Budget black holes, an aging population, overcrowded A&Es, bed shortages and changing public expectations – some of the issues currently facing the NHS in one of the most challenging periods in its existence. Unfortunately, news for the UK healthcare sector didn't improve in 2017 following the January publication of the quarterly review from the Information Commissioner Office (ICO) for the period July to September 2016, which revealed that healthcare is now facing the most cyber-attacks since records began.
The latest from the ICO - healthcare cyber-attacks are rising
Since the ICO started keeping records in 2015 more than 1330 data security incidents have been reported by the health sector. During Q3 2016 (July to September), the NHS and other UK health providers disclosed the second highest number of data security events on record (239). Furthermore, UK healthcare organisations experienced nearly four times as many attacks as any other sector (local government 62, business 56, education 40) during the same period. But, what are the ramifications of these data breaches?
You just need to look at recent cyber-attacks on the NHS to see that the implications of compromised or lost data and/or system downtime can be vast. While clinical risk and the impact on patient care is undeniably the most critical factor, there could also be significant financial repercussions, negative effects on staff morale, confidence and, ultimately, retention, and lastly, reputational risk to a hospital.
The attack on North Lincolnshire & Goole NHS Trust in November 2016 is one such case. Following a malware infection, the hospitals infrastructure was down for four days resulting in the postponement of 2,800 non-urgent appointments and operations, as well as delays within accident and emergency departments across the region. Furthermore, just last month it was reported that Barts Health NHS Trust, the largest NHS Trust in England, had been hit by a Trojan malware infection that could affect thousands of files across at least four London hospitals. Barts has since confirmed that patient data was not compromised in the attack, but that it had taken a number of drives offline as a precaution.
The seriousness of this worrying trend is not lost on the government. Back in February 2016, Health Secretary, Jeremy Hunt, earmarked £1 billion of the £4.2 billion allocated to health IT to go towards improving cyber-security in the NHS – validating a real and present threat to healthcare organisations.
What can healthcare organisations do to limit their vulnerability?
First and foremost, healthcare providers need to change their thinking. Data protection is an on-going concern that requires a continuous process; it's not simply a product you buy.
One of the most effective actions healthcare organisations can take is to replace out-of-date software and retire obsolete legacy applications. Hospitals operate hundreds of applications in the background for the preservation of historical data or for legal/compliance reasons, but these legacy systems are fraught with security loopholes and running them carries significant risks. The industry must prioritise the retirement of unsafe legacy applications and out-of-date servers and operating systems, if they hope to tackle cyber-crime.
Attacks will happen, but what can you do to recover?
Unfortunately, even with the best protection in place, cyber-attacks will continue to happen. What is crucial is that healthcare organisations recover quickly with as little impact on patient care as possible. A well-designed and, crucially, well-tested backup and disaster recovery plan is critical to surviving a security or ransomware attack.
In the specific case of ransomware attempts, disaster recovery is an essential part of any cyber-security policy. Trusts must ensure that they have a robust data backup - whether via secondary datacentres, cloud, tape, or a combination – and, more importantly, a robust recovery strategy for both physical and virtual machine environments to ensure that patient data remains available and accessible to clinicians regardless of the nature of the breach.
Cyber-attacks on healthcare will only increase – act now
We anticipate that healthcare organisations will see increasing threats from ransomware and phishing attacks and there's a reason for this - with high-profile cases of other hospitals around the world having paid ransoms in the past, healthcare is now seen as a ripe target. Much like any other sector, the NHS and other UK healthcare organisations need to make sure they have measures in place to close security loopholes as well as robust data recovery strategies for when an attack is successful – the stakes are too high not to in a National Health Service already feeling the strain.
Contributed by Chris Welch, product manager, RAPid, BridgeHead Software