Bad actors present an “advanced persistent threat” to the security of healthcare data in this country, the Health Leaders’ Summit 2023 at Barberstown Castle heard yesterday (23 February).
Healthcare settings face the biggest challenges because of the sensitivity and availability of their data, and their use of some equipment that is run on outdated software.
Healthcare was seen as an easy touch, said Tony McKeown (Bons Secours Health System), and the sector now needed strategies purely focused on cyber-crime and its new threats and initiatives.
The cost of cyber-insurance renewal was now eye-watering, which was an inhibitor of business, the conference heard.
While the HSE attack was an eye-opener, the anxiousness levels of insurers rose in turn, McKeown said.
Insurance costs had risen exponentially and “demands from insurers are sometimes unreachable, no matter how hard you try,” he added.
Maintaining the confidentiality, integrity and availability of all information assets needed continuous staff education, innovation, and responsiveness, particularly in an era of remote work and ‘elastic perimeters’, the conference heard.
McKeown said that his organisation had put in place a security-incident and event-management system, which monitored all servers and databases, continuously looking for suspicious patterns
Every person working in healthcare was a privileged user with access to sensitive data at all times, he added, and this meant that continuous user education was required about protection of patient information (POPi).
In a recent one-year period, staff in the organisation reported 48,730 suspicious emails, of which 7,116 were actual cyber-attack phishing events.
The response has been a zero-trust mindset.
Trust no one
“Trust no one, not even yourself,” McKeown advised. He also urged elimination of all unnecessary shared access to data that was no longer wanted or needed, which he called “rot”.
“Rot exaggerates the impact of ransomware,” he added.
Cyber-crime was worth US $1.6 trillion each year, and exceeded the value of illegal narcotics, the conference heard.
Ronan Murphy of Smartech 247, which in December floated on London's Alternative Investment Market (AIM), said that chief information officers faced constant waves of pressure.
What reached the news about ransomware was simply the tip of the iceberg, he said.
“There are literally hundreds of attacks happening every single day,” Murphy stated.
“Putin has taken the gloves off, he has told his trolls to go gangbusters, to hit Europe everywhere, and in every industry, as hard as they possibly can,” he said.
“Be under no illusion, we are now at war, full-blown war,” he stated, and the hacking of software would be an element in the conflict.
Technology sprawl
Murphy said that there was a huge skills shortage in cyber-security, and a huge amount of technology and engineering needed, which added more risk, and was called ‘technology sprawl’.
The escalating volume of attacks adds to the precarious situation.
He described Russian attacks as blunt-force trauma, while China specialised in advanced persistent threats.
Staff could not solve these problems, and organisational controls were necessary, though artificial intelligence might provide some solutions, he said.
Staff transience
Mike McCann (chief information officer, Blackrock Health) said that the transience of healthcare workers was a challenge in establishing awareness of the challenges and dangers of cyber-attacks.
“AI is how to start to solve that, and bridge the gap,” he said.
Business continuity plans had been tested for the eventuality of an attack, McCann explained.
Med-tech innovations must be tested rigorously to keep control of what software was introduced to a hospital, he said. Security and trust must be embedded in the launch of new ideas, he added.
A robot had done 42 full knee replacements in Blackrock Health over the past year, he said, with CT scans stored in the cloud.
HSE chief information security officer Puneet Kukreja said that an “assumed breach” mentality would focus on the response plan.
However, healthcare breaches could lead to loss of life, he warned.
“If ransomware is a threat in 2024, and it’s been there for ten years, then we must be doing something wrong, or they are doing something right,” he said.
The “burning platform” of the HSE hack woke up the nation to the fact that we now lived in a hyper-connected world.
“Layered security absolutely sometimes causes complacency and confusion,” he said.
Attack vectors
Four key attack vectors were phishing attacks, compromised credentials, ‘zero-day’ vulnerabilities, and poor third-party cyber-hygiene.
End users need continual training, particularly in an era of remote work and elastic networks, where patient records may be accessed in home offices.
What really mattered was that critical services were not denied, and that there was protection against extortion, he said.