How to mitigate the continued cyber risks facing the health sector
Chris Deverill, Sales and Marketing Director, Orange Cyberdefense UK
Healthcare organisations have been under enormous pressure in recent years, primarily as a result of the global pandemic, which stretched resources to breaking point.
These pressures have been worsened by the growing threat of cyber criminals who have brazenly targeted the critical systems of hospitals and surgeries, disrupting medical processes as well as the lives of patients and medical professionals.
The Orange Cyberdefense Cy-Xplorer 2024 recorded 69 cyber extortion attacks on healthcare businesses in Q1 of this year, up over 100% from Q1 2023. This supports findings from the Orange Cyberdefense Security Navigator 2024, which found that while for most industries the majority of incidents we detect are triggered internally, we attributed 75% of healthcare incidents to external actors like criminal hackers and APTs (state-backed threat actor groups).
This was the case in a recent incident impacting major hospitals in London. In early June it was reported that a critical incident had been declared after a cyber attack had led to operations being cancelled and emergency patients being diverted elsewhere. King’s College Hospital, Guy’s and St Thomas’, as well as primary care services were among those affected. Hackers had targeted a third-party provider of pathology services, leading to more than 800 planned operations and 700 outpatient appointments being rearranged in the week immediately after the incident. To date, more than 7,000 outpatient appointments and 1,5000 elective procedures have been postponed.
This latest attack follows a string of incidents impacting UK healthcare organisations. Earlier this year criminals focused on the IT systems of NHS Dumfries and Galloway, gaining access to a large volume of patient and staff-identifiable data. The hackers subsequently published more than three terabytes of data, with staff warned that they would be at increased risk of identity theft.
These attacks speak to a moral tipping point for bad actors. What makes healthcare different to other industries is that previously attackers had always been explicit in avoiding healthcare due to a moral compass and fear of political blowback. This has gone out the window this year.
Why healthcare?
One of the primary reasons that hackers have now turned their sights towards the healthcare sector is that organisations hold vast quantities of private or sensitive patient data. The impact can be devastating if critical activities are interrupted, let alone prevented, by a software outage. These implications may encourage healthcare organisations to consider paying larger ransom demands to decrypt their data, stop it from being released on the dark web or prevent downtime that may stop them from continuing business as usual.
Secondly, the healthcare system represents a broad attack surface for criminals. The NHS in England directly employs 1.7mn people, and when you consider that human error is one of the leading causes of cyberattacks, you can understand why the sector is a growing focus of criminal intent. People are invaluable to the success of any healthcare organisation, but many employees are simply unaware of the security risks they pose.
An ecosystem approach to resilience
The latest incidents highlight the importance of incorporating resilience into the security approach of all healthcare organisations. In this sector more than any other, a defence-in-depth approach to security is required, enabling business operations to remain up and running even in the face of a live cyberattack. However, as in the case impacting the London hospitals, sometimes looking internally can only take you so far. Organisations are increasingly taking an ecosystem approach to security, thinking about the problem in terms of third-party risk management.
The challenge of third-party risk is that it is difficult for an organisation to apply its own policies, procedures and controls to protect data within an external environment. This makes it a problem of collaboration, cooperation and risk management as much as it is about technology deployment – which has often been the first port of call for a security issue.
If an organisation is dependent on third parties but only looks to ensure cybersecurity internally, then it has failed to take sufficient steps to protect itself from cyberthreats and has left itself open to risk. Businesses need to ensure any third party they trust with one of their most valuable assets is taking every step to be as secure as possible, such as enlisting the support of a SOC or an MDR service that can provide constant security and remediation.