Move fast, break things – just not confidentiality

Over the past two years digital adoption within healthcare has picked up pace, and more and more healthcare companies aspire to act like agile startups. However, along with progress, we are beginning to get a glimpse of the perils of adopting tech mantras like ‘move fast, break things’ in a sector better known for ‘proceed with caution’.

Adopting new technologies without the proper checks and balances has left healthcare organisations vulnerable to attack. There has been a marked increase in healthcare companies experiencing cybersecurity attacks, with a 30% increase in Europe by the first quarter of 2021. In the UK this translated to a staggering 81% of UK healthcare organisations reporting a ransomware attack in the last year, according to a survey of 100 cybersecurity managers in the health sector by Obrela Security Industries.

The study found that 38% of UK healthcare organisations had chosen to pay ransom demands. However, 44% revealed that their refusal to pay had resulted in lost healthcare data.

The impact of cyberattacks goes beyond the financial: almost two-thirds of respondents described cancelling in-person appointments because of an attack and, more concerning still, the same number believed such cyberattacks could lead to a loss of life.

However, when we think about data security breaches, we must not only think of external attackers, as the problems may be closer to home. Only weeks ago Kaspersky released the results of its research with global healthcare providers, which revealed that a staggering 30% have experienced cases where their employees compromised patients’ personal information during remote consultations.

The scale of the problem is hardly surprising given some of the activity we see reported. For example, 54% of global healthcare organisations report that their clinicians are using proprietary solutions such as WhatsApp, Facebook Messenger and Zoom to conduct remote consultations.

In a sector now hungry for even greater reserves of highly sensitive health data, what could we be doing more to protect patients?

Most healthcare organisations need to carefully review and update their cybersecurity policies. The policies should reflect current risk behaviours and include guidance on using external providers. Policies should go beyond being drafted and agreed, and be implemented with rigour.

Mitigate the impact

At times a cybersecurity breach can seem inevitable, so planning your response remains key to limiting its impact. Have your processes carefully and regularly drilled. Ensure that all key staff are trained and respond with scripted accuracy, and that this becomes as critical a part of your organisation’s culture as putting patients and clinical safety first.

Most security breaches unfold over a window of time: the slower your response, the greater the loss of data. A swift and well-orchestrated response minimises data loss, and patient care can continue to be delivered at safe, if interrupted, levels. This will often include getting backups of your electronic health records up and running quickly and prioritising urgent activity over routine appointments, which can be rescheduled.

Communicate with management

Executive management teams often focus on the fiscal impact of security breaches. Concerns around clinical downtime, reduced productivity and service disruption will often take precedence over reputational risk, as breaches seldom break cover.

It will come down to the cybersecurity managers within an organisation to take a fresh approach to engaging and educating their executive management. This often requires a change in language from vulnerabilities, alerts and threats to simple and well-understood terms like risk. Play out the ‘What if?’ scenarios: ‘What if your acute care services went offline for 12 hours? What if your chemotherapy or dialysis suites went down for a day?’ Then work back from there and offer options which don’t just plug holes, but demonstrate how you intend to change your organisation’s cybersecurity posture through well thought-out investment. One thing is for sure: you shouldn’t be lacking case studies.