Business Reporter

The future of healthcare security in the UK

Trevor Dearing at Illumio asks whether the new government strategy on healthcare security will be enough to keep the sector safe

 

The cyber-threat facing healthcare providers has increased drastically. Research indicates that healthcare is now one of the three industries most impacted by cyber-attacks, with the volume of attacks globally increasing by 38 percent in 2022 compared to the year before. 

 

In response, the UK government recently announced a new cyber-security strategy to improve resilience in the sector. However, while the initial strategy is a welcome step in the right direction, there are some notable omissions and key areas that I hope to see addressed when the full plan is published this summer.

 

A more flexible approach to changing technology and key models like Zero Trust will be essential for the strategy to have a real impact.  

 

A solid foundation against a severe threat  

A national effort to create a cohesive healthcare strategy is a positive step, and there are many positive factors in the initial outline.  

 

The five pillars that underpin the new strategy will provide a good foundation. In particular, it’s encouraging to see the inclusion of security culture and responsibility as key elements of the strategy, as these human aspects are often overlooked in favour of technology and processes.

 

Further, the strategy also focuses heavily on ransomware and supply chain threats, two of the biggest dangers to the sector.  

 

Disruptive attacks like ransomware are the threat actors’ weapon of choice against healthcare. Callous criminals are willing to threaten the provision of patient care, and potentially endanger lives, as a bargaining chip to gain a large ransom payout. Most healthcare providers must also manage complex IT environments with many Internet of Medical Things (IoMT) devices and a complex web of suppliers.

 

In March, one of Barcelona’s leading hospitals suffered a major ransomware attack that cancelled 150 non-urgent operations and over 3,000 patient check-ups. 

 

Another case in the UK highlighted the vulnerability of the extended healthcare supply chain and providers. An attack on the IT provider Advanced impacted several critical healthcare systems, including ambulance dispatches and NHS 111 calls.

 

Nevertheless, while the initial strategy is encouraging, there are shortcomings that will need to be addressed.  

 

The need for a more forward-looking approach  

The strategy’s timeline is one potential issue that needs to be accounted for. Meaningful, strategic change on this scale is a huge undertaking, so the far-reaching goal of 2030 is a sensible approach on paper.

 

That said, medical technology is currently developing at an astounding rate, and the field will likely look very different by the end of the decade. In this changeable environment, such a long-term deadline can be a risk, as threats and needs will change. It’s important that the full implementation plan includes more staggered time limits and plans, similar to what we saw in last year’s TSA directive in the US.

 

The strategy needs to focus on the next decade of technology, not the last, to be effective. This means moving away from older approaches like network access controls and firewalls and towards technology like micro-segmentation and Endpoint Detection and Response (EDR).  

 

While it is good that there is emphasis on protecting patient data, maintaining patient care should be the overriding priority. This means a strong focus on system resilience is essential.  

 

It’s also critical that we don’t look too far ahead and fail to protect against the most immediate current threats, such as ransomware. Research shows nearly half of healthcare professionals believe ransomware has impaired patient care, so we need to place more urgency on introducing breach containment strategies and technologies that can limit the impact of attacks and enable providers to keep critical systems running while under attack.

 

The absence of Zero Trust  

It’s also notable that the strategy includes no mention of Zero Trust. This contrasts sharply with other national approaches worldwide, such as the Biden Administration’s executive order mandating Zero Trust for governmental bodies.  

 

Zero Trust is a strategic approach built on a “never trust, always verify” model. No user or system is implicitly trusted with system access; each is instead continuously validated at each stage using a risk-based approach.

 

This is an increasingly important strategy for improving resilience and containing threat actors attempting to access and exploit IT infrastructure. Further, as it is a strategic model rather than a prescriptive set of technologies, it can be adapted as medical IT continues to evolve into 2030 and beyond.

 

Balancing budget and security  

Perhaps more than any other sector, it is essential that healthcare providers invest in cybersecurity strategies and solutions that can provide a high level of return on investment. While the new strategy provides a solid framework for strengthening resilience in the long term, when deciding where to invest now, healthcare providers should start with their biggest risks – ultimately the inability to deliver patient care.

 

Providers should prioritise investments in technologies that can build resilience while also accelerating transformation. Containment technologies like Zero Trust Segmentation can provide immediate security benefits through greater visibility and control over complex IT environments, while also reducing risk from a growing attack surface as new medical devices connect to the network.

 

Overall, the government’s strategy overview is a solid start in shoring up national healthcare security.

 

However, it’s important that action is taken sooner than 2030 to give the industry the best chance of defending against increasingly ruthless attackers. The framework will need to be flexible enough to accommodate changing IT and medical technology, as well as evolving threats, in the years to come.

 

At the same time, it must couple long-term goals with a more immediate focus on imminent threats like ransomware. Finally, without the inclusion of Zero Trust, the strategy will struggle to achieve meaningful cyber resilience.  

 


 

Trevor Dearing is Director of Critical Infrastructure at Illumio  

 
