Technology and data are critical to providing effective care to patients, but as healthcare systems become increasingly digitized, organizations find it difficult to protect their medical devices, services, networks, and the information located on them from cyber attacks. In England, and on an international scale, there have been several cyber incidents that have disrupted patient care, leading to safety risks and significant financial losses. With an estimated daily 950,00 general practice appointments, 45,000 major accident and emergency (A&E) department attendances, and 137,000 imaging event records — according to the UK Department of Health and Social Care — the potential impact a cyber attack could have on this sector, both directly and indirectly, is huge. That’s why the UK government has established a cybersecurity strategy for reducing cybersecurity risk, protecting patient, service user, and staff data, and implementing measures to ensure swift recovery from cyber incidents if they do occur.
What is the NHS Cybersecurity Strategy?
The UK government has set-out to protect the National Health Service (NHS) from attacks by providing a plan to promote cyber resilience across the healthcare sector by 2030. This strategy has defined five key ways to build cyber resilience and to protect the health functions and services that the nation depends on. Achieving national health security requires that organizations are prepared for, protected from, and resilient in the face of attacks with consequences to patient safety and medical device effectiveness. Here are the five strategic objectives organizations should follow in order to effectively prepare for, respond to, and recover from healthcare emergencies:
identifying the areas of the sector where disruption would cause the greatest harm to patients, such as through sensitive information being leaked or critical services being unable to function.
uniting the sector so it can take advantage of its scale and benefit from national resources and expertise, enabling faster responses and minimizing disruption.
building on the current culture to ensure leaders are engaged and the cyber workforce is grown and recognized, and relevant cyber basics training is offered to the general workforce
embedding security into the framework of emerging technology to better protect it against cyber threat
supporting every health and care organization to minimize the impact and recovery time of a cyber incident
As we know, technology is transforming the way patients access healthcare services and information. According to the UK Government, over 40 million people are in possession of NHS logins, helping them book appointments, track referrals, and order medications online. Similarly, over 50% of social care providers use a digital social care record, which helps staff share vital patient information. As these devices and systems are being improved, it is critical that healthcare organizations have the tools they need to implement the NHS cybersecurity strategy. Next, we’ll dive into the factors that led to the development of this strategy, and how it is intended to address both current and future challenges.
3 Factors Driving NHS Cybersecurity Implementation
In recent years, cyberattacks to healthcare systems and hospitals have increased dramatically, comprising patient health information (PHI), disrupting patient care, and in some cases, causing direct harm to patients. There are several challenges in the industry that have caused this increase in attacks and led to creation of the NHS cybersecurity strategy. Here are three factors that we’ve found to be the greatest threats to healthcare organizations:
1. Growing reliance on digital technology
New digital data and technology has transformed the healthcare sector. The use of artificial intelligence to accurately diagnose complex conditions, connected devices for accurate remote monitoring and drug dosages, robotic surgery for more precise procedures, and improved communications have immensely supported more effective patient care.
However, as healthcare organisations rely more heavily on these newer technologies, and devices become further interconnected, the risk of cyber incidents has also significantly increased. NHS organisations also tend to rely on legacy technologies that have outdated software and operating systems, and may no longer receive regular security updates and patches. This creates security vulnerabilities, allowing cybercriminals to exploit known vulnerabilities to gain unauthorized access to the devices and systems.
These two factors have become significant drivers in the creation of the NHS cybersecurity strategy because they understood that technology is not safe for patients unless it is secure. As new technologies are developed, and the NHS continues to use unsupported or end-of-life systems, healthcare providers require minimum standards for security. By implementing NHS cybersecurity risk management strategies and a strong incident response and recovery plan, organizations can mitigate risk associated with reliance on technology, and ensure the continuity and safety of their health services.
2. High-profile cyber attacks
The 2017 global ransomware attack, WannaCry, affected more than eighty NHS trusts and disrupted services, displaying their vulnerabilities and inadequate ability to respond to attacks. The attack affected one-hundred-fifty countries and devastated the NHS by blocking key systems. This blockage prevented staff from accessing patient data and critical services, leading to thousands of appointment and surgery cancellations, and in some cases, care diversions to other hospitals.
The wreckage of this attack brought cybersecurity to the forefront of the NHS’ attention and highlighted the need for better healthcare cybersecurity practices. Shaping much of the NHS cybersecurity strategy, WannaCry led to an increase in cybersecurity investment, and displayed the importance of allocating resources to enhance cybersecurity infrastructure, implement stronger security measures and improve incident response capabilities. It also led to an increased focus on patch management and updates, creating a process to ensure critical patches are deployed promptly to protect against known vulnerabilities.
3. Evolving regulatory requirements
In the healthcare industry, regulatory requirements are complex and frequently evolving. Many organizations have faced challenges when it comes to keeping up with regulations and understanding specific requirements. One regulation that has had a significant impact on the NHS cybersecurity strategy is the General Data Protection Regulation (GDPR). This regulation has introduced stringent data protection requirements for organizations that handle personal data. Implementing regulations like GDPR can require significant resources, including financial investment, skilled personnel, and technology infrastructure, which healthcare organizations typically lack.
Meeting regulatory requirements requires enterprise-wide buy-in, and without resources and proper training and awareness, healthcare organisations will find they are unable to properly protect themselves from threats. The NHS cybersecurity strategy has attempted to meet this challenge by guiding organizations in the implementation of robust security measures and controls to protect personal data. They have also recognized the importance of training and awareness programs to promote a culture of cybersecurity. Their comprehensive framework is essential for organisations to implement in order to ensure compliance with GDPR and other industry requirements.
The oversight and governance of cybersecurity and risk needs to be streamlined and simplified for organizations to properly protect their internet of medical things (IoMT) ecosystem from increasingly sophisticated and widespread attacks. The NHS cybersecurity strategy provides a strong foundation for originations to safeguard themselves from cyber threats, but it can be difficult to know where to begin in the implementation process. That’s where Claroty comes in. We provide NHS organizations with the tools they need to streamline compliance, boost efficiency, and protect their cyber-physical systems (CPS), all while enhancing cyber and operational resilience.
How to Ensure NHS Organizations are Protected
The health and wellbeing of the people in the United Kingdom rely on the NHS. But, in order to provide quality care to patients, and ensure cyber and operational resilience, organizations must overcome the cybersecurity challenges plaguing the healthcare industry. Claroty can help NHS organizations tackle these challenges by:
1. Streamlining DSPT compliance
The Data Security and Protection Toolkit (DSPT) is an online self-assessment tool that enables organizations to measure and publish their performance against the National Data Guardian’s 10 data security standards. Organizations are required to use this toolkit to provide assurance that they are practicing good data and security and that personal information is handled correctly. Claroty simplifies compliance through our healthcare cybersecurity platform, Medigate. Medigate delivers the IoT and IoMT device discovery, vulnerability management, network protection, and other controls and capabilities that enable the NHS to meet nearly all DSPT requirements via a single, easy-to-use solution.
2. Lowering costs & boosting efficiency
As we’ve mentioned, NHS organizations tend to rely on legacy devices which introduce various challenges and vulnerabilities. Many organizations continue to use these end-of-life systems as medical devices are increasingly expensive to purchase and maintain. Claroty reduces these costs by granting insight into where and how efficiently existing devices are used, their current lifespan, and how to safely extend that lifespan. These insights enable NHS organizations to better allocate their hospital resources, defer or avoid replacement purchases, and even negotiate lower maintenance fees.
3. Keeping CareCERT front & center
The NHS Digital Care Computing Emergency Response Team (CareCERT) program provides proactive advice and guidance regarding digital threats and cybersecurity best practices to NHS organizations. Claroty recognizes the need to ensure this information is accessible and actionable, so we have integrated and centralized CareCERT alerts within our platform as a curated source of threat intelligence. As a result, NHS customers can easily view and utilize this guidance in the context of their own unique environments.
4. Driving the full cybersecurity journey
The journey to achieving cyber and operational resilience is not an easy one. But, Claroty helps NHS organizations support use cases across the entire healthcare cybersecurity maturity journey — including device discovery, vulnerability management, network protection, threat detection, device management, and lifecycle management. We also give NHS organizations the flexibility, scalability, and expertise needed to carry out this journey according to their own unique needs, preferences, and priorities.
The NHS provides functions and services that citizens depend on, and is home to a wealth of confidential patient data, including medical records, PHI, and financial details. If the devices and networks patients depend on are breached, they may cause more damage than significant financial loss. Without a comprehensive cybersecurity strategy in place, attacks to NHS organizations could cause disruptions to patient care or even safety risks. Lucikly, Claroty helps NHS organizations to strengthen visibility, protection, compliance and ROI for all IoT, IoMT, and other connected devices that are critical to care delivery.
