The UK Centre for the Protection of National Infrastructure (CPNI) unsurprisingly names healthcare as one of the sectors critical to the functioning of the UK, and this has proved pertinent during the recent coronavirus outbreak, where we have relied heavily on our healthcare heroes and key workers. Because of this prominence, the sector faces a range of cyber threats on a daily basis, and during the global pandemic its risk has increased. After all, it plays a significant role within society and hosts some of our most sensitive personal information, which must be protected. Data gathered within the healthcare system is subject to GDPR regulations, as is any personal data of EU citizens, and therefore requires the appropriate protections.
We often think of the healthcare sector as a single entity in the UK thanks to the NHS. Yet in reality, it is a complex set of organisations, each with independent IT systems and governance in place. From doctors’ surgeries to local hospitals and health boards, each hosts a variety of protected personal information and needs its own systems to handle it. Patient data of course has the potential to fall victim to criminal hackers, especially those looking to steal personal information to be sold. In April this year, some 450 World Health Organisation email addresses and passwords were leaked online, which also put those associated with the coronavirus response task force at risk.
Although on this occasion the information was out of date and therefore did not impact security, we must remember that whether organisations are targeted through ransomware, crypto mining malware or something else entirely, it has the potential to cause catastrophic issues within wider healthcare networks and services. This will become ever more problematic as technology becomes further ingrained in healthcare practices. For example, any biomedical devices or systems which depend on the network may be compromised, affecting quality or efficiency of treatments, putting the safety of patients at risk.
This is why the NIS directive was initially introduced in August 2016, bringing cybersecurity into the limelight and encouraging EU member states to reconsider their critical networks. All member states were required to transpose the directive into their national laws by 9 May 2018 to ensure that they were appropriately equipped to handle risk. Under this regulation, the healthcare service was named as an Operator of Essential Services, placing a hefty responsibility on the sector to comply. Similarly, other countries across the world have introduced comparable structures for continued compliance. For example, in the US, the HIPAA Act obligates health organisations and insurance entities to protect their patient data against cyber security and other threats.
Yet, despite the implementation of these regulations, some organisations will be unsure of where to start when it comes to combatting these issues. Often, much of the protection needed can be offered through good, secure network design and continued assurance can be achieved through automated testing as offered by products such as Titania’s Nipper. Ultimately, this means undertaking configuration and vulnerability audits against appropriate cyber security standards, helping to ensure that basic cyber hygiene is implemented and maintained across the network. Performing this at scale and on a regular basis can help organisations to take a layered approach to cyber security, which is key to mitigating risk.
Titania Nipper helps to scale accurate auditing against a range of relevant healthcare risk management frameworks and security benchmarks. For example, by consuming the NIST National Vulnerability Database, Nipper assesses network firmware and software versions against the latest known vulnerabilities to identify where patching needs to take place to remediate the problem across the enterprise. Additionally, with the launch of Titania Nipper version 2.7.0 in May 2020, audits will be run against the latest security findings, ensuring network devices are protected against all publicly known vulnerabilities.
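The version-against-vulnerability-feed check described above can be illustrated with a small script. This is an added example, not Titania's or Nipper's code: the device inventory and the vulnerability feed are constructed inline, the CVE identifiers are placeholders (year 0000), and the feed entries borrow only the shape of NVD's CPE applicability fields (versionStartIncluding, versionStartExcluding, versionEndIncluding, versionEndExcluding) so that the range logic matches how real NVD records express affected versions.

```python
import re

# Constructed vulnerability feed. The IDs are placeholders, not real CVEs; the
# version-range keys mirror the applicability fields found in NVD CPE match data.
VULN_FEED = [
    {"id": "CVE-0000-0001", "product": "examplevendor:switch_os",
     "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.3"},
    {"id": "CVE-0000-0002", "product": "examplevendor:switch_os",
     "versionStartIncluding": "2.4.3", "versionEndIncluding": "2.5.1"},
    {"id": "CVE-0000-0003", "product": "examplevendor:firewall_fw",
     "versionEndExcluding": "9.1"},
]

# Constructed inventory, as an audit tool might collect it from device configs.
INVENTORY = [
    {"host": "ward-switch-01", "product": "examplevendor:switch_os", "version": "2.4.2"},
    {"host": "ward-switch-02", "product": "examplevendor:switch_os", "version": "2.5.1"},
    {"host": "edge-fw-01", "product": "examplevendor:firewall_fw", "version": "9.1"},
    {"host": "edge-fw-02", "product": "examplevendor:firewall_fw", "version": "8.4b"},
]


def version_key(version):
    """Turn '8.4b' or '15.2(4)M3' into a tuple that compares sensibly.

    Numeric tokens sort numerically (so 2.10 > 2.9); alphabetic tokens are
    tagged with 1 so they sort after a numeric token in the same position and
    never raise a TypeError when compared.
    """
    tokens = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower()) for t in tokens)


def version_matches(version, vuln):
    """True if `version` falls inside the affected range of one feed entry."""
    k = version_key(version)
    start_incl = vuln.get("versionStartIncluding")
    if start_incl and k < version_key(start_incl):
        return False
    start_excl = vuln.get("versionStartExcluding")
    if start_excl and k <= version_key(start_excl):
        return False
    end_incl = vuln.get("versionEndIncluding")
    if end_incl and k > version_key(end_incl):
        return False
    end_excl = vuln.get("versionEndExcluding")
    if end_excl and k >= version_key(end_excl):
        return False
    return True


def audit(inventory, feed):
    """Map each host to the feed entries whose product and version range it hits."""
    findings = {}
    for device in inventory:
        findings[device["host"]] = [
            v["id"] for v in feed
            if v["product"] == device["product"]
            and version_matches(device["version"], v)
        ]
    return findings


if __name__ == "__main__":
    for host, hits in audit(INVENTORY, VULN_FEED).items():
        status = ", ".join(hits) if hits else "no known vulnerabilities in feed"
        print(f"{host}: {status}")
```

Version-only matching is deliberately conservative: a vendor that backports a fix without changing the version string will still be flagged, so findings from this kind of check are candidates to confirm against the vendor advisory before patching is scheduled, and a device that reports no hits is only as clean as the feed is current.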
Quite simply, by having confidence that your networks are configured correctly and all known vulnerabilities have been mitigated, healthcare organisations can focus on more advanced threats to the data.
For more information, visit: https://www.titania.com/.
About the author – Keith Driver
An accomplished professional with over 30 years’ experience in technology and software engineering across the telecoms and security industries, Keith Driver joined Titania in early 2019 as chief technology officer.
A distinguished speaker at global conferences, Keith has worked across numerous sectors including commercial, defence and government. He prides himself on providing exceptional support to the clients he works alongside and the businesses he immerses himself within both as a thought-leader and board member.