Due to the COVID-19 pandemic, telehealth usage has increased massively. But, at the same time, the healthcare industry has become a major target for cyber criminals. Here, Kieran Bamber, healthcare cyber expert at Tanium, looks at the challenges this creates and how they can be overcome.
Telehealth systems are now used more than ever, but they provide an avenue for cyber criminals to access data
The pandemic caused a surge in the use of healthcare technology and digital health solutions as health organisations looked for ways to deliver care safely.
And remote consultations became the go-to solution to overcome the barriers of accessing face-to-face care.
According to the Nuffield Trust, registrations to the NHS App increased by 111% at the start of the pandemic, and while usage of telehealth technologies has remained relatively stable since June 2020, remote consultations remain a popular option for many.
At the same time, the NHS has been prioritising the transition to Integrated Care Systems (ICSes) to centralise healthcare across public organisations and governing bodies to tackle population health challenges.
As part of the NHS’s Long-Term Plan, every region of England is now covered by one of the 42 ICSes.
Amid this transition, digital health solutions have provided an opportunity for care to be more tailored to the needs of patients and will remain a prominent driver of how healthcare is provided in the future.
But the rush to deploy these services at a mass scale has resulted in a set of overlooked cyber security and privacy challenges.
It is well known that healthcare can be slower to adopt digital solutions than other sectors and faces challenges managing the legacy technology that is in place.
This, combined with the fact that healthcare organisations and clinicians handle incredibly sensitive and high-value patient data, means that the industry has always been ripe for attack.
In 2021, 81% of UK healthcare organisations suffered a ransomware attack.
Due to the criticality of hospital networks, attackers know that many healthcare organisations will pay high ransoms because they simply cannot afford any network downtime that could ultimately result in life-and-death consequences.
Legacy systems and devices cause a different issue, with a huge number of global frontline healthcare providers still using medical equipment with a legacy OS, which can create security vulnerabilities.
The pandemic has only made healthcare an even bigger target.
Many healthcare organisations are still stretched thin as a result of a surge in patients — and IT and cyber security understandably took a back seat due to the additional focus that had to be placed on critical patient care.
Digital health and remote consultations add even more risk and complexity to the picture.
And, while organisations and care providers are quickly trying to formalise best practice, there’s a steep learning curve. In fact, 30% of telehealth providers admitted that some of their clinicians have had patient data compromised when conducting remote telehealth sessions.
As this process is playing out, attackers may very well see an opening to exploit potential weaknesses.
The Nuffield Trust has shown that 99% of GP practices have switched to using remote consultation platforms to triage patients before offering them an appointment to fit their particular needs. But the greatest challenge with remote consultation and digital health is that it decentralises the hospital network.
It was already a demanding move to secure a single, centralised hospital environment. But, with patients adopting remote consultation solutions across multiple devices, the hospital has moved to ‘the edge’ — and into people’s homes.
This distribution and dispersion makes it harder for healthcare IT teams as the attack surface is now much more expansive.
With new devices and applications being used across hospitals, the cloud, and now in homes, there are significantly more potential entry points for attackers.
What’s more, patients are also using their own smartphones, tablets, laptops, and routers to access hospital online resources and communicate with healthcare professionals.
This hardware is often unsecured, and hospitals lack the visibility and control needed to effectively manage and secure those devices.
Ultimately, securing digital health is not just a security and operations issue — to make it as secure as possible, it’s going to take an ecosystem of partnerships.
Healthcare clinicians – including health IT staff, but also chief executives and board members – must establish a single point of risk, control, and governance.
Part of the solution comes down to the basics, such as establishing visibility, ensuring good cyber hygiene, prioritising asset management, and having solid remediation plans for when issues arise. But, more importantly, we need to start pulling clinicians into this cyber security conversation so they can ensure they follow safe security practices and understand how they can unknowingly act as attack vectors.
Additionally, prioritising the development of the ICS NHS bodies will help to improve services. By using data and digital capabilities, they will be able to develop a plan to meet the health needs of the population within the area – allowing them to better understand local priorities, track delivery of plans, and drive continuous improvement in performance and outcomes.
Medical device manufacturers – Healthcare devices are implemented with Internet of Things technology – the network of physical objects embedded with technologies such as sensors and software to connect and exchange data with other devices – to improve patient outcomes.
Medical IoT devices, such as patient monitors or insulin pumps, are a huge part of healthcare technology. However, the persistent problem with IoT is that devices are often rushed to market so eager vendors can make a money grab, which has ramifications that we’ve seen time and time again.
Once an attacker can hack one IoT device, they can move laterally throughout a network, potentially gaining access to highly sensitive medical information.
This is why it’s so important healthcare clinicians vet the medical devices they purchase and IT teams monitor the devices for any suspicious movement.
Moving forward, there need to be greater requirements and regulations mandating that medical device manufacturers design their products with cyber security in mind.
Patients – There are small-but-impactful things that patients can do to make healthcare technology more secure, such as staying up to date on patching their devices, using multi-factor authentication, and educating themselves on cyber security hygiene.
However, it may be difficult to incentivise patients to do those things and take responsibility, so it is important to figure out a way to engage them in this conversation, whether that’s through providing insurance incentives, or just making the technology easier to use.
The transition to ICSes will result in a greater number of opportunities for technology suppliers to work with the public sector, allowing the NHS and local authorities to put smart digital and data foundations in place to connect health and care services.
This will completely transform healthcare to put the patients at the centre of care.
Overall, the pandemic highlighted the need for technology services and has reshaped healthcare in the last two years.
And, due to the benefits of healthcare technology, it is no surprise that it will remain a permanent fixture of our care system moving forward.
It has given staff the opportunity to work flexibly and remotely, and patients are more empowered to take control of their own care.
However, it is critical that we establish and plan best practices for cyber security in the healthcare industry now so that hospitals and patients can be protected moving forward.