29 November 2024
The growing cyber threat in the healthcare sector is changing the nature of the risks it faces and intensifying pressure throughout the healthcare ecosystem. Our cyber, transformation and counter-fraud experts offer guidance to help healthcare executives to reassess the key risks facing their organisations.
Escalating impact of cyberattacks
Recent cyberattacks against the NHS and third parties have had a huge impact, with a range of significant consequences. NHS England confirmed that nearly 83,000 medical records were stolen in a breach involving an IT provider in 2022. More recently, a ransomware group posted a trove of sensitive information as part of approximately 380 GB of stolen data. This has an immediate effect on the delivery of patient care, with nearly 2,000 day cases and inpatient treatments postponed, including cancer and transplant surgeries. Additionally, over 10,000 outpatient appointments were postponed, and it is estimated that the blood test schedule will take over three months to get back on track.
Cyberattacks have become a matter of national security, with nation-state-backed hacking syndicates reportedly behind the targeting of NHS providers. Their primary objectives included both financial gain and destabilisation.
Above all, cyber threats within health and care settings not only have a devastating operational and reputational impact, but they can also directly impact patients’ lives. Tragically, a cyberattack could mean a life-or-death outcome for affected patients.
As cyber criminals increasingly target the healthcare sector, the nature of risks impacting healthcare organisations is rapidly evolving. This means health executives must re-assess their risk exposure through the cyber lens.
Assessing risk through the cyber lens
At RSM, our risk advisory specialists work with healthcare organisations across the public and private sector, where we consistently see the following five principal risks at the top of our risk radar:
- Patient safety
- Workforce
- Finance and performance
- Digital and transformation
- Working with partnerships or third parties
Our experts examine each of these risks in light of the growing cyber threat and highlight key recommendations for healthcare executives to consider.
Patient safety
Cyberattacks have a very real impact on patient safety, with attacks resulting in the cancellation and postponement of crucial treatment. Furthermore, network-connected medical devices, which often run on vulnerable legacy software, are a key concern. Impacts range from devices being unavailable to deliver medication or to support procedures in the operating theatre, to the potential manipulation of devices, undermining the integrity of, and trust in, equipment that is crucial to delivering patient care and outcomes.
Healthcare providers store an enormous amount of sensitive patient information that, if stolen by threat actors, poses a very real risk to patients as they could become targets and victims of discrimination, extortion, fraud, identity theft and scams.
Healthcare organisations should ensure they have robust cyber security foundations in place through:
- Network security.
- Robust access management, including Multi-Factor Authentication.
- Endpoint controls across user workstations and server infrastructure.
- Protection of patient information and data security through encryption.
- Well-considered segmentation of devices and critical infrastructure.
- A robust software update regime.
- An ability to monitor technology environments for suspicious activity.
As part of procurement, organisations should ensure that medical devices comply with the principles of ‘secure by design’ and ‘secure by default’, along with an understanding of how these devices will be maintained by suppliers to keep pace with evolving threats.
Organisations should also adopt proactive cyber security methods, such as penetration testing, to validate control effectiveness. Testing should be aligned to relevant cyber threats and adopt common threat actor tactics, techniques and procedures (TTPs), applying a real-world cyberattack lens to identify areas of material exposure and to support effective prioritisation of control improvements and investment.
Workforce
As cyber criminals continue to target the sector, it’s essential to consider your level of risk exposure from both a cyber fraud and a cyber-enabled fraud perspective. Cyber fraud can be defined as cyber-dependent, in that it requires computers or other technology to take place. Cyber-enabled fraud, on the other hand, is not dependent on technology; however, technology has allowed the scale and potential impact of the fraud to be increased.
We have observed increasingly sophisticated types of cyber-related fraud risks across the healthcare setting. For example, patients can be targeted by fraudsters after their data has been sold on the dark web, or employees may have their salary diverted after clicking on a malicious link in an email.
Cyber-related fraud can have a long-term impact on victims. Emotional turmoil can contribute to stress, anxiety, and amplification of health issues. Incidents may also go unreported, contributing further to the suffering of victims, who may be too embarrassed to speak up.
Finance and performance
Finance teams can be approached by fraudsters posing as a genuine supplier and requesting that the supplier’s payment details be changed to their own.
It is important to remember that these types of attacks are sophisticated and often exploit vulnerabilities in processes or apply undue pressure to their targets.
Victims can include those directly impacted, as well as those who may have enabled fraud to take place by being duped into clicking on links or approving unsolicited requests.
Digital and transformation
We are seeing instances of cyber fraud and cyber-enabled fraud increasing exponentially, as there is growing reliance on digital technology and data across the whole of the healthcare value chain, to enhance patient care and improve operational efficiency.
To effectively reduce and manage cyber-related fraud risks, organisations should aim to align their cyber security and anti-fraud strategies, taking advantage of collaboration opportunities such as detection exercises and education and awareness campaigns. These should empower all stakeholders who could be targeted by fraudsters to understand the potential consequences of security breaches, their role in preventing them, and how they should report their concerns. Balancing risk mitigation against user concerns around functionality and practicality will require collaboration. It will take the combined effort of IT professionals, organisation leaders, healthcare professionals and clinicians to ensure the successful mitigation of cyber threats and the protection of patient data, creating the trust and secure environment necessary to realise the potential of digital transformation in healthcare.
Working with partnerships or third parties
The prevalence of third-party attacks is on the rise. This global trend was reported to account for at least 29% of all breaches in 2023, with healthcare emerging as one of the most heavily impacted sectors. Additionally, our cyber security special report published in Q1 2024 supports this, with 68% of respondents working with a third party having been victims of a cyberattack. Of those, 26% suffered direct financial, operational or reputational impacts as a result.
Healthcare settings have a significant dependency on technology, third-party services and supply chains to provide effective patient care. These services are often directly or inadvertently targeted by threat actors due to the aggregate value of a successful compromise. As a result, recent cyberattacks have shown that healthcare providers—and therefore patients—can suffer significant impacts regardless of whether they were the intended target or not.
NHS England relies on numerous strategic partnerships at a local and national level to deliver business and is supported by a number of national NHS and third-party organisations. While this is a sensible approach, healthcare providers need to consider these relationships as part of their cyber footprint and expanded threat landscape.
Organisations must focus on third-party and supply chain security to ensure that appropriate controls are in place relevant to the services being provided. Through partnerships, they must understand the risks associated with an expanded attack surface.
Given the vast number of third parties, suppliers and partners, organisations must take a pragmatic approach to identifying critical third parties by establishing criteria that include cyber risk.
This drives an appropriate approach to due diligence, regular assessments and monitoring of changes to those third parties’ threat and risk landscape.
How we can help
At RSM, we work with healthcare and life sciences organisations, providing hands-on practical experience and support across people and HR, IT and processes, data and finance, transactions, and business and operations.
This includes our technology and cyber risk assurance team who specialise in providing independent DSPT assessments and cyber penetration testing to healthcare organisations and NHS partners, including NHS trusts, ICBs, companies and IT suppliers.
In addition, our fraud risk services team advise organisations across the NHS and wider healthcare ecosystem.
To understand how these risks may affect your business, please contact Clive Makombera, Stuart Leach or Andrea Deegan.