As the digitisation of the health service picks up pace, experts are warning healthcare providers that cybersecurity is everyone’s responsibility.
Human error remains the primary contributor to cybersecurity breaches. A 2024 Cyber Readiness Report by the global business insurance company Hiscox found that 74 per cent of Irish organisations experienced an increase in cyberattacks in the previous year – the highest in Europe. Almost half of all organisations that came under cyberattack reported that an employee was the first point of entry. The three most common ways that criminals gain access to an organisation’s database are through stolen credentials, exploiting vulnerabilities, or phishing (where attackers deceive people into revealing sensitive information or installing malware).
Speaking at the Technology in Healthcare Summit on 20 February, Ms Eilish O’Connor from digital consultancy firm Viatel said: “Every person in the supply chain of healthcare services is potentially a vulnerability. People forget that. There’s a big focus on securing data at the HSE level, but everybody who accesses that data is potentially a target. So we all have a role to play to up our cyber resilience because you’re only as strong as your weakest link.”
Healthcare is a high-value target for cybercriminals. On the black market, protected health data is now 50 times more valuable than financial information. And there are several reasons for that, Ms O’Connor said.
“Healthcare usually features as the top or the second most targeted industry in the world for attacks because of the lack of technical knowledge, the lack of cyber resilience, and the focus mostly on delivering care.
“You’re in the business of delivering patient outcomes. That’s what your focus is on. You’re not necessarily a technology expert. You’re not a cybersecurity expert. We all know that budgets are constrained so if you have money to spend and on one hand you can spend it on improving the patient experience or adding more beds and on the other hand you can spend it on cyber resilience against something that may or may not happen. When you’re trying to make the case for those two things, I would suggest or expect that a lot of people will choose patient services because they don’t necessarily have the technology or security experience and they don’t necessarily understand the risk,” she explained. “And cyber criminals know this.”
She added that there are unique features of the healthcare workforce and infrastructure that add further risk. “For example, in a small business or even a medium-sized business, in general, staff turnover is relatively low. The number of vendors and suppliers that need access to your data is very low as well. So controlling access through things like identity access management is pretty straightforward and can be done quite easily.
There’s a big focus on securing data at the HSE level, but everybody who accesses that data is potentially a target
“However, in healthcare settings, this is much more complicated because you have all the tele-devices, you have tablets, mobiles, you have legacy PCs and so on that all need access. The number of vendors that are used in the delivery of healthcare and suppliers is also huge and sometimes they will also need access, not to mention things like medical devices. Agency staff are used quite extensively throughout the delivery of care services as well. And the staff turnover is very high so efficient onboarding and offboarding of identity is really, really challenging,” Ms O’Connor said.
“Every point of access to a patient’s data is a potential vulnerability so everyone needs to take their responsibility very seriously in order to really, truly build cyber resilience,” she said.
Leave a Reply
You must be logged in to post a comment.