The Coronavirus pandemic has caused chaos and uncertainty among us. However, one thing’s for certain – cybercriminals are targeting the healthcare sector at a higher rate than ever before. David Higgins, EMEA Technical Director, CyberArk, discusses the importance of building a resilient healthcare sector for the country’s future success.
Earlier this year, the Secretary of State for Health and Social Care announced that better technology is no longer a ‘nice to have’ for the NHS, but should be considered vital. His announcement came in January, prior to the pandemic, and has undoubtedly proven true since, although perhaps in ways none of us could have foreseen back then.
When Mr Hancock made the announcement, he made it clear that AI and Machine Learning will become a key priority in patient care from now on. While this progress will have a profound effect on the quality of our healthcare, it isn’t without a catch. The catch is that our increased reliance on technology is attracting more and more unwanted attention from cybercriminals.
Our most recent threat landscape report – a study reviewing the main cyberthreats the world faces today – discovered that healthcare organisations are being targeted at a higher rate than ever before. In fact, cyberattacks affected 50% of healthcare organisations within the three years preceding the study. It’s not only the theft of data that is accounting for this trend either. A recent cyberattack in Germany indirectly led to a death after a hospital’s computer systems were deactivated and a patient had to be redirected to another hospital for treatment. The UK’s National Cyber Security Centre has also identified a raised threat level across the healthcare sector since the start of the pandemic in March, serving as further evidence that healthcare is under increasing pressure from cybercriminals.
Out of all the healthcare organisations we studied in our recent report, almost one-in-five identified privileged users – accounts with access to sensitive data and assets – as the highest priority security threat. Prompt action must be taken and emphasis must be placed on protecting personal health information that is so often targeted.
Clouds gathering over healthcare
Healthcare organisations are prime targets for attacks because they possess a plethora of sensitive and potentially valuable information — much of it located in the cloud. Recently, the NHS announced its intent to create a nationalised approach for the digitisation of millions of GP records as part of the government’s ‘cloud first’ policy.
The transition to cloud in the healthcare sector has been extensive. Our data indicates that 43% of all healthcare organisations surveyed deploy or store patient data, including data subject to regulatory oversight, in the cloud. Nearly half (46%) are deploying or storing business-critical applications, including revenue-generating customer-facing applications, in the cloud. Furthermore, 45% of healthcare organisations are deploying critical business applications on Software-as-a-Service (SaaS) offerings – including customer-facing applications, Enterprise Resource Planning (ERP), customer relationship management (CRM) and financial management software.
As more and more functions are moved to cloud and hybrid cloud environments, the security risks only increase. To clarify, the use of the cloud is not problematic in and of itself; rather, some troubling cloud-related habits among the organisations adopting cloud-based strategies may be to blame. For example, 35% of healthcare organisations depend fully on their cloud provider’s built-in security to secure assets, despite not believing it is sufficient. Even more disturbing, a good number of healthcare organisations admit they didn’t notify their customers when their sensitive data had been compromised as a result of a cyberattack, and 37% said they would prefer to pay a penalty or fine for non-compliance with regulations instead of substantially changing their security strategy.
In fact, complying with data privacy regulations appears to be a major challenge for healthcare companies, with only 40% saying they were prepared for a potential General Data Protection Regulation (GDPR) breach investigation.
As healthcare organisations continue to embrace Digital Transformation, they need to modernise their security programmes to suit this new landscape.
Privileged access management shining through
Another key security concern for the healthcare industry is privileged access management. A large majority of organisations (86%) think IT infrastructure and critical data are not fully protected unless privileged accounts, credentials and secrets are secured. Yet 38% of healthcare organisations do not have a privileged access management strategy in place for cloud infrastructure and workloads, and 44% do not have a privileged access management strategy in place for business-critical applications – including customer-facing applications.
The oversight when it comes to privileged access management is likely due to a limited understanding in the healthcare sector of where privileged accounts, credentials and secrets can exist within an IT environment. Only 24% of organisations recognised that privileged accounts and credentials exist within containers and only 30% said they exist within continuous integration/continuous delivery (CI/CD) tools. That being said, more than one quarter (28%) of all planned security spending in the healthcare sector in the next couple of years will go towards preventing privilege escalation and/or lateral movement, according to the study.
Protecting the future of our health
The risk profile of an organisation is influenced by every single employee, application and technology it employs. So, as healthcare organisations such as the NHS look towards a fully-fledged Digital Transformation post-pandemic, IT and security teams must look to understand the impact these efforts have on the security of an organisation’s assets. Once the impact has been recognised and understood, practices can be adapted to suit necessary requirements.
To build a resilient healthcare sector for the country’s future success, critical adjustments to the current cybersecurity practices are imperative. This may require new talent, skillsets and tools, but they are nonetheless vital in protecting assets from advanced threats in the current landscape.
Updating tools and managing access to privileged accounts and credentials considerably reduces the moves available to a cybercriminal and constricts their path. In a sector with so much at stake, it is key that every piece of the cybersecurity puzzle is in place to completely secure a targeted network. All stops must be pulled out to maintain the critical functions of our most needed establishments.