There are more digital touchpoints in the healthcare systems we experience today than ever before.
Telemedicine, virtual care, medical devices enabled by the Internet of Things (IoT) and patient communication portals are helping to improve clinical outcomes and provide new models of care in a rapidly changing healthcare landscape.
This transition towards digitally enabled healthcare has accelerated during the pandemic too, as doctors have relied heavily on virtual appointments to fulfil routine healthcare check-ups and, in turn, help the NHS deal with the extra patient load.
Better technology has now become vital for the NHS instead of a “nice to have”, according to Secretary of State for Health and Social Care, Matt Hancock. He also recently announced that incorporating AI and Machine Learning into patient care will be a key priority for the NHS going forward.
These developments will clear a path for a higher standard of healthcare, better affordability, and enhanced convenience for patients around the country. But the creation of a complex care delivery network also brings unwanted attention from cybercriminals seeking potential vulnerabilities: 50% of healthcare organisations report that a cyber attack has impacted their business within the last three years, according to our recent global threat landscape report.
Furthermore, nearly 20% of healthcare organisations identified privileged insiders – or user accounts that can access and control vital data and applications – as their number one security threat.
As hospitals and healthcare ecosystems continue to battle Covid-19, attackers have also found new ways to disrupt any progress. Recently, the National Cyber Security Centre (NCSC) identified a heightened cyber threat level across the UK health sector since the onset of the pandemic, with cyber crime groups attempting to steal sensitive intelligence, intellectual property and personal information from pharmaceutical companies and medical research organisations.
These attacks can have potential life and death consequences too; recently a German woman became the first person to die as an indirect result of a cyber attack, after a local university hospital – which was mistakenly hit by hackers looking to target the university itself with the attack – was forced to redirect her to another hospital for a critical medical procedure when hackers deactivated their computers.
These events make it abundantly clear that prompt action must be taken to alleviate the cyber threat. Healthcare providers need to put an emphasis on protecting highly targeted electronic personal health information (ePHI) within these expanding, interoperable care delivery networks.
Forecasting a cloudier outlook
Healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information – much of it located in the cloud. Recently, the NHS announced their intent to create a nationalised approach for the digitisation of millions of GP records as part of the government’s ‘Cloud First’ policy.
The transition to cloud in the healthcare sector has been extensive. Our data indicates that 43% of all healthcare organisations surveyed deploy or store patient data, including data subject to regulatory oversight, in the cloud.
Nearly half (46%) are deploying or storing cloud-based business critical applications, including revenue-generating customer-facing applications, in the cloud. Furthermore, 45% of healthcare organisations are deploying critical business applications on software-as-a-service (SaaS) offerings – including customer-facing applications, enterprise resource planning (ERP), customer relationship management (CRM), and financial management software.
As more and more functions are moved to cloud and hybrid cloud environments, the security risks only increase. To clarify, the use of the cloud is not problematic in and of itself, rather some troubling cloud-related habits exist among those organisations that are adopting cloud-based strategies, which may be to blame.
For example, 35% of healthcare organisations are fully depending on their cloud provider’s built-in security to secure assets, despite not believing it is sufficient. Even more disturbing – a good number of healthcare organisations admit that they didn’t notify their customers when their sensitive data had been compromised as a result of a cyber attack, and 37% said they would prefer to pay a penalty or fine for non-compliance with regulations instead of substantially changing their security strategy.
In fact, complying with data privacy regulations appears to be a major challenge for healthcare companies, with only 40% saying they were prepared for a potential General Data Protection Regulation (GDPR) breach investigation.
As healthcare organisations continue to embrace digital transformation, they need to modernise their security programmes to suit this new landscape.
Prioritising privileged access management
Another key security concern for the healthcare industry is privileged access management. A large majority of organisations (86%) think IT infrastructure and critical data are not fully protected unless privileged accounts, credentials, and secrets are secured. Yet, 38% of healthcare organisations do not have a privileged access management strategy in place for cloud infrastructure and workloads, and 44% do not have a privileged access management strategy in place for business-critical applications – including customer-facing applications.
The oversight when it comes to privileged access management is likely due to a limited understanding in the healthcare sector of where privileged accounts, credentials, and secrets can exist within an IT environment.
Only 24% of organisations recognised that privileged accounts and credentials exist within containers and only 30% said they exist within continuous integration/continuous delivery (CI/CD) tools. That being said, more than one quarter (28%) of all planned security spending in the healthcare sector in the next 24 months will go toward preventing privilege escalation and/or lateral movement, according to our study.
Future-proofing for the post-pandemic world
The risk profile of an organisation is influenced by every single employee, application, and technology it employs. So, as healthcare organisations such as the NHS looks towards a fully-fledged digital transformation post-pandemic, IT and security teams must look to understand the impact these efforts have on the security of an organisation’s assets. Once the impact has been recognised and understood, practices can be adapted to suit necessary requirements.
To build a resilient healthcare sector for the country’s future success, critical adjustments to the current cyber security practices are imperative.
This may require new talent, skillsets, and tools, but they are nonetheless vital in protecting assets from advanced threats in the current landscape. Updating tools and managing access to privileged accounts and credentials reduces a cyber criminal’s moves considerably and constricts their path. In a sector with so much at stake, it is key that every piece of the cybersecurity puzzle is in place to completely secure a targeted network. All stops must be pulled out to maintain the critical functions of our most needed establishments.
By David Higgins, EMEA Technical Director, CyberArk