The healthcare sector, defined broadly as healthcare providers, research organisations and pharmaceutical companies, is possibly the most critical of national infrastructures. That makes it a great target for criminal groups and state-sponsored hackers. Future innovations in healthcare that will safeguard our health, such as precision medicine and rapid vaccine development, are increasingly reliant on ever greater application of data analysis to sensitive personal data. Improved cyber resilience in the healthcare sector will be crucial as, ultimately, such analysis depends on patient consent for primary data analyses. This could severely limit the collaboration amongst industry participants required to improve health outcomes for us all.

 

In the firing line

The reasons hackers target healthcare organisations so aggressively are twofold. Firstly, unscrupulous ransomware gangs know that the more time-critical the systems they attack, the greater the pressure on victims to pay up faster. No healthcare provider wants lives at risk due to system outages. Secondly, the level of personal detail in healthcare records also makes them more valuable than most other datasets. Indeed, ISTARI’s analysis, conducted in conjunction with DarkOwl, found that healthcare records can fetch a price tag seven times higher than the equivalent financial records because of their specificity. As ransomware gangs establish new revenue streams through multiple extortion tactics – such as selling the stolen data or scamming those whose data they have stolen – they extract ever more profit from data.

Allowing specialists to collaborate

The development of numerous COVID-19 vaccines across the world, in months as opposed to years, is an excellent example of the data sharing, analysis and collaboration that will underpin the future of healthcare. In each vaccine development effort, multiple specialist organisations were involved: government agencies, university researchers, clinical trial experts and pharmaceutical companies found themselves collaborating. This is increasingly the norm in a sector where multiple specialists focusing on core competencies have replaced the traditional vertically integrated ‘big pharma’ corporations. However, this model of collaboration and data sharing cannot, and will not, be sustainable unless cyber resilience becomes a foremost priority of this complex ecosystem. For that reason, leaders across these healthcare organisations need to make cyber resilience a priority for 2022.

Why cyber resilience needs to be the focus

Throwing technology at this problem is not the solution. Cyber resilience is not found in technology alone but in a culture of vigilance and an understanding of risk. Constantly questioning whether the right technology is in place to combat the latest threats from cyber criminals means that organisations are always operating reactively. This means they are always a step behind. Instead, as a first step, those responsible for cyber security need to think about their organisation’s risk profile. Identifying the parts that store the most valuable data, and are thus most at risk, allows cyber security leaders to start thinking more strategically about their approach. Then, teams connected to these parts of the business can receive specialist training and analysts can assess the relevant supply chains in even greater detail to ensure they are secure. Further, organisations should ensure that there is a plan when – not if – a breach occurs. This might be a new way of leading for many cyber security professionals, but taking a long-term strategic approach to people, processes, and capabilities will reinforce a culture of cyber resilience that enables innovation instead of stymieing it.

Healthcare organisations need to make shifting to a mindset of cyber resilience a top priority for 2022 to avoid starting from a reactive posture and playing catch-up. For many industry leaders, continued efforts to combat strains of COVID-19 will create additional rafts of highly sensitive, valuable data – on top of data already produced by the day-to-day running of our healthcare systems. Sticking to the status quo could hinder improved healthcare outcomes for everyone, delaying precision medicine. Future innovations in medicine, built on collaboration between multiple specialist organisations and sophisticated data usage and targeted at rare diseases or with a high fit to an individual’s profile, cannot occur without robust cyber security practices in place. Continuing as-is would be unconscionable, resulting in major privacy concerns. It could also be reputationally disastrous for the whole sector when something inevitably goes wrong. But if healthcare organisations can get it right, they will ensure that cyber resilience advances the future of public health and improves the delivery of medicines and services.

This article was first published on 13 December 2021 by InformationAge.