Organisations across all sectors have never been more reliant on technology to conduct their day-to-day business and provide the products and services they offer. However, with increasing technological development and reliance comes a progression in the abilities of cyber criminals to conduct often devastating cyber-attacks. As such, it is imperative that organisations across all sectors implement effective and robust cyber security measures, and healthcare providers and suppliers are no exception to this.

Healthcare Providers and Suppliers as a Key Target for Cyber Attacks

In the last several years, there have been many high-profile cases of organisations which provide healthcare services being subject to cyber attacks, leading to significant data breaches and system failures. The 2017 ‘WannaCry’ attack, which cost the NHS £92 million and led to 19,000 cancelled patient appointments, is perhaps the most prolific of these, however there have been countless incidents in the years since which have also had devastating consequences. A May 2021 attack on the Health Service Executive (HSE), Ireland’s equivalent to the NHS, resulted in a loss of access to many patient records, disruption to services, cancelled appointments and even the disabling of some medical equipment. Meanwhile, in August 2022, the NHS’ 111 telephone advice service, as well as GP surgeries and some specialist mental health trusts, suffered a major ransomware attack, leading to significant disruption.

Why, then, are healthcare providers so frequently targeted by malicious actors? The answer to this lies with the potential value of stolen health data to cyber criminals. Compared to almost every other form of personally identifiable information (PII), personal health information is some of the most lucrative data to steal in terms of its black-market value. Some experts have even suggested that medical information can be worth 10 times more on the deep web than financial information, such as credit card details. 

Technological Vulnerability

Aside from the considerable financial gain hackers stand to make from stealing data processed by healthcare providers, the sector is often an easy target for hackers due to the widespread use of outdated systems. According to some estimates, around 30-50% of IT services in many NHS organisations are comprised of legacy systems, many of which were designed more than 20 years ago and haven’t been updated in a decade. Naturally, the capabilities of malicious actors who would see those systems compromised have advanced significantly since then, leaving many organisations vulnerable to attack.

Mitigating the Risk of Cyber Attacks with Cyber Essentials

Since the risk of cyber-attack for healthcare providers is so great, and the potential consequences so dire, it stands to reason that implementing effective cyber security measures should be of the greatest priority for these organsiations. To do so, one of the best places you can start is certification to or alignment with Cyber Essentials (CE), a government-backed cyber security scheme aimed at preventing 80% of the most common cyber threats.

The scheme focuses on the implementation of 5 key technical control areas – firewalls, secure configuration, access controls, malware protection, and patch management. The scheme offers two levels of certification; CE, which is assessed by a self-assessment questionnaire (SAQ), and Cyber Essentials Plus (CE+), which involves a technical audit of the systems that are in scope of the assessment, providing greater levels of assurance to stakeholders of your successful implementation of the controls. Certifications of both levels must be facilitated by an accredited certification body.

Organisations that have certified to CE or CE+ need to renew their certification on an annual basis. As a healthcare supplier or provider, this allows you to revisit your security controls every year to check that they are still operating as intended, and ensure that you continue to maintain security in your delivery of vital, often life-saving healthcare products and services to your clients and patients.

The technical controls that organsiations certifying to or conforming with CE need to implement are also highly applicable to healthcare providers. Access controls, for example, can help prevent unauthorised individuals, including individuals internal to your organisation, from accessing sensitive patient information unless necessary for the performance of their job role. Meanwhile, the patch management control requires you to apply software patches within 14 days of release when the vulnerability addressed is categorised as ‘high risk’ or ‘critical’, meaning the time available for attackers to exploit these vulnerabilities is reasonably limited.

Potential Challenges

We do, however, recognise that not all healthcare providers and suppliers are the same, and some organisations may struggle to implement the technical controls than others.  In some cases, compliance with the requirements of CE may require fundamental changes to your IT infrastructure, your organisation’s structure, or require some expenditure to redevelop a legacy application.  Particularly for organisations in the public sector, challenges may arise from budgetary constraints, aversion to the risk associated with changing systems that are currently functional, or having no structure that would allow for every new high risk or critical patch to be quickly and safely tested so that they can be deployed in the production environment within 14 days.  Meanwhile, dependence on legacy systems that would prevent you from achieving CE certification may be a necessity. 

However, there are options available that can help you achieve the security level provided by the CE scheme requirements (if not for all of your organisation, at least for part of it) while still being able to go on with close to business-as-usual operations.  For example, following analysis of your current situation, you may be able to scope a smaller subset of your organisation that has more flexibility to make changes and comply with the CE requirements.

Defining your scope may also be somewhat tricky if your organisation, like many in the healthcare sector, relies on a mix of systems.  While some systems may be owned and managed by your organisation, others may be third party systems that you use but have no ownership of, or systems that are managed on your behalf by third parties (e.g. managed service providers), but for which you are still responsible and would need to ensure the third party adopts the necessary security controls.  If you are unsure about what systems you are responsible for, it could be useful to liaise with the relevant third parties and service providers, as they may be able to provide some clarification.   

Closing Thoughts

While organisations across all sectors and industries should consider their cyber security posture and what they can do to strengthen it, healthcare providers and suppliers have arguably the greatest obligation to do so. With patients dependent on them for the continued provision of medical care and the protection of their personal medical information, healthcare providers have a significant responsibility to ensure that they are doing everything they can to prevent cyber-attacks.  While we recognise that not every healthcare provider will have the resources necessary to obtain CE certification, aligning your organisation’s cyber security practices with the CE technical controls as far as is feasible will allow you to take an initial and highly effective step on your cyber security journey, and help you maintain the security of important systems and records.

 By achieving Cyber Essentials certification, you can take an initial and highly effective step on your cyber security journey, helping to maintain the safeguarding of important systems and records.