Cyber security challenges in healthcare and how to fix them

Data security and cyber resilience are top priorities for healthcare organisations
A reliance on legacy infrastructure and an increase in attack surfaces are revealing growing vulnerabilities
Getting the basics right in cyber security lays the foundations for innovative technologies

Healthcare’s attitude to cyber security has changed.

Since the WannaCry attack hit 80% of NHS Trusts in 2017, data security and cyber resilience are top priorities for many healthcare organisations.

Despite this, healthcare organisations have a long way to go to become genuinely cyber secure.

Increased attack surfaces, new remote working practices, and a reliance on legacy infrastructure are revealing growing vulnerabilities, and healthcare leaders often need help figuring out where to start when shoring up cyber defences.

We sat down with Vodafone specialists to get their expert opinion on the challenges providers face and how they can overcome them.

The cyber security challenges facing healthcare providers

Bigger attack surfaces cause bigger problems

Many cyber security challenges that healthcare organisations face involve dealing with larger attack surfaces, coming from remote working and new integrated care systems.

“The NHS transformed after COVID,” explains Yasmin Mansour, Vodafone's Health Programme Manager and previous NHS Transformation Manager. “We went from working almost entirely onsite, with strict security measures in hospitals to protect staff and patient data, to vastly increased remote working, including more remote consultations and home visits with nurses out in the community using smartphones and laptops in their work.

“The NHS, councils, the voluntary sector, and others are working together to bring care closer to home through the development of Integrated Care Systems.

“Joining up care leads to deliver better services based on local need. As the health system becomes more complex, cyber security is becoming increasingly important to enable large amounts of data to flow safely and securely.”

“What this means is that the attack surface has increased exponentially,” Emily Browne, Vodafone’s Pre-Sales Security Consultant, adds.

“The potential for a data breach therefore has also grown. It’s how we manage those risks and protect against those cyber-attacks that makes the difference.”

This issue in healthcare is indicative of a broader problem across all industries. A study by IBM found that 67% of organisations saw their attack surfaces expand in the past year.

Focus on innovation means basics can be forgotten

Much of this has led healthcare organisations to invest in innovation, but our experts feel getting the cyber security essentials right could be a better investment.

“Another big problem we’re finding in healthcare organisations is their IT infrastructure,” Emily tells us. “We’re very innovation focused at Vodafone, but healthcare organisations must first have foundational cyber security in place. Using outdated legacy systems and processes can delay their response to vulnerabilities.”

“In terms of legacy systems, so many providers still rely on outdated systems while putting money into new technologies,” Yasmin agrees. “When we talk about prioritising investment, healthcare organisations need to get their foundations right before building on them. Updating infrastructure comes before innovation.”

These basics become even more critical when you consider just how many attacks healthcare organisations face. In 2022, there was an average of 1,463 per week, up 74% compared to 2021.

“All the innovation in the world isn’t worth anything if, for example, a criminal can spot a password in a book and use it to gain access. Getting the essentials right first always pays off.”

Steve Knibbs

Vodafone Business Security Enhanced Director,

Vodafone UK

People are the largest weakness and the best defence for organisations

To fight back against this rising tide of cyberattacks and fraud, finance leaders need a mindset shift.

Security shouldn’t only be viewed as a bolt-on to protect front-end services. Business solutions throughout the organisation should be secure by design.

When strong security controls are seen as a way to protect core business stability and revenue, it’s much easier to see the value a dedicated partner can bring to the organisation.

“Many people don’t understand the full value of cyber security. This works in cyber criminals’ favour. They’re pinning their hopes on people being too busy to focus or too uncertain to act.”

Steve Knibbs

Vodafone Business Security Enhanced Director,

Vodafone UK

What providers can do

Compliance brings everyone together for better attack surface security

“When I worked in the NHS, we had compliance requirements, such as GDPR and data protection, already in place. However, the steep increase in decentralised healthcare provision, such as remote working and consultations, have made the fulfilment of these requirements much more complicated,” says Yasmin.

“I really think compliance is the main driver to push organisations and their supply chains to start taking cyber security seriously.

“That means getting everyone, both the people in your organisation and other multi-integrated care providers, on the same frameworks and strategies, so that there’s a unified approach to protecting the bigger attack surface,” Emily adds.

One framework to look at is GovAssure, the new cyber security strategy introduced by the government in 2023. Compared to previous cybersecurity frameworks for UK government bodies, the main change has been the adoption of the NCSC's Cyber Assessment Framework (CAF).

CAF provides a systematic and comprehensive approach to assessing the extent to which the organisation responsible manages cyber risks to essential functions. “Having everyone on a framework like GovAssure would make it easier to coordinate attacks and collaborate with different care partners,” continues Yasmin.

Getting the basics right sets the stage for innovation

On the issue of innovation-focused investment, Emily believes organisations must focus on the foundations.

“Foundational cyber security must be implemented before you think about investing in new technology. That means ensuring multi-factor authentication is practised across the organisation, updating legacy equipment and improving vulnerability management.”

“I’d also include things such as regular patch testing,” says Yasmin. “Updating and patching software is a basic thing that includes antivirus software, endpoint detection, and response systems, but these can easily get lost amongst everything already on healthcare providers’ plates.

“This is where healthcare providers need to start, and then they can build from there. Healthcare providers must prioritise the basics before it adds more innovation.”

Explain the impact of weak cyber resilience

If you want to improve staff engagement with cyber security, Yasmin believes the best way to do so is to explain what happens if you get it wrong.

“It’s about highlighting the impact: showing the consequences on organisations and data when you do not have robust cyber security systems in place.”

One of the most vivid ways to do so is by showing how a cyberattack can interrupt continuity of care. “Cyber criminals either don’t think or don’t care that losing patient data could cause actual, physical harm to patients whose pathway of care has been interrupted as a result. That’s why it’s worth explaining to your staff what cyber security really means.”

“You can do that as part of their training – which brings us back to getting the essentials right. Training is one of those essentials, especially if implemented alongside the NCSC Cyber Security Framework.”

Learn more about how we help healthcare organisations leaders combat cyber-attacks with our cyber security solutions.