Combatting the Threat of Cyber Attacks in Healthcare
Technological advances are making huge improvements to healthcare, providing new therapies, enhancing existing procedures, enabling greater patient centricity, and reducing financial costs. The growth of technology in this industry, from robotics and 3D printing through to digitisation of health records, brings about new challenges; one of the biggest of these is cybersecurity. In recent years, there has been a substantial rise in cyber-attacks in healthcare [1] for a number of reasons, including relatively weak security and the high value that healthcare data has in comparison to information from other industries, even banking [2]. New forms of threats have emerged in recent years that are particularly relevant to this sector; the most publicised of these is ransomware, which is used by cybercriminals to threaten harm, such as blocking access to a computer system unless payment is made. As innovative technologies in healthcare become ever more sophisticated, so does the possibility of even greater forms of cybercrime occurring in the future. In this article, we take a brief look at trends and challenges in cybersecurity in healthcare and, in the context of the UK’s National Health System (NHS), at the sort of actions that have been taken and still need to be taken in order to combat such issues.
Vulnerability of Healthcare
In a modern hospital, facilities and systems are becoming increasingly connected, ranging from drug pumps to bedside terminals. This means cyber-attacks on hospitals have the potential to be especially devastating, with the attack surface growing with every new device that is added to the system. A recent survey found that over 20% of healthcare IT professionals reported their network had in excess of 5,000 devices connected to it, and this figure rose to 37% in organisations with more than 500 employees [3]. In recent times there has been a strong emphasis on digitising patient records, including in the UK’s NHS [4]. In addition, there has been a huge growth in healthcare apps and devices that patients can use to manage conditions and generally improve their health outside of a hospital setting, such as the tracking of data through Fitbits. These are areas in which sensitive patient information is vulnerable to cyber-attacks. Patient health records are believed to be of particular value to cybercriminals; for example, stolen medical identities can be used to obtain medical services or prescription medicines [2].
With technologies becoming more sophisticated, cyber-attacks have the potential to be correspondingly more advanced. Technological devices that are directly connected to the patient, such as pacemakers and drug infusion pumps, offer possible targets, with the rather chilling prospect of these sorts of instruments being remotely manipulated to alter operation or even send fatal drug doses [2]. A related potential future issue that has also been discussed by experts in this field is ‘brainjacking’. Here, advances in brain implant technology, such as deep brain stimulation, provide excellent tools for the treatment of a range of neurological and potentially mental health conditions. Such devices enable neurosurgeons to take precise control over the human brain and wireless control of stimulators in order to alleviate distressing symptoms. Unfortunately, this opens up the possibility of cybercriminals hacking into the system to alter stimulation settings, for example by inhibiting movement in Parkinson’s patients. There are even more futuristic possibilities, like inducing behavioural changes in the patient [5]. While thankfully there have been no cases to date of the above occurring, experts warn that this is a distinct future possibility. Another form of malware already in existence is called Medjack (Medical Device Hijack), which can infect medical devices including therapeutic and diagnostic equipment, moving through hospitals undetected [6].
At present, infection with ransomware is the most concerning issue for hospitals, with numerous well-documented attacks in recent years that have had major implications for the care of patients. One example is that of a California hospital, which agreed to pay a substantial sum of money to hackers in order to regain control of its hospital network following an attack in 2016 [7]. Another more widespread case was the global WannaCry attack in May 2017, which affected more than 200,000 computers across at least 100 countries [8]. In the UK, this particularly impacted the NHS, with at least 80 of the 236 hospital Trusts believed to be infected, in addition to another 603 primary care and other NHS organisations. Although the damage was not as harmful as it might have been due to the relatively quick discovery of a kill switch that stopped WannaCry locking devices, thousands of appointments and operations had to be cancelled and, in some places, patients were forced to travel further to accident and emergency departments.
In his presentation entitled ‘What Happens When Ransomware Kills’ at this year’s Digital Health Technology Show at the Excel, London, Dr Saif Abed posed a scenario even more alarming than the locking of a hospital computer system. He asked the audience to imagine being a Chief Information Officer (CIO) of a hospital and receiving a phone call from a cybercriminal saying that the hospital’s network has been breached and if payment is not made, patient medications will be mixed up. He said: “Now you can multiply those scenarios in your own mind and the infinite combinations and permutations you can reach, and you can see there is a serious threat that at this moment in time we haven’t even started to consider.”
So what measures need to be taken to minimise the risk of such potentially devastating scenarios occurring? Well, from the UK’s NHS perspective, it would certainly appear that WannaCry was a huge wake-up call; there is now an acknowledgment that urgent action is required to improve cybersecurity. Previously, this was not a major focus of the health service, and generally amongst staff there was limited awareness of the dangers posed. While reports warning that action needed to be taken in this regard were published by the National Data and the Care Quality Commission (CQC) in July 2016, the Department of Health did not publish its formal response to these recommendations until July 2017, following the WannaCry incident.
In his presentation, Dr Abed emphasised the need for a proactive approach to cybersecurity, ensuring that the necessary systems and structure are put in place to prevent attacks occurring as much as possible. He argued that it needs to become a regular item on the agenda in the health service and include the continuous review of procedures and regular staff training on the issue. “It’s like healthcare, the best way to make your population healthy is to prevent the conditions from happening,” he stated.
Up-to-Date Security Software
The investigation into the incident by the National Audit Office found that NHS hospitals could have prevented the attack by following basic IT security best practice [9]. An example of this is ensuring that operating systems are up-to-date, such as all computers being run with Windows 10 software rather than earlier unsupported versions. The Department of Health recently announced a deal with Microsoft for this very reason [10].
Other initiatives in this respect in recent months have included a 3-year strategic partnership between NHS Digital and IBM for new services that enhance the ability of NHS Digital to monitor, detect, and respond to a variety of security risks and threats [11]. A Cyber Security Programme has also been developed to ensure that the necessary security actions are being taken and that various NHS bodies are fully aware of their responsibilities in this regard. For example, they aim to make sure actions related to critical CareCERT alerts are completed [12]; CareCERTs offer advice and guidance to support health and social care organisations to respond effectively and safely to cyber security threats [13].
In terms of reacting to situations where a cyber-attack has taken place, a new ‘Cyber Handbook’ has been produced to articulate the actions that need to be taken by NHS England, NHS Digital, and NHS Improvement in the event of an attack. This was in light of the report into WannaCry, which found that the lack of preparedness was because there had been no rehearsal for a national cyber-attack and there was a lack of clarity about who should be taking responsibility for leading the response [14].
Therefore, understanding who is accountable and responsible for cybersecurity at individual hospitals is critically important. In the ‘Lessons learned Review of the WannaCry Ransomware Cyber Attack’ report [14], the need for particular board members to be responsible for areas including reviews of existing security systems, regular maintenance of critical systems and equipment, ensuring that CareCERT alerts are actioned, and commissioning new IT systems was emphasised.
Another area that needs constant attention is the training of NHS staff. With such sensitive data held in the computer systems of NHS institutions, it is vital that staff are adequately trained to handle personal data confidentially. Bad practices that often occur in workplaces in general include leaving password details lying around and remaining logged into computers that are left unattended. Ensuring these basic security rules are followed by hospital staff as a minimum can make a fundamental difference to the security of patient data.
Cybersecurity is becoming an increasingly pertinent topic in healthcare, with the potential threats that hackers can pose in this industry only now starting to receive significant attention. Ransomware has struck hospitals in several high-profile cases in recent years, leading to major implications for patient care. With healthcare technology becoming increasingly sophisticated, the types of cyber-attacks that could be mounted are potentially more sinister in nature. The WannaCry ransomware attack of 2017 was a major wake-up call to the NHS to improve cybersecurity measures, and a lot more money and initiatives have been invested into doing exactly that. There is no doubt that this needs to be a continuous process; procedures, equipment, software, and training require constant reviews and updates to minimise the risks of breaches to this extremely confidential area.
1. Jay J. Healthcare sector suffered more than half of all cyber-attacks in 2017. 2018. Available at: https://www.scmagazineuk.com/healthcare-sector-suffered-half-cyber-attacks-2017/article/1472744. Last accessed: 1 August 2018.
2. Coventry L, Branley D. Cybersecurity in healthcare: A narrative review of trends, threats and ways forward. Maturitas. 2018;113:48-52.
3. Infoblox. Cybersecurity in healthcare: The diagnosis. 2017. Available at: https://www.infoblox.com/wp-content/uploads/infoblox-report-cybersecurity-in-healthcare-diagnosis.pdf. Last accessed: 1 August 2018.
4. NHS England. Paper-free at the Point of Care: Guidance for Developing Local Digital Roadmaps. 2016. Available at: https://www.england.nhs.uk/digitaltechnology-old/wp-content/uploads/sites/31/2016/11/develp-ldrs-guid.pdf. Last accessed: 1 August 2018.
5. Pycroft L. Brainjacking – A new cyber-security threat. 2016. Available at: https://theconversation.com/brainjacking-a-new-cyber-security-threat-64315. Last accessed: 1 August 2018.
6. Freedman LF. Medical Device Malware Medjack.3 Poses Threat to Hospitals. 2017. Available at: https://www.dataprivacyandsecurityinsider.com/2017/03/medical-device-malware-medjack-3-poses-threat-to-hospitals/. Last accessed: 1 August 2018.
7. Dobuzinskis A, Finkle J. California hospital makes rare admission of hack, ransom payment. 2016. Available at: https://www.reuters.com/article/us-california-hospital-cyberattack/california-hospital-makes-rare-admission-of-hack-ransom-payment-idUSKCN0VS05M. Last accessed: 1 August 2018.
8. National Audit Office. Investigation: WannaCry cyber attack and the NHS. 2018. Available at: https://www.nao.org.uk/wp-content/uploads/2017/10/Investigation-WannaCry-cyber-attack-and-the-NHS.pdf. Last accessed: 1 August 2018.
9. Hern A. NHS could have avoided WannaCry hack with ‘basic IT security’, says report. 2017. Available at: https://www.theguardian.com/technology/2017/oct/27/nhs-could-have-avoided-wannacry-hack-basic-it-security-national-audit-office. Last accessed: 1 August 2018.
10. Department of Health and Social Care. Plans to strengthen NHS cyber security announced. 2018. Available at: https://www.gov.uk/government/news/plans-to-strengthen-nhs-cyber-security-announced. Last accessed: 1 August 2018.
11. NHS Digital. Cyber security boost to the NHS as NHS Digital joins forces with IBM. 2018. Available at: https://digital.nhs.uk/services/data-security-centre/data-security-centre-latest-news/cyber-security-boost-to-the-nhs-as-nhs-digital-joins-forces-with-ibm. Last accessed: 1 August 2018.
12. NHS England. Cyber security. Available at: https://www.england.nhs.uk/digitaltechnology/info-revolution/health-and-care-data/cyber/. Last accessed: 1 August 2018.
13. NHS. What is CareCERT? Available at: https://www.igt.hscic.gov.uk/CyberWhatIs.aspx. Last accessed: 1 August 2018.
14. Smart W. Lessons learned review of the WannaCry Ransomware Cyber Attack. 2018. Available at: https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf. Last accessed: 1 August 2018.