Poor digital hygiene will lead to headaches for the healthcare sector
May 2019 by Harry Thompson Senior Account Executive
Research reveals that the healthcare sector is still not prioritising cybersecurity despite the disastrous ransomware attack on the NHS in 2017
According to a recent case study from Imperial College London, the NHS’s lack of security of preparedness and poorly defined responsibilities in the face of a cyber-attack leaves the health system at risk of major reputational and financial loss. Despite this, the attitude towards cyber hygiene within healthcare remains poor, with only 42% of healthcare IT leaders providing dedicate cybersecurity awareness training to their staff. This is according to Webroot’s ‘Size Does Matter’ report, which examines the challenges facing UK SMBs in the healthcare sector, in a time of rapid political, economic and social change.
Recently, healthcare records have become one of the most valuable commodities on the dark web, containing far more personal information than financial records. The information that attackers can glean from healthcare records provides a more comprehensive data set about an individual than can be found in financial data. Hackers can utilise this data to enhance the effectiveness of social engineering attacks involving the impersonation of friends and colleagues.
The reality of this situation has been highlighted by several high-profile cybersecurity breaches, most notably the infamous WannaCry incident that occurred two years ago this month. That attack saw ransomware encrypt data and files on almost a quarter of a million computers in 150 countries, crippling the NHS for almost a week.
If the healthcare sector is to protect itself against such attacks, it must first identify the vulnerabilities that can lead to a data breach, such as over-worked employees and a lack of education across the in-house departments.
Healthcare highlights from Webroot’s SMB research:
73% of IT leaders say that employees inadvertently create security risks through lack of knowledge or understanding
66% say profits would take a hit as a result of cybersecurity incidents
60% of IT leaders believe that they can do more to fully understand the right practices for their organisation
60% agree that if their organisation suffered a data breach/cyberattack, their business would be at risk of closure
In addition to the report, Webroot created a list of cybersecurity tips for healthcare SMBs, designed to reduce risk and protect sensitive data in an increasingly targeted sector:
Always educate. Security awareness training can’t be a simple tick-box activity for SMBs. It needs to be continual so cybersecurity stays top-of-mind and user error is minimised.
Take a layered approach. SMBs need to leverage both next-generation endpoint protection, network protection and user training to ensure they are covering the gaps that cybercriminals and hackers deploy to compromise businesses.
Know the signs. Phishing is a favourite technique among cyber attackers. Make sure employees can confidently identify signs of phishing by implementing security awareness training that incorporates phishing simulations, before it’s the real thing.
Assess your risk profile. Every business has different risk factors. If you don’t have the expertise, get an independent security audit or your MSP to help assess your security posture. Work to develop a plan for adequate ongoing risk mitigation. Look at your GDPR exposure and follow guidelines to ensure the appropriate mitigation criteria are met.
Plan for the worst. Create a data breach response plan that identifies specific security experts to call and a communications response plan to notify customers, staff and the public. Have a backup and recovery strategy.
As shown in the report, attacks on healthcare SMBs can disrupt an organisation to the point of bankruptcy. To avoid calamitous outcomes, protection must be put in place, both online and in the form of employee training to increase awareness of attacks such as phishing. This approach reduces the risk of a successful cyberattack, ultimately protecting valuable patient data.
This survey of 501 IT decision makers in companies with 1-500 employees was conducted by Censuswide in January 2019. This data has been pulled from the overall survey, Size Does Matter, to include only respondents self-identifying from the financial sector.