Simple housekeeping can ensure healthcare IT systems don’t fall foul of cyber failures
5 September, 2024
The recent issue surrounding CrowdStrike cybersecurity software, and how a missed IT update can cause havoc, shows how vital our computer systems are to the everyday operation of systems we all rely on.
In the middle of July, one glitch in the software caused worldwide problems, hitting, among others, trains, shops, airports and pharmacies – with airlines forced to cancel flights and some GP surgeries in Britain affected.
While this technology was introduced to enhance efficiency, it is only when things go wrong, and the failures impact millions of people, that we ask serious questions about how good the systems really are.
Although the CrowdStrike problem wasn’t a criminal issue, it did show how a problem with vital computer systems – either through criminal intent or expert oversight – can have a major impact.
For our health systems, making sure they are free of problems is vitally important, and something that needs to be taken incredibly seriously by those who operate them.
As one commentator noted about our increasingly connected world: “The Internet of Things (IoT) is integrated with medical devices, enabling improved patient comfort, cost-effective medical solutions, quick hospital treatments, and even more personalised healthcare.”
Great as this is, this connectedness also causes many concerns, which were put into sharp focus by a statistic which was recently revealed by a systems expert.
According to Yaroslav Goortovoi, a Technical Writer at software specialist Altoros, 46% of medical IoT devices have a vulnerability.
This means that almost half of the machines which we may rely on for our medical safety could be at risk from hackers, who could access our data, impact our wellbeing, or affect the operation of our healthcare systems.
It would be great if this 46% figure just painted a picture of a worst-case scenario – but, unfortunately, we have seen what impact malign influences can have on healthcare systems.
In May 2017, in what is known as the WannaCry attack, major issues were caused by a ransomware attack on the NHS – when a criminal group encrypted healthcare systems and files, then demanded a ransom in exchange for details of how to return the systems to normal functioning.
This impacted more than 80 of the UK’s NHS Trusts and, just like the recent CrowdStrike issue, involved the failure to carry out a software update, which was then used by hackers as a way to get into the systems.
According to an NHS spokesperson, “due to the unpatched operating system, this has infected more than 230,000 computers in at least 150 countries”. It led to an estimated cost of £92 million to fully recover.
Further hacks have seen phishing emails used to access healthcare systems, with others leading to the cancellation of potentially life-saving operations, patient data sold for profit on the dark web, and thousands of appointments cancelled.
The need for those operating in the healthcare sector to take systems security seriously is there for all to see, but some research has suggested that the warnings are not heeded.
Statistics from Capers found less than half (43%) of health practices say they always change default passwords on connected medical devices, and less than a third (32%) always update them when a patch is available.
These figures highlight that there is a large part of the healthcare sector that is not actioning basic security recommendations, which ultimately leads to increased vulnerabilities and susceptibility to cyber-related attacks.
By following these basic security mechanisms – such as regular updates, using patches, changing default passwords, carrying out regular audits, risk assessments, regular training, and competence testing of every employee using the devices – those who use these systems will further enhance the security of the industry and help to protect it against the dangers of widespread failures.
The WannaCry attack and the recent CrowdStrike debacle show how vital it is to learn lessons from these episodes, otherwise we’re bound to repeat them.
by Rachael Medhurst, Senior Lecturer in Digital Forensics and Cyber Security at the University of South Wales.
This article was written for Business News Wales.