Zscaler Blog


Cyber-attacks in the healthcare sector are patient safety risks with real business impact

MIKE CULSHAW
April 22, 2025 - 4 min read

Over the past 12 months there have been numerous cyber-related attacks on the NHS, and they are always reported as an IT issue. While factually true, a cyber-attack has the potential to be so much more dangerous than an isolated IT issue. In the worst case, it could result in patient safety incidents caused by technology itself.

While that may seem extreme, allow me to explain the thinking behind that statement. If an incident happens at work where technology stops working as expected, it may stop normal day-to-day operations for a couple of hours at most, with minimal impact on employees. This is certainly not the case for cyber-attacks, as history has shown that in most cases it takes months to restore standard operations. A failure of this magnitude in the healthcare sector impacts more than just employees and operations: it has a wide-ranging impact on patients.

Wide-ranging ramifications of a cyber attack

To understand the threat of a cyber-attack on an NHS institution, you must map out all the ways that it could impact the organization. The most obvious and immediate damage will be to the productivity of staff across the board. Already stretched IT teams will be on the front lines trying to deal with the immediate result of such an attack. In order to mitigate as much damage as possible, they would need to get support from other trusts and wider Public Sector IT teams to secure defenses and prevent the attack from reaching further public organizations. While the IT team fights the fires, corporate and clinical staff will be unable to conduct their jobs to full capacity, limiting their productivity immeasurably. From a clinical point of view, the damage could be deadly. Already problematic waiting times will get worse as clinicians will be unable to access test results and patient notes, which will result in appointments and operations being cancelled.

Alongside the immediate impact, there is the long-term damage to the Trust’s reputation that needs to be considered. No Trust wants to be the lead story on the 10 o’clock news, and no one wants to expose patient data to criminal gangs. This can lead to fines from the Information Commissioner’s Office (ICO) due to GDPR breaches and the potential loss of contracts. Alongside fines, Trusts will have to factor in unplanned spend to fix the issue, which will have a severe impact on budgets that are already under severe pressure.

Overconfidence in Traditional Security 

So now we know the ramifications of a cyber-attack, the next question should be how do they occur and, more importantly, how do we stop them? Many NHS trusts in the UK rely on traditional cybersecurity infrastructures to combat bad actors. Firewalls, VPNs and flat networks are still the norm for most NHS institutions, which means they rely on the concept of preventing attackers from breaching their outer layer of security. The easiest metaphor for this technique is to imagine the organization’s network as a castle, with the walls and moat as the cybersecurity architecture. Everything inside the castle walls is perceived to be safe and everything outside is a danger.

While that technique worked well in the past, the current shift to working from anywhere and applications being based in the cloud means that company data is no longer safe behind the castle walls. Defenders of the castle are struggling to manage all the disparate entities outside their borders. Older technologies, such as VPNs and firewalls, have been proven to increase a company’s attack surface and eventually allow bad actors to breach the walls and have free rein to move laterally within the network, stealing whatever data they deem appropriate. To get in front of this new wave of attacks, IT teams must reduce the attack surface by implementing new security architectures that are built with the concept of Zero Trust as the standard.

The Zero Trust Revolution 

Zero Trust is a security model that assumes no user, device, or system should be trusted by default, even if they are inside the network. It requires strict verification of identity and permissions before granting access based on policies, ensuring users only get the minimum access to applications needed to complete their tasks. This least-privileged access approach minimizes the attack surface and helps prevent unauthorized access, lateral movement, and data breaches.

The move to a zero trust way of working with a cloud security platform like the Zscaler Zero Trust Exchange allows IT teams in the healthcare sector to do more with fewer resources by enabling cross-functional working between the security and infrastructure teams. It also delivers a more secure environment for the medical teams to operate in, based on the following five principles to prevent cyber attacks:

  1. Zero Trust Security: Verifies users and devices, giving minimum access to reduce risks.
  2. Threat Protection: Blocks malware, phishing, ransomware, and zero-day attacks using AI and real-time tools.
  3. Data Safeguards: Prevents sensitive data leaks and insider threats.
  4. Secure Remote Access: Protects users and apps without needing vulnerable VPNs.
  5. Smart AI-based Monitoring: Tracks activity, detects threats instantly, and helps respond fast.

NHS organisations that want to test how their current defenses might fare in today’s threat landscape can do so here: https://www.testmydefenses.com/.

 
