Philip Ingram MBE analyses the range of complex security threats facing the global healthcare sector.
Healthcare is big business: whether it is provided by a government, through insurance-based systems or privately funded, the numbers are eye-watering. The business research site ResearchAndMarkets.com predicted that the “compound annual growth rate (CAGR) in global healthcare is expected to be 8.9% in 2022, lifting the global value to nearly US$11,908.9 billion, that is US$11.9 trillion, with the US remaining the single biggest market.”
There tends to be a direct correlation between the threats and risks facing a business area and its value, and that risk increases further when there are multiple touch points for criminal enterprises to exploit the market. However, search for healthcare security on any search engine and you would think it is all about cybersecurity, and that cyber risk is the only threat facing healthcare. This is not helped by physical security and cybersecurity being two completely separate entities, often delivered by different organisations: in the NHS, for example, each NHS trust is responsible for its own physical security with little to no national coordination, while cybersecurity is provided through NHS Digital across multiple trusts.
Cyber is by far the biggest risk, so I will touch on it later; however, no article on healthcare security would do the subject justice if it did not first bound the whole threat, and therefore security, landscape. US Federal data showed that in 2018 healthcare workers suffered 73% of all non-fatal injuries from workplace violence in the US. Last year “nearly 15% of NHS staff in England suffered physical violence from patients, their relatives or the public,” according to the NHS Staff Survey National Results.
Paul Sarnese, who has just finished his term as President of the International Association for Healthcare Security and Safety (IAHSS), said: “Many studies show healthcare workers are much more likely to be victims of aggravated assault than workers in any other industry.” Collaboration is key to ensuring common standards in education, certification, peer-to-peer support and networking, which is what IAHSS is all about, and the association has just announced a formal collaboration with the UK-based National Association for Healthcare Security (NAHS).
Nicholas Reed, NAHS Chief Operating Officer said: “NAHS and IAHSS have informally collaborated for some time, but we are delighted to formalise this relationship in a way which will allow joint working on projects and sharing of knowledge across our memberships. Whilst we operate in different geopolitical environments, many of our challenges are common and our goals are aligned. This Memorandum of Understanding makes perfect sense, especially in our increasingly international world and digital ways-of-working.”
“The IAHSS and NAHS collaboration is an opportunity to advance common healthcare security and safety goals across the global security sector,” added Paul Sarnese.
We must recognise that hospital complexes are like small towns, full of vulnerable people, expensive equipment, drugs and valuable, extremely sensitive data. This attracts not just ‘normal’ crime; as many seem to think, the greatest threat is in the cyber environment. Dean Armstrong QC, the Head of Chambers with the renowned 36 Group based in London, says: “Data, personal data is the new oil and is hugely valuable.”
Counting the costs
In late 2020 the United States was hit by the largest cyber attack aimed at healthcare in its history. Universal Health Services’ approximately 400 hospitals and facilities were held hostage to a massive ransomware attack, and the company formally reported: “An estimated pre-tax ‘unfavourable impact’ of US$67 million because of a cyberattack that led to a network shutdown throughout its US facilities.”
Nicole Perlroth, a Staff Writer with the New York Times, in her new book, “This is how they tell me the world ends,” describes the impact of the attack: “Hundreds of clinical trials were being held hostage – including the crash effort to develop tests, treatments and vaccines for the coronavirus – after a ransomware attack hit the company whose software is used to manage those trials.” What is clear is a cyber-attack on healthcare does not just affect administrative functions but can have a direct impact on clinical care, thereby putting lives directly at risk.
This was by no means the first cyber-attack to affect healthcare. In 2017 a ransomware attack called WannaCry shut down computers in more than 80 NHS organisations in England alone, resulting in almost 20,000 cancelled appointments and 600 GP surgeries having to return to pen and paper. Some hospitals had to divert ambulances, unable to handle any more emergency cases. It is only by luck and the skills of the clinical staff that the attack, in which healthcare was merely collateral damage, did not result in deaths.
The attack was blamed on North Korea, and there was speculation that it was the accidental release of a cyber weapon intended to collect additional cryptocurrency revenue for the regime, a standard tactic. Either way, it highlighted the dangerous nature of weaponised cyber-attacks: they can escape into the wild of the World Wide Web and have massive unintended consequences. This was a nation state attack and, unlike other methods of warfare, there are no international rules similar to the Geneva Conventions limiting what nations can and cannot target.
The UK Department of Health and Social Care (DHSC) has estimated that: “WannaCry cost the NHS £92m in direct costs and lost output and the incident affected services at one-third of NHS trusts and approximately 8% of GP practices in England.” A phenomenal cost in one country for a supposed accidental release.
Peter Sheppard, Director Digital Assurance with TIAA summed up some of the remaining challenges: “Since WannaCry, the healthcare sector has continually struggled with getting robust assurance in cyber. We’re seeing more managerial demand to ensure that new IT deployments, cloud services and applications have rigorous scrutiny and due diligence, but it’s not clear how this is co-ordinated or even evidenced. If we are serious about embedding cyber assurance from the outset, it needs building into procurement along with contractual requirements for long term security patching and updating. Legacy IT in healthcare can be very hard to bring up to current cybersecurity standards.”
What is clear is that there is work to be done in healthcare security to enable it to be looked at from a holistic risk perspective. Those risks are diverse, in some cases unique, and the attack surface is huge. The skills needed to keep our healthcare providers secure from threats ranging from individual physical attacks right up to nation state instigated incidents are equally broad and challenging. As healthcare grows and its value increases, those challenges will expand as well.
For more information, visit: www.researchandmarkets.com
This article was originally published in the February 2022 edition of International Security Journal.