticated threat detection networks.

It’s often more convenient and secure to embrace these capabilities through service partners, who will have robust and proven operational procedures, and will be able to proactively defend networks and devices around the clock.

Although security software and products are an important foundation, robust security procedures and easy-to-understand policies are also effective.

Educating employees as to specific threats and the general risks can pay dividends too. It’s broadly accepted that humans are the weakest link in any security chain – as one wrong click can give a nefarious actor the keys to the kingdom.

Most industries worry about reputation and profit when it comes to cyber attacks. For the healthcare sector there is patient safety to factor in, too. Although budgets are tight, cyber security must be a priority – for everyone, from the CEO to doctors and nurses.
