The digitisation of the NHS is in full steam, with nearly 50% of all healthcare providers relying on digitised resources and cyber technologies. As a consequence, cyber-attacks are on the rise and cybersecurity has become a major concern for the NHS.
The NHS remains one of the UK’s largest public sector organisations, which means the impact of a successful cyber-attack can be enormous. Yet most sections of the NHS have been slow to transition, and this has left them exposed to cyber-attacks.
Successful cyber-attacks against the NHS are occurring with increasing frequency, which indicates how crucial it is that the NHS evolves its cyber resilience provisions. NHS leaders, and their third-party partners, need to anticipate and prepare for increasingly complex cyber-attacks and mitigate against any potential breaches. And this is only possible with a comprehensive understanding of their unique cyber risk profile and a tailored cyber security package. A one-size-fits-all solution is insufficient.
There is a general acceptance that cyber risk can never be fully mitigated, and structural weaknesses will always exist. So, it is essential to have the right strategy to deal with the fallout of a potential cyber-attack where leaders can respond to the organisation’s unique needs.
A cyber resilience profile is vital across many businesses, of course, but it has particular resonance in relation to the NHS, and its digital stores of over 40 million citizens’ personal information. This represents an extremely attractive target for cyber-criminals. A single structural weakness in the NHS’s cyber resilience can have implications for other parts of the NHS and its partner organisations.
In July this year, ransomware group BlackCat claimed responsibility for an attack stealing over seven terabytes of personal data from the NHS Barts Health Trust, which services over 2.5 million patients. And only a month earlier, an unknown cybercriminal successfully stole over 1 million patients’ NHS numbers, addresses and trauma records from the University of Manchester.
These incidents are demonstrative of the rising complexity of cyber-attacks, with sensitive data vulnerable to theft through subtle access points in the public sector, such as universities.
As the NHS has come to rely on cyber technologies, it has exposed itself to new potential risks. Yet there is often a lack of awareness of that vulnerability.
For instance, Armis Security, a US-based cyber security firm surveyed 150 NHS trusts in England and found that cyber security software on equipment such as security cameras was generally outdated, with one in six devices on the network being completely unmonitored. Shrewd cybercriminals are able to use these as entry points to access the central cyber network and cause operational and financial damage.
Such an example demonstrates how cybercriminals are finding increasingly complex methods of attack – and just how comprehensive the NHS’s cyber risk profile needs to be to thwart them. Clearly, it is vital to identify potential entry points before they are breached and prioritise resource allocation based on the severity and likelihood of attacks.
A strong cyber resilience strategy should integrate values such as risk acceptance, mitigation, and risk transfer (insurance) to ensure the NHS can respond to an attack without impacting its ability to deliver value. Planning for an incident is an essential part of a bespoke cyber resilience package. NHS leaders need to have a cyber resilience plan that is prepared for an attack on its most crucial networks. It must also identify how these attacks might occur in advance.
As the NHS continues to adopt new technology, the opportunities grow for cybercriminals to take advantage, which means the need for cyber resilience becomes ever more important.
Ultimately, the NHS needs a cyber security plan that is constantly evolving and proactive. To manage cyber risk, it is essential for the NHS to be able to quantify its value at risk in order to correctly prioritise critical assets and implement the appropriate countermeasures.
Decision makers would do well to be proactive with their cyber resilience strategy before it’s too late.
Si West is director of customer engagement and cyber advisory lead at Resilience