For a recent HTN Now panel discussion, HTN was joined by experts from the cyber security, privacy and governance field to discuss the most significant cyber security threats currently facing health and social care organisations, how organisations can prioritise their resources to address emerging threats, the outlook for the next 5-10 years, and more.
Making up our panel were Michael Abtar, CEO of IG Smart, and Dr Saif Abed, cybersecurity expert and d
Michael shared his experience as CEO and founder of IG Smart, saying, “we’ve been running about 15 years now, but prior to working in this space I was a lawyer. My first client was an NHS organisation, and we’ve since worked with NHS England, NHSX, the DHSC, and we led the legal and information governance workstreams for the development of the national contact tracing application. As well as data privacy and cyber security we cover clinical systems safety.”
“I’m formerly an NHS doctor,” said Saif, “and I’m now a partner at the AbedGraham Group, which focuses on cybersecurity and compliance for technology companies of all sizes and also government agencies, which is where my particular focus is. I’m an expert advisor to the European Commission, I’ve worked previously with the British Government, and WHO commissioned me to develop an analysis on the impact of ransomeware on public health during COVID-19.”
Key highlights
- Michael and Saif noted the need for increased oversight and monitoring of the whole supply chain, with Saif also noting the imperativeness of putting in place mechanisms to enforce compliance. “Be part of the response,” Saif urged, “when things go wrong, it’s how you address them so that the risk to patient safety is minimised”.
- Getting buy-in at C-suite level and ensuring that training is in place to secure the human element of those on the frontline of health and care delivery is integral, Michael shared, with Saif agreeing that “it’s about getting into the culture of the organisation”.
- Looking at the short-term, Michael suggested measures such as independent audit and gap analysis to look at policy, procedure, processes, governance, penetration testing, and vulnerability scanning, which can be adopted as “part of the continuous improvement journey”.
- Michael pointed to “an over-reliance on the fact that a supplier is a big global brand”, with millions invested in their security, saying, “a system is only as secure as the way it’s configured… healthcare organisations choose suppliers that do meet minimum requirements and then feel as though the job is done, but the configuration is still important”.
- Saif noted that whilst “often there’s intelligence about a planned attack 40-50 days in advance, there’s no clear mechanism when it comes to approaching suppliers with that information and putting things in place to address that ahead of time”.
- As healthcare organisations move increasingly toward virtual care, seeing patients submitting data from outside of the hospital and utilising a variety of different tools to collect and manage that data, Saif said it’s important to “get that acceptance that the threat landscape is increasing”.
- The financial aspect is a concern, Saif told us, and “it’s how we make sure the government is allocating sufficient resources that can trickle down where they need to trickle down to manage this threat. This is effectively a national security issue, it’s a public health issue – we need a Health Select Committee, and when things happen we need a public enquiry.”
- What’s needed is a mindset shift, Michael shared, “and understanding that we need to prioritise cyber security as a fundamental component of healthcare delivery. It’s not something that is a back-end function that needs to be supported by some people in a basement; it’s now part of frontline care delivery.”
The current threat landscape for health and social care organisations
Talking about the current outlook as far as cyber security for health and social care organisations, Saif noted his “relatively privileged position” working alongside private sector intelligence agencies providing Tier 1 intelligence to agencies like Europol.
As part of that, Saif continued, “I get briefed on the current activities of ransomeware gangs and APT groups, and I’m seeing an evolution in their sophistication and their maturity”. These groups actively target healthcare, according to Saif, “but more importantly, they’re targeting the supply chain, which is not just third party healthcare providers or lab service providers, it’s your network infrastructure providers, it’s cybersecurity companies, as well as your health IT companies”.
Agreeing with this point around the supply chain, Michael added concerns about IoT and internet-connected devices, “which are now in all care settings from the home to pharmacies and acute settings”. This has led to geographic and organisational boundaries becoming “increasingly blurred”, with increased multidisciplinary ways of working and different levels of understanding of cybersecurity risk.
“Now patients themselves are interacting with clinicians using their devices, from home or from different settings, and there’s that broadening of the landscape in terms of risk and awareness levels,” Michael said.
On how healthcare providers can prioritise their resources and tackle some of these challenges, Saif talked about a “big part of the solution” being improving the nature of the contracts and contractual clauses that exist with suppliers in the NHS, “holding suppliers to account and setting standards”.
There’s the potential, Saif went on, “for suppliers not just to sell technology, but to be part of the response – when things go wrong, it’s how you address them so that the risk to patient safety is minimised”.
“I would agree from a due diligence perspective,” Michael said, “and ensuring these contractual provisions are in place as organisational control measures is fundamental. How that is audited and monitored in practice I think is sometimes ranging from very good to very bad, across different organisations, and I think there’s a slight danger if we rely on thinking we have a robust contract in place with a supplier, that that is the end – I think it’s very much the beginning of a journey.”
The majority of data breaches happen within the health and care space as a result of human error, Michael shared, “so building a robust human firewall through training and awareness as a first point of defence would be a great place to start, particularly when you have limited resources, because training can be low cost, or even free”.
Saif also acknowledged this point, saying, “clinicians are not trained or prepared in what to do when they lose access to their critical digital systems, and that’s when clinical risk happens. The human response is important from a patient safety perspective.”
Short term actions to enhance cybersecurity
“As far as I’m concerned, there isn’t a short term fix – you can’t just put a bandaid on cyber,” Saif shared, “because it’s a complex issue, and many of the steps Michael already touched upon, like training, but it’s also getting into the culture of the organisation, getting top-level buy-in.”
Whilst there might not be a short term fix, Michael said, “there are short term measures which can be adopted as part of that continuous improvement journey, like the independent audit and gap analysis, which is critical, to look at policy, procedure, process and governance, but then a technical aspect through penetration testing, vulnerability scanning, and so on.”
Once those are identified, Michael continued, “it’s then working to address those high and medium risks, both from a technical and a human standpoint. There is no such thing as 100 percent secure – it’s showing you’ve gone through a robust process to look at what the reasonably foreseeable risks are and that you’ve put appropriate controls in place.”
Saif pointed to challenges around working with public sector organisations, saying that “very often, the stakeholders bringing you in to do the audit haven’t necessarily had the engagement from the C-suite – we need to get security managers with line of sight at the board level, so when they come and present the analysis that’s been done they can bring to the table the findings and the business case for rectification.”
If a number of critical risks have been identified, Saif continued, “we need to be looking at those today, not in the next financial year, so at least for NHS organisations, if these audits can be initiated from the top level we have a better chance of getting a faster response.”
Michael suggested that one of the “levers” that can be used toward this is GDPR and the duty of the data protection officer to report to the highest management level, “so in terms of reporting a risk which relates to the security of data, there’s a legal duty to have that line of reporting”.
The role of suppliers and ensuring standards for health organisations
Speaking to the need for a stronger regulator and more clarity around what is expected from suppliers, Saif said, “we need to make it clear that if suppliers wilfully choose not to comply with standards, there needs to be a stick, because lives are on the line”. He also talked about the upcoming Cybersecurity and Resilience Bill and his hopes that this can help in this regard, particularly around holding suppliers responsible for upholding standards.
On the other hand, Saif continued, “we need to highlight those who are doing it well, make procurement easier for them, so it is a worthwhile trade-off.”
Michael agreed with this, saying that sometimes there’s an “over-reliance on the fact that a supplier is a big global brand”, who may have invested millions in their security. “A system is only as secure as the way it’s configured,” he went on, “and what I see a lot of the time, particularly in the cloud space, is healthcare organisations choosing suppliers that do meet minimum requirements and then feeling as though the job is done, but the configuration is still important”.
Saif noted that whilst “often there’s intelligence about a planned attack 40-50 days in advance, there’s no clear mechanism when it comes to approaching suppliers with that information and putting things in place to address that ahead of time”. Having a mechanism in place to go about that in a proactive way would be “really important”, he added.
Getting those insights out of reports is also something to consider, Michael said, “as in the case of a healthcare organisation I worked with, who invested in getting a report done, which produced lots of meaningful information, but they then had to employ a team who could work with those reports and get that meaningful stuff out of them.”
Partnerships between academic institutions and the NHS could help with this, he continued, “as there is a gap between the cyber security demand and the availability of cyber security experts and specialists, and if we used those partnerships we could develop that talent pipeline. There are nuances in the healthcare sector that mean we need to develop NHS-specific programmes so we can have a future workforce that will be robust enough to meet that demand.”
Assessing maturity in healthcare organisations
Saif told us that from his experience, as the digital maturity of an organisation increases, cyber security maturity often does not keep pace, “and it’s that gap between digital maturity and cybersecurity that attackers take advantage of”.
Whilst HIMSS EMRAM or similar can be used in assessing digital maturity, for cyber security “it’s a bit more difficult”, he continued, “and in the past I’ve used NIST frameworks, but very often I do it in the most clinical way possible”, which is going in and saying, “OK you’re HIMSS Level 7, let’s shut everything down in a simulation tabletop exercise and see what happens next, and if everything falls apart and nobody knows what to do, you’ve answered your cyber security question in about five minutes”.
It’s about “what is our ability to deal with risk today, in a worst case scenario”, Saif considers.
“It’s the level of conscious awareness,” Michael agreed, “not only with your C-suite, but also those delivering on the frontline. There’s also something called the Common Vulnerability Scoring System for cyber, so technical security risks, and when conducting penetration tests or vulnerability scans there are different approaches you can take, but the most common is to look at what the main security threats are and how they’re impacting your systems.”
Developing a model that fits your organisation is integral, Michael went on, “and that’s where I think having subject matter experts to guide and advise you is key, because things like ISO27001 will look very different for a start-up compared to an acute trust, for example”.
“Research from the HHS in the US showed the most common route in to cause a ransomware attack against a hospital during COVID was a VPN,” Saif shared, “so as much as we like to talk about the exciting technologies like IoT, I’m not seeing ransomeware gangs getting excited about hacking CT scanners as a way into the hospital. They’re looking for the really weak, misconfigured infrastructure.”
Asked by one of our live audience about the potential of a threat from AI, Saif considered that “the most potent use of AI at the moment is the use of it to craft these fantastic phishing emails – in terms of being part of that tool bag, it is being used, undoubtedly”.
Ensuring patient privacy with new technologies and increasingly complex IT infrastructure
Given the emergence of new technologies such as machine learning and AI, Michael noted that there are a number of key considerations to maintain patient privacy, such as transparency, accountability, bias and fairness – whether the training data being used is representative of the health and care population.
“In order for patients to give informed consent, they also have to have access to that level of information,” he added, “and ensuring the segmentation and encryption of that data is key to ensuring the privacy aspect, so clinicians who need to identify the individual patient can see that data at an individual level, but researchers completing a longitudinal study can have access to data in a pseudonymised form.”
As healthcare organisations move increasingly toward virtual care, seeing patients submitting data from outside of the hospital and utilising a variety of different tools to collect and manage that data, Saif said it’s important to “get that acceptance that the threat landscape is increasing”.
The first step in managing that increased risk is “whenever you add something to that landscape, you need to have the right contracts in place, and that understanding across all parties involved, as well as relationships whereby you can monitor what is going on locally, regionally and nationally. We need to join this whole fabric together a lot more in order to properly understand the risk profile.”
Having mechanisms in place for regular audits of risk, compliance and incident reports is important, Saif told us, “whilst at a technical level, there are many things to consider – multi-factor authentication, role-based access, the configuration of cloud instances – a huge number of things that can be done technically to give you increased resilience, but for me there’s a much greater focus on that regular auditing and the collaboration aspect. That’s much more important in managing a complex environment.”
Michael agreed with Saif, adding, “all of that technical work around multi-factor authentication, role-based access, and so on is essentially forming a zero-trust architecture, whereby data is encrypted and accessed on a needs only basis with real-time monitoring.”
Endpoint detection and response is also key, Michael said, “as endpoints could be a wearable watch, or a pacemaker, or an iPad, so it’s so broad we need to have those detection and response mechanisms in place.”
Looking ahead
On the future of cybersecurity for health and care, Michael and Saif considered what kind of risks and developments might be on the horizon over the next 5-10 years.
“It’s not as much to do with the next 5-10 years as it is to do with money,” Saif told us, “as public sector organisations are resource-constrained, and it’s how we make sure the government is allocating sufficient resources that can trickle down where they need to manage this threat. This is effectively a national security issue, it’s a public health issue – we need a Health Select Committee, and when things happen we need a public enquiry.”
If we don’t give this the attention and resources it needs, Saif went on, “it’s putting the smallest of bandaids on a huge problem”.
Michael agreed with this sentiment around the lack of resources available for cyber security in health and care, saying that “there’s a realisation now of just how detrimental to the UK healthcare system a ransomeware attack could be, and the increased attack surface we’ve touched upon with new remote ways of working, medical devices and so on, means we need to make sure investment is made, and targeted to where those attacks are likely to come in.”
Once attackers have access to the NHS’s “spine”, Michael continued, “it then opens up the different ports through which those threat vectors can access national infrastructure and critical patient data, so ensuring that protections are extended across the supply chain is going to become increasingly critical.”
What’s needed is a mindset shift, he concluded, “and understanding that we need to prioritise cyber security as a fundamental component of healthcare delivery. It’s not something that is a back-end function that needs to be supported by some people in a basement; it’s now part of frontline care delivery.”