The UK government will offer hundreds of the country's vital healthcare firms government funding to boost their cyber security. The Digital Infrastructure Minister Matt Warman announced this yesterday, as part of London Tech Week.
The move comes after the National Cyber Security Centre (NCSC) identified a heightened cyber threat to the UK health sector in relation to the pandemic, with cyber crime groups attempting to steal sensitive intelligence, intellectual property and personal information from pharmaceutical companies and medical research organisations.
Here’s the reaction of security professionals:
Javvad Malik, security awareness advocate at KnowBe4:
This comes as very encouraging and much-needed news.
Globally, healthcare and pharmaceuticals are very sensitive industries, protecting patients' personal information as well as medication manufacturing and intellectual property. It's been of particular interest in recent months, as many organisations which have been researching COVID-19 vaccines have been targeted by state-backed criminals. The NCSC and the NHS released an advisory in July warning UK, US, and Canadian organisations of WellMail and WellMess, which are delivered through spearphishing campaigns against COVID-19 research and development organisations.
Spearphishing is a particularly effective tool used by criminals, and according to KnowBe4’s 2020 phishing benchmark report, healthcare and pharmaceuticals were among the most at-risk of falling for phishing attacks across small, medium, and large organisations.
In small organisations (under 250 employees), 44.7% were likely to fall for a phishing email. In medium organisations (250-999), 49.2% would click on a phishing email, and in large organisations (1,000+), 49.3%.
However, with a security awareness program, in just 90 days, these numbers dropped to 15.9%, 15.7%, and 17.5%.
After a year of continuous security awareness training, the percentage of staff likely to fall for a phishing email in healthcare and pharmaceuticals across small, medium, and large organisations fell even further to 4.3%, 3.9%, and 5.2% respectively.
It’s therefore vital that the healthcare industry, like other industries, invest in appropriate security controls, in particular against phishing, which includes technical controls, as well as security awareness training for employees. These attacks from foreign states and organised criminals show no signs of slowing down, and therefore it’s imperative that organisations take full advantage of the government scheme and invest it wisely in security controls.
PJ Norris, senior systems engineer at Tripwire:
To ensure patients' care and safety, healthcare organisations must ensure that their environment is duly protected against unauthorised changes and misconfigurations, which can make their environment susceptible to a cyber-attack. Given the increased cyber-attacks against healthcare organisations, it is simply no longer sufficient to be merely compliant with security frameworks. When retaining this kind of data, it is critical to choose an encryption solution that not only protects the database instances, but also provides protection for data in transit and at rest. This funding scheme will be extremely welcome, as protecting patients' data is part of the overall duty to patient care.
Given the size of the sector and the level of the threat, this is a nice idea but it is woefully under-funded.
Warren Poschman, senior solutions architect at Comforte AG:
It is fantastic to see the investments being made here, as the healthcare industry may be the most vulnerable of all industries to cyber-attacks. It's about the data healthcare operators have access to. The security challenge for healthcare operators is extremely difficult, especially when data is stored in different locations and accessed through various technologies. However, we may be seeing a shift in approaches from 'secure the technology' to 'secure the data', which will reduce the threat of data loss and exposure when (not if) a cyber-attack happens. While it is not always possible to prevent malicious access, sophisticated data protection is a must when processing and storing sensitive information, especially PII and healthcare records. These are core requirements of data privacy regulations like HIPAA and GDPR, and there might be fines coming up for this.