Could cyber security be the next big healthcare emergency?

The coronavirus pandemic has led many people in healthcare to think differently about emergency resilience. But what will the next major emergency be?

Having recently completed his tenure as chief executive of University College London Hospitals NHS Foundation Trust, Professor Marcel Levi said earlier this year that it was an “illusion” to think organisations can “precisely prepare for what is coming our way”. He was speaking to veteran commentator Roy Lilley in March at an Institute of Health and Social Management meeting, in which the suggestion emerged that the next big disaster facing healthcare might even be global cyber-attack.

Growing cyber threats facing healthcare

Such concerns are apparently not unjustified. Many people will remember the impact of the 2017 WannaCry ransomware attack that infiltrated NHS systems throughout the country. And despite its impact, this attack was reportedly not specifically targeted at healthcare organisations.

According to cyber security expert Leif Nixon, attacks facing healthcare across the world are now on the rise. He remarked in an article this summer that in the US, for example, there has been a “steady stream of flash messages from the FBI, the Department of Homeland Security and other security organisations about increased threat levels against healthcare systems”.

In the UK too, threats continue to be taken seriously as vulnerabilities in systems continue to be identified. For example, NHS Digital continues to issue cyber-security alert notifications to health and care organisations, ranging from weekly threat bulletins to immediate high-severity alerts. At the time of writing this article, during 2021 alone some 230 alerts have been featured on a dedicated page on the organisation’s website. This includes six “high” severity alerts, the latest of which was issued in September 2021, and several of which describe work to resolve “critical vulnerabilities” in a number of well-known technology suppliers’ systems.

The 2020 annual review from UK’s National Cyber Security Centre (NCSC) also detailed the extent of some of the threats facing healthcare. Eleanor Fairford, the organisation’s deputy director for incident management is quoted in the document, stating that the NCSC “actively redirected our efforts to defend the health sector and because it was such a priority, it rose to our second most supported sector”. The centre said it had deployed experts to support NHS trusts through cyber incidents they had faced, and that around a quarter of incidents the organisation responded within a year were related to coronavirus.

A matter for leaders

The threat to healthcare organisations from increasingly sophisticated cyber adversaries is very real.

The security of patient information is one serious area of risk, with patients’ medical records containing highly sensitive personal information. But more than that, as Nixon points out in his analysis, healthcare organisations need to think about how to safeguard their systems from a range of threats. This might mean thinking about the security of administrative systems, medical devices, and even the systems that control the infrastructure of the hospital – such as power and lighting. With the potential to impact on operations and other aspects of healthcare provision, exploited cyber weaknesses could in some circumstances directly impact on patient care.

These are just some of the things that NHS leaders might consider as they prioritise cyber security. In fact, leaders of integrated care systems and other healthcare organisations in the NHS were issued with a new reminder in September to ensure that all digital projects and programmes are “cyber secure by design”. This was set out in the What Good Looks Like framework from tech unit NHSX. The framework, which advises leaders what they should do to support successful digital transformation, goes on to mention ‘cyber’ no fewer than 18 times throughout the document.

Could vendors help?

Even equipped with guidance and government support, the evolving threat might seem like an insurmountable challenge for many, especially for smaller organisations in healthcare that might have limited resource.

But those organisations are not alone. Since the WannaCry attack hit headlines four years ago, an appetite to accelerate cloud strategies has accelerated in the NHS and UK public sector more widely. This has been complemented by public cloud vendors bringing more offerings to the market and bandwidth becoming accessible at more manageable price points.

The significance of this is that moving some applications to the cloud could alleviate some or the burdens on pressured NHS IT and security teams. Technology providers can lend their expertise more easily in some instances and ensure that systems are patched without delay. Consistent deployment approaches achievable through the cloud for some solutions, could also help to avoid local mistakes and variation that could create vulnerability risks.

This does not remove responsibility from trusts entirely. Cloud deployments need to be correctly configured to be secure, with appropriate resilience put in place. And there are varying degrees of responsibilities that NHS organisations might choose to outsource through the cloud to vendors. But the benefits of removing complexity from on-premise solutions is appealing for many in the health service – with the added benefit of being able to draw on the often far more extensive security expertise and resource of large cloud providers.

Only a few years ago, placing a solution like a picture archiving and communication system (a platform used to examine crucial patient imaging) into the cloud, was a niche idea for trusts. Now, we are seeing the reverse, with cloud a key requirement in many major regional procurements.

Preventing supply chain weaknesses

Procurement in itself is an area where more and more NHS organisations are starting to pay even closer attention to cyber threats and resilience in the supply chain.

Diligent organisations in the NHS have long required that suppliers meet a range of necessary standards, whether that’s the ISO27001 international standard on how to manage information security, or meeting Cyber Essentials Plus tests, for example. If a vendor is certified in these kinds of areas, then confidence can be gained that the vendor is serious about cyber security. Companies meeting the requirements for these standards are usually known for making sure infrastructures are as secure as they possibly can be against outside influences, and that penetration testing is done to a required cadence.

But it is only more recently that some procurements are starting to ask similar questions of the wider supply chain of a prime contractor.

I have been stunned by the amount of vendors operating in the UK space that do not have the key standards.

This is something many responsible companies do routinely check of their own subcontractors. Sectra has an approved supplier process for example, in which we are not allowed to include vendors in our solutions that don’t meet minimum requirements. And if we find vendors are not compliant, they either address the requirement or are removed from the process. But the existence of some companies in other supply chains, suggests this may not be a consistent approach across all prime contractors.

It is welcome to see the NHS now asking these questions more routinely as part of the procurement process. When it comes to cyber security, you are only as strong as your weakest link. Where this is built into the process, the opportunity for assumption of checks being done is removed.

Diligence is key, but not a guarantee

Diligence at different levels of organisations from leadership down is a fundamental requirement. This article has covered only a small fraction of considerations in facilitating a cyber secure NHS. But there are no guarantees that any approach to cyber resilience will be successful, however well designed. Attackers can still find and exploit weaknesses, and in the case of healthcare the consequences for loss of data or loss of service can be severe for providers and for patients. Just as Professor Levi observes, it is not possible to prepare for every scenario. Organisations must have contingency plans for when things do go wrong.