Nic Sarginson, Sr. Solutions Engineer for UKI and RSA at Yubico, discusses the cybersecurity issues facing healthcare organisations and how the threat dynamics are expected to change over the coming 24 months
Data held within the healthcare sector is particularly sensitive. Cybercriminals looking to capitalise on a compelling mix of valuable data and vulnerable security systems may find prime targets among healthcare organisations. To mitigate the risk, security measures must include strong authentication methods, employee training and communication, and an extension of cybersecurity measures to the organisation’s supply chain.
In healthcare, computer systems hold sensitive data, while also supporting the organisation in providing a standard level of care to patients – making the sector a prime target for extortion attempts. In 2017, the WannaCry cyberattack affected thousands of computers around the world, including those used within the NHS. Some computer systems were paralysed as hackers demanded ransom payments to release encrypted data.
The impact of this attack was substantial. In October 2018, the Department of Health & Social Care released an update, which reported that the cyber incident disrupted services across a third of hospital trusts and around 8% of GP practices. The cost, while difficult to calculate comprehensively, was estimated at approximately £19 million of lost output. The estimated total financial impact reached £92 million, which included IT costs both during and after the attack.
Emails provide an entry point to hackers
Phishing, whereby a cybercriminal poses as a legitimate organisation or individual in order to trick a target into taking an action, is a common form of attack on organisations across all sectors. Emails are often used as the way in, carrying links to bogus websites or malicious attachments.
This type of attack is a particular concern in healthcare because it can compromise email accounts used to exchange data of a highly sensitive nature. If a healthcare employee’s email login information is stolen or leaked — including the username and password — this can be used by criminals to gain access to patient information.
Healthcare organisations must ensure robust security measures are in place to mitigate the risk of compromised email accounts, data breaches, and other cybersecurity incidents. It’s important to note that security measures should cover all aspects of people, process and technology:
- Practices and procedures – strong authentication methods secure access to applications, systems and data
- Communication with staff and other key stakeholders – regular updates and reminders on good security behaviours, and mandatory actions whenever security falters
- Dealings with suppliers – cyber criminals may exploit any weak link in a supply chain to gain access to a target. According to Osterman Research: “Tight connections between businesses across a healthcare ecosystem can compromise an entire ecosystem”
- Training – induction training, regular boosters and additional training for all staff and, where appropriate, other stakeholders.
Stronger authentication to bolster security
The means by which employees authenticate their identity to gain access to email, other cloud-based applications, and computer systems is a primary source of entry for bad actors. This makes multi-factor authentication (MFA) imperative for organisations looking to protect their employees and corporate assets from the damaging effects of phishing and other attacks aimed at compromising login credentials.
MFA requires users to provide more than just something they know (a username/password). For example, users can present something they have, like a physical authentication device, and/or something they are – which can be in the form of a biometric identifier like a fingerprint or iris scan.
The strongest authentication option is a security key, which is registered with the applications and services an employee uses. Each time the employee logs in, the key must also be present to gain access, which gives a higher level of protection than a username and password alone. The key is something the employee has, in addition to something they know; because authentication no longer depends solely on a secret the user knows, which a phishing attack can capture, security is strengthened.
An example of this is the new generation of devices built on the global authentication standard FIDO2, which lets users authenticate to desktop and web services with a secure hardware device. FIDO2 is seen as central to services such as NHS Identity, forming part of authentication roadmaps that introduce a new era of hardware-backed authentication.
Robust cybersecurity measures are essential for organisations in all sectors. Healthcare organisations are an attractive target for cybercriminals because of the very sensitive nature of the data they hold and process. To mitigate the risk of data breaches and other compromising cybersecurity incidents, healthcare organisations should ensure clear and effective security procedures are in place, along with strong authentication methods. This approach should be backed up by regular communication and training so that cybersecurity is not only delivered in practice, but also forms the foundation of a cybersecurity culture within and beyond the organisation.