Everything a CCIO needs to know about Cyber Security
The risk of a cyber-attack in healthcare has grown dramatically over the past 20 years, with many incidents, such as WannaCry and Log4j, affecting the NHS directly. As a result, the question is now when, not whether, a cyber-attack will happen to you.
Are cyber-attacks growing?
Since the introduction of Electronic Patient Records (EPR), the risk and severity of cyber-attacks has increased. Although EPRs improve transparency and patient care, they have the downside of increasing digital exposure and reliance on digital processes.
Cyber-attacks on healthcare organisations can come in a variety of guises. For example:
- A direct cyber-attack on a specific NHS Trust, such as removing connectivity to a network or system. This may be done using malware, such as ransomware.
- A cyber-attack that spreads across multiple organisations preventing access to devices that become infected with malware.
- A cyber-attack on a product supplier, impacting multiple systems across multiple organisations that may include health, social care or both.
- A cyber-attack against systems to steal data for the purpose of extorting funds.
- Cyber-attacks that hijack business processes to redirect funds from valid financial transactions into attackers’ accounts.
Cyber-attacks can have a huge impact
As cyber-attacks are a risk and not a certainty, it can be easy to deprioritise them in favour of more immediate pressures. These might include an infection outbreak or needing to spend money on a new medical device.
However, if you’re thinking that, you should consider the question, ‘what happens if all our Health IT suddenly becomes unavailable?’
- Will you know which patients are due to attend for appointments?
- Will you be able to admit or discharge patients and see their previous clinical records?
- Will reporting be available to show operational pressures?
- Will there be visibility of your hospital beds and who is in them to manage patient flow?
- Will you be able to access diagnostic tools for critical healthcare interventions?
If digital workflows become unavailable, this impacts every process – from clinical work to finance, with a major impact on patient safety. Being vigilant and aware of the threat posed by poor cyber security, and keeping systems safe, is everybody’s responsibility.
Why do attacks happen?
But why do people carry out cyber-attacks, and why attack your healthcare organisation? There are several possible reasons, with the most common being financial, or a desire to disrupt systems and core services.
The most common motivation for attackers is gaining wealth at your expense; by stealing your data, holding your systems to ransom, or hijacking your processes to divert funds. These attackers are often well-organised criminal groups with well-established ways of working, and they can act quickly.
Where funds are not the goal, the most likely motivation is disruption. Disruptive attacks can be undertaken by anyone interested in causing harm, including hacktivists or anti-governmental organisations. Hacktivists tend to be less well-organised and less impactful.
Cyber attacks – are you ready?
Someone will always press on a ‘dodgy link’ in an email, and we need to engage and train staff to prevent this. However, we also need to adequately fund and support robust infrastructure. It’s essential to consider clinical safety when implementing any process involving access to clinical information.
Key points that should be considered include:
- Are staff adequately trained to reduce the chances of a cyber-attack? Ongoing awareness activities are needed to keep everyone alert to the risks they face.
- Are staff ready to respond appropriately when a cyber-attack happens? The period where an incident is being managed is generally the worst time to try to devise new actions.
- Are all your products up to date with patching to prevent an attack?
- Is your desktop estate fit for purpose? There should always be a plan and a budget to replace devices. Ageing machines become extremely slow and, as well as frustrating staff, potentially create vulnerabilities.
- Can your software still receive new patches? Windows 7, for example, is no longer supported by Microsoft and can’t be patched if a vulnerability is found, which makes it easy for an attacker to get into your systems.
- Do you have the appropriate technologies to defend your organisation, such as firewalls, anti-virus and anti-malware products?
- Are Business Continuity Plans (BCP) in place and rigorously tested? Testing is vital to ensure your plans are functional and can support your organisation through periods of unavailability.
- Have full timescales been considered from recovery to business as usual (BAU)? Do your plans cover up to six months of unavailability? It has happened before and will happen again.
- Do your recovery plans account for data accumulating outside your digital platform? If you have six months of data collated on paper for an entire EPR system, how long will it take to repatriate into the system, and what administrative resource would that require? The sheer volume of data created in even one week of BCP means paper is not the solution. Options may include a failover data centre, a simple e-forms platform, or even the ability to revert to a backup.
- Have you assessed how vulnerable your organisation is to phishing attacks? Tools are available to audit the likelihood of a staff member clicking a link, for example by sending a deliberate test phishing email.
- Is your data backed up, and have you tested that the backups can be restored?
Taking things forward
As senior management, it’s never been more important to prevent cyber incidents and to know what actions to take if one occurs.
Whether you’re working to achieve CCIO status or an experienced CCIO already, you need to have the defence and resilience required to ensure the safety of data and – more importantly – the clinical safety of patients.
After all, in this ever-evolving digital world, patients still lie at the centre of everything we do.