What is the Cybersecurity Remedy for Healthcare Businesses?
Organisations that operate in healthcare store some of the most sensitive and personal information, including patient diagnoses, medical records and home addresses. The industry is also becoming more digitised, expanding its use of operational technology and specialised medical equipment with the aim of providing the best possible care to patients in a safe working environment.
However, these systems are not always the best protected and are among the most targeted by cybercriminals.
An industry under attack
Between 2022 and 2023, the global healthcare sector saw over 11 million ransomware attempts and over 271 million intrusion attacks. It is estimated that 46% of UK businesses experienced a cyber-attack in 2023, and the average cost of cybercrime to the UK is put at £27bn per annum.
In the UK's healthcare infrastructure, most data is held and processed centrally. It is therefore not unimaginable for a cybercriminal to gain unauthorised access to these systems, or to exploit them through human error, which could lead to the entire network being compromised.
Many institutions rely on the data collected by healthcare organisations, as analysis and research based on it can help to uncover new treatments and remedies. These third-party partners are, however, also a security risk to healthcare institutions. A prime example was when the University of Manchester suffered a ransomware attack, resulting in computer systems being compromised. It was significant because the University was collecting hospital data for research, so the attack impacted over one million NHS patients across 200 hospitals.
CNI Warning
The most notorious cyberattack against the UK healthcare network was WannaCry in 2017. This ransomware attack effectively brought the entire NHS system to a halt, crippling 200,000 computers, services, appointments, surgeries and IT equipment, and costing €92 million. More recently, the NHS emergency services were brought to their knees in July 2023 in an attack that targeted two ambulance trusts, resulting in staff falling back on analogue systems to carry out their work.
The healthcare system of any country is critical to the survival and operation of the population, which is why it is part of the critical national infrastructure (CNI). CNI organisations around the world are regularly under threat from nation-state actors like Russia, China, North Korea and Iran. In 2023, the NCSC issued a warning regarding this emerging threat to all UK CNI organisations, which included healthcare, energy, food, government, utilities, telecommunications and transportation.
Given this warning, and the barrage of threats swirling around the healthcare sector, what can this under-prepared industry do to swat these threats away and prevent and recover from potential incidents?
In some of the most prolific cyberattacks, the techniques used by the cybercriminals are not uncommon and they are certainly preventable. Social engineering attacks like phishing are widely reported as being the most used method to gain unauthorised entry into a system. Other common methods include exploiting unpatched vulnerabilities and system configuration errors. Thankfully, these incidents can be prevented and remediated if healthcare organisations follow security best practices and reduce the likelihood of human error.
Security awareness training is key
According to Verizon’s latest report, 74% of data breaches are caused by human error. This highlights the importance of security awareness training and why it is integral for healthcare organisations to implement this for all staff members. Utilising security awareness training methods such as simulated phishing can effectively establish a human firewall as well as cultivate a security culture within the workforce. Elevating the overall security knowledge of staff members enables healthcare organisations to empower employees with the optimal tools to make informed and secure decisions regarding cybersecurity.
Moreover, by ensuring the continuous updating of systems and adhering to cybersecurity best practices, healthcare organisations in the UK can potentially avert disastrous malware attacks. While the preservation of lives remains paramount in healthcare, the rising threat of cybercriminals targeting vital healthcare institutions means recognising that lives are at risk when computers are incapacitated, equipment becomes inoperable and emergency rooms are forced to shut down. Ultimately, these institutions have a responsibility to provide the best possible care to patients, and protecting their data and privacy is a necessary requirement.