Joe Kim, CTO of SolarWinds, explores the potential learning opportunities from business for cyber security in healthcare organisations
The cyber security market is currently valued at $122.45bn, with an expectation that this will rise to $202.36bn by 2021. Cyber security is becoming a huge concern for businesses, with so many enterprises coming under attack recently. However, over the next few years, the threat landscape will develop and the aim of a cyber attack won’t be solely financial.
Though cybercriminals are usually incentivised by financial gain, the reality is that a cyber attack can create far more damage than just hitting an organisation fiscally – this is especially the case when it comes to healthcare organisations. Health data is far more valuable to a cybercriminal, going for roughly 10 or 20 times more than a generic credit card number. Therefore, we can expect to see a surge in healthcare breaches. However, the impact of this won’t just cripple a trust financially. It’s possible a cybercriminal could take over a hospital, manipulate important hospital data, or even compromise medical devices.
It’s already started
These sorts of breaches are already happening. At the start of 2016, three UK hospitals in Lincolnshire managed by the North Lincolnshire and Goole NHS Foundation Trust were infected by a computer virus. The breach was so severe it resulted in hundreds of planned operations and outpatient appointments being cancelled.
The event, which officials were forced to deem as a “major incident”, also made it difficult to access test results and identify blood for transfusions, and some hospitals struggled to process blood tests. This is one of the first examples of a healthcare cyber security breach directly impacting patients in the UK, but it won’t be the last.
Follow in the footsteps of enterprises
Breaches like these have put a great deal of pressure on healthcare IT professionals. Though there has been a shift in mentality in enterprise, with security becoming a priority, the same can’t be said for the healthcare sector.
Before healthcare IT professionals can even start to fully protect against these potentially life-threatening attacks, the mentality of healthcare organisations needs to change. Currently, it’s very common for healthcare organisations to lack basic cyber essentials, with some still running on outdated operating systems, and many devices not having basic anti-virus software. It’s already a challenge for healthcare IT professionals to keep the network safe and secure. From a community nurse using her iPad to input important patient data, to hospital clinics trying to record everything, the number of entry points is enormous.
This puts healthcare IT professionals at a huge disadvantage from the get-go. The situation is worsened by the budget cuts that most healthcare organisations face, which make security a hard thing for the board to prioritise.
It doesn’t need to break to be fixed
Healthcare IT professionals have made it clear that they aren’t confident they could protect their trust from a severe breach. Many assume the board will only focus on security once a significant breach occurs, and wonder how bad it needs to get for them to listen. It is time healthcare organisations learned from enterprises that have seen breaches occur and acted. In the meantime, there is work that requires little investment that IT professionals can do to protect the network.
Educate and enforce
Employees are often the weakest link when it comes to security in the workplace. Few workers understand how simple it is for a cybercriminal to gain access to the network through an employee’s mobile phone, and often opt to use their own devices in the workplace.
It is therefore vital that healthcare IT teams have a consolidated overview of what devices are connected to the network, supported by an awareness campaign that encompasses both education and enforcement. By doing so, employees will have a better understanding of the potential threats that could come from having an unauthorised device connected to the network.
For example, healthcare workers need to be shown how a cybercriminal could infiltrate the network through hacking someone’s phone. This would also start a dialogue between healthcare employees, helping them to prioritise security and thus giving the IT department a better chance of protecting the organisation from a breach.
It’s naturally assumed that a healthcare IT professional should be able to effectively protect his or her organisation from an attack. However, even the most experienced security professional would struggle to do so without the right tools in place. To protect healthcare organisations from disastrous attacks requires funding, investment, and cooperation from employees.