UK: 3 security roadblocks to health sector transformation

This is a contributed piece by Ryan Orsi, Director of Product Management at WatchGuard Technologies

As the NHS rolls on towards a full, seven-day service, setbacks to transformative programmes, such as Tim Kelsey’s resignation, highlight the growing challenge presented by the maturity of today’s cyber threats.

Headlines this year have reflected not only the continued vulnerability of NHS systems, but also the determination of attackers to exploit any weakness they can find, even if only to use a hospital’s email server to send spam advertising illegal goods on the dark web.

Admittedly, the healthcare sector is a particularly enticing target for bad actors. It is widely assumed among attackers that public service websites, apps and data centres are far less well defended than their private sector equivalents. Those legacy protections now have to cover a growing digital estate with far more intricate security needs, as more and more pieces of equipment are connected to the internet.

Trying to tackle every possible vulnerability at once simply isn’t an option. To stand a hope of reducing the disparity between threats and protections in healthcare, IT professionals should prioritise the areas where significant technological efficiencies are being lost to the threat of a breach.

As a starting point, three of the greatest roadblocks to the transformation of healthcare processes are:

Employee-owned devices increasing attack surface

The arithmetic is simple: every additional entry point into a healthcare or affiliate network enlarges that organisation’s attack surface, so each employee-owned mobile device that joins the network adds to the chances of a security breach.

Mobile phones are also an increasingly popular target in their own right. A compromised phone not only gives up the personal information stored on it; once it joins the user’s hospital Wi-Fi it is already inside the perimeter, so malware on the phone can open a backdoor to internal systems without ever crossing the internet firewall that is supposed to block such traffic.

Unintended risks in the IoT

Before the IoT wave, medical equipment was not designed to sit on a network, so it was built with little, if any, cyber security protection. Many such devices run desktop or server operating systems such as Windows XP or older Unix/Linux releases with well-known, unpatched vulnerabilities. Far too often, the administration guides for these devices instruct IT personnel to leave default passwords in place in order to avoid breaching support contracts. As a result, and with the help of widely available search and hacking tools, it is easy for criminals to locate a particular model of medical device exposed to the internet, log in with its documented default credentials and use it as a foothold into the healthcare network.

Healthcare IoT devices can, in principle, be patched for known vulnerabilities just like personal computers and corporate servers, although in practice vendor support terms and regulatory approval often delay or prevent this, which makes additional layers of security and genuine defence in depth essential. At a minimum, medical devices should sit in their own network segment, and modern firewall packet-inspection services such as anti-malware and intrusion prevention should be layered onto the network edge and onto the boundary of that segment. These layers do more than block attacks outright: they slow an attacker down, and they generate security log data that brings suspicious activity to the attention of IT security administrators and gives them a window of time in which to react.
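As an added example, not taken from the article or from any vendor’s product, the following Python script applies two detections of the kind this passage alludes to, run over constructed firewall log lines: a device in the medical-device segment successfully connecting somewhere it should never talk to, and an outside host repeatedly being blocked while probing a device. It assumes a dedicated medical-device segment (10.20.5.0/24) whose only permitted outbound destinations are a PACS server on the DICOM port and an update proxy; the addresses, ports, log format and threshold are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed network layout: medical devices live in their own VLAN and may only
# initiate connections to the PACS server (DICOM, tcp/104) and an update proxy.
DEVICE_NET = ip_network("10.20.5.0/24")
ALLOWED_EGRESS = {("10.20.1.10", 104), ("10.20.1.11", 443)}
PROBE_THRESHOLD = 3  # blocked attempts from one source to one device before alerting

# Assumed log format (constructed, loosely syslog-like):
# <timestamp> fw <ALLOW|DENY> src=<ip> dst=<ip> dport=<port> proto=<proto>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: normal PACS traffic, a scan of one device from the
# internet, a malformed line, and an infusion pump talking to an IRC port.
SAMPLE_LOGS = """
2015-11-20T10:01:02 fw ALLOW src=10.20.5.14 dst=10.20.1.10 dport=104 proto=tcp
2015-11-20T10:01:07 fw ALLOW src=10.20.5.14 dst=10.20.1.11 dport=443 proto=tcp
2015-11-20T10:02:13 fw DENY src=198.51.100.23 dst=10.20.5.14 dport=23 proto=tcp
2015-11-20T10:02:14 fw DENY src=198.51.100.23 dst=10.20.5.14 dport=22 proto=tcp
2015-11-20T10:02:15 fw DENY src=198.51.100.23 dst=10.20.5.14 dport=3389 proto=tcp
2015-11-20T10:03:00 fw link state changed
2015-11-20T10:05:41 fw ALLOW src=10.20.5.22 dst=203.0.113.9 dport=6667 proto=tcp
2015-11-20T10:06:00 fw ALLOW src=10.20.5.14 dst=10.20.1.10 dport=104 proto=tcp
""".strip().splitlines()


def parse(line: str):
    """Return a dict of fields for a connection record, or None for other lines."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    event = match.groupdict()
    event["dport"] = int(event["dport"])
    return event


def analyse(lines):
    """Return human-readable alerts for the two conditions described above."""
    alerts = []
    blocked = defaultdict(Counter)  # device ip -> source ip -> DENY count
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        src, dst = ip_address(event["src"]), ip_address(event["dst"])

        # 1. A device successfully reaching anything outside its allow-list means
        #    the segment boundary has a gap, or the device is already compromised.
        if src in DEVICE_NET and event["action"] == "ALLOW" \
                and (event["dst"], event["dport"]) not in ALLOWED_EGRESS:
            alerts.append(
                f"unexpected egress from device {event['src']} to "
                f"{event['dst']}:{event['dport']} at {event['ts']}"
            )

        # 2. Count blocked inbound attempts against devices, per external source.
        if dst in DEVICE_NET and src not in DEVICE_NET and event["action"] == "DENY":
            blocked[event["dst"]][event["src"]] += 1

    for device, sources in blocked.items():
        for source, count in sources.items():
            if count >= PROBE_THRESHOLD:
                alerts.append(f"{count} blocked connection attempts to device {device} from {source}")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print("ALERT:", alert)
```

The point of the allow-list check is that it fires on permitted traffic, not denied traffic: a DENY means the firewall did its job, whereas an ALLOW to an unexpected destination is exactly the log entry that nobody reads until after the breach.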

The criminal value of health information

Many people enjoy the convenience of accessing their health data through cloud services or on their mobile phone with apps such as ‘Patients Know Best’.

Although this access is convenient and the applications feel similar to other services for video, gaming and social networking, people still need to be mindful of their security practices when accessing personal health information. Cyber criminals can reportedly make ten times more money on the black market selling medical records and the personally identifiable information (PII) in them than they can with credit card details.

Wherever a service offers it, we recommend enabling two-factor authentication. Even an attacker who has obtained your password then cannot log in without the second factor.
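As an added example, not part of the original article, here is the check a service performs on that second factor when it is a time-based one-time password (TOTP, RFC 6238), written in standard-library Python. The account, password and salt are constructed demo values, and the TOTP seed is the RFC 6238 reference key so the codes can be checked against the RFC’s published test vectors; a real service would store a per-user seed and password hash.

```python
import hashlib
import hmac
import struct

# Constructed demo account (assumption: a real service stores these per user).
# The seed is the RFC 6238 reference key so results match the RFC test vectors.
DEMO_TOTP_SEED = b"12345678901234567890"
DEMO_SALT = b"constructed-demo-salt"
DEMO_PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000)

STEP_SECONDS = 30      # RFC 6238 default time step
CLOCK_SKEW_STEPS = 1   # accept one step either side to tolerate clock drift


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(key, unix_time // STEP_SECONDS, digits)


def verify_totp(key: bytes, submitted: str, unix_time: int) -> bool:
    """Constant-time comparison against the current step and its neighbours."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - CLOCK_SKEW_STEPS, current + CLOCK_SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True
    return False


def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; a stolen password alone is not enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, DEMO_PASSWORD_HASH)
    code_ok = verify_totp(DEMO_TOTP_SEED, code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; the 8-digit code for it is 94287082
    print("authenticator app shows:", totp(DEMO_TOTP_SEED, now))
    print("password only        ->", authenticate("correct horse", "000000", now))
    print("password + code      ->", authenticate("correct horse", totp(DEMO_TOTP_SEED, now), now))
```

Two details matter in practice and are deliberately visible here: the code comparison is constant-time, and both factors are evaluated even when the password is wrong so that response timing does not reveal which factor failed. A production service would additionally remember the last accepted counter per user and refuse to accept the same code twice within the skew window.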

We cannot allow technology adoption in healthcare to outpace cyber security defences. Technology will continue to change, and as it does, security researchers, network security vendors and healthcare leaders will need to come together to find a balance between technology and security that effectively protects the healthcare industry.

