Healthcare was one of the three most attacked industries in 2022, with the average cost of a breach exceeding $10 million. Alongside the onslaught of COVID-19 and a series of economic difficulties, the latest barrage of cyberattacks is leaving the healthcare sector facing one of its biggest challenges in decades.
Concerning issues continue to face an already struggling global healthcare industry.
The challenges are grimmer for the UK’s health and social care sector, as the NHS faces one of its biggest funding crises and overwhelming service demand in recent history. Amidst these critical issues, the potential threat of increasing cyberattacks can cripple the entire sector. In response to such concerns, the UK government has released a new cybersecurity strategy to safeguard the NHS and social care against this growing rate of cyberattacks. But while the strategy is a welcome step in the right direction, it lacks the substance and detail seen in other national directives.
Understanding the Government’s new cybersecurity strategy
With cyberattacks an inevitable reality of this digital era, healthcare providers must be able to withstand and quickly recover from any security incident to keep their services functional. This is defined as cyber resilience.
The new strategy acknowledges that with over a million patients accessing important healthcare services every day, enhancing cyber resilience is the only way to ensure that such vital services are always available and accessible to the wider communities.
While the latest cybersecurity strategy is definitely a step in the right direction, there are notable omissions and limitations that I would hope to see addressed in the more detailed plan expected this summer. The increasing adoption of cyber-physical systems and dependency on digital services means that successful healthcare attacks can, and already are, significantly disrupting patient care facilities. So, it’s critical that we see timely and actionable targets to bolster cyber resilience across the industry.
Positive elements of the new cybersecurity strategy
One of the positive aspects of this new strategy is its very foundation. The strategy is based on five distinct pillars that identify the drawbacks of the current cybersecurity approach. The strategy also outlines a wide range of cumulative efforts to transform the sector’s outdated security infrastructure. These pillars include: focusing on the greatest risks, defending as one, people and culture, building security for the future, and emphasising effective recovery and response.
The inclusion of people and culture as a fundamental pillar of the strategy is significantly commendable. The government wants healthcare organisations to recognise cybersecurity as a team effort. It emphasises that organisations have to develop a cyber workforce where all members have the basic cyber skillset and knowledge required to ensure shared responsibility.
This is a very important step, as a large part of healthcare workforces today still lack basic security awareness. In fact, research from last year showed that 24% of healthcare workers do not receive any security awareness training at their workplace.
Another positive aspect is that the strategy recognises ransomware and supply chain attacks as some of the most prominent threats in the sector and engages businesses to develop a better understanding of these threats. This is a crucial step because ransomware alone cost the sector over $92 billion globally last year. The strategy also urges organisations to consider supply chain vulnerabilities as a critical threat when developing or optimising their security infrastructure. Going forward, this consideration can bring effective visibility across the combined IT, OT (Operational Technology), and IoMT (Internet of Medical Things) environments.
Does it go far enough?
The new cybersecurity strategy sets up a good foundation for building resilience and aims to achieve resiliency across health and social care by 2030 – a timeline that aligns with the broader national cybersecurity strategy. However, this is perhaps too long-sighted and unrealistic given the industry’s dynamic nature. Healthcare and medical tech are evolving rapidly, as are the threats facing them. It’s highly likely that the threat landscape will look very different from what it does today.
The strategy does outline the critical challenges of ransomware, but it doesn’t mention any specific technology, solution, or security practice that organisations must leverage to proactively address these challenges. Most importantly, it doesn’t mention Zero Trust at all – a proactive security model that is fundamental to achieving cyber resilience and mitigating ransomware threats.
Based on the principle of “never trust, always verify”, a Zero Trust security model assumes that all access attempts are potential threats.
Its importance is already well-established and widely recognised across industries. Last year, the US government released a mandate for federal agencies to adopt Zero Trust by the end of 2024. So, it is rather surprising that the new NHS cybersecurity strategy does not emphasise or even mention Zero Trust as a part of its agenda.
The new strategy also does not outline any measures related to securing cyber-physical systems, most notably IoT and IoMT networks This is surprising because IoMT has increasingly become a common part of modern healthcare technology in the last few years as the sector rapidly adopts Industry 4.0 type connectivity. This has led to the proliferation of remote diagnostics, cloud-based end-to-end digital patient care systems, and interconnected medical devices. These systems are potentially the most desired targets for ransomware attacks, as compromising them can allow threat actors to disrupt critical services and patient care facilities.
However, it’s important to acknowledge that the government will announce an implementation plan based on the new strategy in the coming months. This plan will set out specific activities for the next 2-3 years. So, it will be interesting to see whether the government addresses some of the discussed limitations and omissions in the upcoming implementation plan.
How can the government improve on this new cyber strategy?
While the government’s 2030 vision is commendable, it’s important that interim and short-term milestones are set throughout this seven-year timeline.
Cyberattacks on healthcare surged by 38% last year, and it looks like the sector will be even more vulnerable this year. The sector needs an immediate push towards cyber resilience, which cannot be achieved with such an extended deadline. Regulators must also plan for more urgent actions within a 6-24 month timescale, similar to those we saw recently announced for critical national infrastructure.
Also, there should be a clear indication of which security measures and practices healthcare organisations must adopt. Undoubtedly, Zero Trust should be encouraged and mandated just like the US federal initiative, as well as a clear focus on breach containment strategies to mitigate risk and reduce the impact of attacks. For instance, the all of its pipeline operators implement network segmentation, attack surface monitoring, and regular patching to achieve cyber resilience. The NHS should also follow in similar footsteps.
Overall, the new cybersecurity strategy lays down a good foundation for protecting the NHS and social care. However, I hope to see the full implementation plan include some of the more urgent measures needed to boost cyber resilience in healthcare. Ultimately, compromising patient services in the face of a cyberattack puts lives at risk, so we need to quickly get to a point where healthcare providers have the confidence that an attack won’t disrupt patient care.
Trevor Dearing, Director of Critical Infrastructure Solutions at Illumio.
