Out-Law Analysis | 18 Jun 2021 | 2:48 pm | 8 min. read
Growth in telemedicine and other digital care services has been accelerated as a result of the Covid-19 pandemic and is expected to continue rising. This means there is a greater need than ever for healthcare businesses to take steps to protect themselves.
The recent cyber attacks on Ireland's Department of Health and Health Service Executive (HSE) were a reminder of the cyber risk healthcare providers face. The attacks were the most significant known attacks on critical infrastructure in the country's history and resulted in delays in treatments, cancellation of non-emergency procedures. Similar incidents have been reported across Europe where the failure to safeguard health systems and data brings risk.
International healthcare specialist, LIT Healthcare
The role of the clinician and their patient interaction will never be lost, but virtual patient innovations are testing cybersecurity capability. While patients and clinicians continue to embrace virtual care, care providers and policymakers are encouraged to proactively support this fast-growing enabler of care
On 14 May 2021, the HSE was impacted by a human-operated ‘Conti’ ransomware attack. Malicious cyber activity was detected on the Department of Health’s network. This severely disabled a number of HSE systems and necessitated the shutdown of the majority of its other systems.
As a precaution, the HSE made the decision to turn off its IT systems to limit the impact of the attack. This has had far-reaching implications for the public and the HSE. In particular, services which relied on digital processes, such as scans, referrals and diagnostic services, have needed to be operated manually, causing delays. This has brought cyber threats and security to the forefront of business, media and the public’s attention in Ireland.
Over the last decade, the Irish government has put cyber on its agenda. Ireland has had a national cyber security strategy in place since 2015, aiming to allow it to “safely enjoy the benefits of the digital revolution and to play a full part in shaping the future of the internet”. In 2011, the National Cyber Security Centre of Ireland (NCSC) was established, with primary focus on securing government networks and securing critical national infrastructure. The NCSC is assisting the HSE and An Garda Síochána, the Irish police force, with the investigation into the recent attack.
Healthcare organisations should ensure that appropriate security measures, as well as the procedural means of managing a cyber event, are in place and well ‘drilled’.
While the HSE attack was on a large organisation, cyber risk is a major threat to all healthcare businesses, irrespective of size or brand. Organisations in the healthcare sector need to ensure that cybersecurity is prioritised as a board level issue, as it is in most other sectors.
The HSE recently hired an information security manager to drive the cyber security strategy and it has been reported that the HSE was in the process of remediating a number of risk points in its security identified on its corporate risk register before the attack occurred. The recent attack highlights the need for organisations to act now to ensure they are properly equipped to deal with a material cyber event.
The risks of failing to take cybersecurity seriously can be very damaging to a business and can result in theft of patient or customer data, intellectual property or scientific research data; business disruption; financial theft or fraud; loss of revenue; costs associated with restoring operations and improvements to cybersecurity defences; regulatory fines; legal liability, and reputational damage. In addition, there is a risk of litigation from affected individuals, who are becoming increasingly aware of their data protection rights. The threats are constantly evolving and attackers are using increasingly sophisticated measures.
As technology advances and healthcare businesses become more digitally connected, the potential risk of a cyber incident will increase. Healthcare organisations should ensure that appropriate security measures, as well as the procedural means of managing a cyber event, are in place and well ‘drilled’. What is appropriate will depend on the organisation in question and the level of potential risk. Such measures could include technical safeguards such as encryption, anti-virus software and firewalls, access controls, cyber incident management plans, and employee training.
Healthcare businesses need to resource their security measures properly and ensure workers, suppliers and other stakeholders are engaged in protecting the businesses.
The NHS was one of the most high-profile organisations affected by the 2017 ‘WannaCry’ ransomware attack. More than a third of English NHS Trusts were disrupted by the attack, and almost 7,000 appointments were cancelled. The National Audit Office identified that WannaCry was “a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice”. The WannaCry attack took advantage of a software vulnerability and the fact that many of the NHS devices affected were reliant on unpatched systems.
It is hoped that lessons were learned from WannaCry. As would be expected from one of the world’s largest healthcare providers, the NHS has a significant cyber capability. NHS Digital provides support to the NHS in delivering digital services, such as NHS 111 online, and the NHS app, and collects, processes and publishes data and information from across the health and social care system in England. NHS Digital’s cyber security team helps protect the NHS and leads on cyber response. It blocks approximately 21 million threats each month. The cyber and data security function of NHS Digital provides a mechanism for incident reporting, up to date cyber alerts, and guidance on cyber threats. A particular focus is on cybersecurity for procuring and deploying connected medical devices.
As one of the world’s largest employers, there are a significant number of potential opportunities for human error within the NHS. Human error is a common reason why cyber attacks succeed. NHS Digital provides training and phishing resources to raise awareness of cyber threats.
The health sector faces particular cyber challenges given the sensitive nature of patient medical data, and due to the fact that the health sector is at the forefront of scientific innovation, and is therefore an attractive target to cyber criminals, cyber terrorists and nation state attackers.
According to the German federal government, the number of successful cyber attacks on German health service providers deemed to be operating critical infrastructure more than doubled in 2020, compared to 2019. An incident in September 2020 made the headlines: 30 servers of the Dusseldorf University Hospital were held to ransom, scheduled surgery had to be cancelled and the emergency room was closed. Reportedly, a woman died because her ambulance had to be redirected to another hospital.
Germany has been comparatively slow in adopting digital health technology, with public discourse revolved around the protection of personal data. The introduction of a centralised system for health data was controversial and held up for years. Public health insurances have only been required to offer full electronic health records since January 2021, though use by the insured person is only voluntary.
The Act on Patients’ Data Security, which was passed in October 2020, introduced new features for the electronic health record as well as new regimes of guidelines, certifications, controls, and reporting obligations in Germany’s social security law. The reforms affect medical practitioners, hospitals and the provider of the centralised system for health data, gematik.
Previously, statutory obligations on IT security had only existed for certain critical infrastructure such as large hospitals. All other hospitals will now be required to introduce IT security measures by 1 January 2022. The measures smaller hospitals will need to apply are different, but larger hospitals deemed to be operating critical infrastructure and subject to the existing guidelines that apply will also be required to meet the separate obligations under the social security laws. Other groups of users will have guidelines specific to them, such as the guidelines developed by the Federal Association of Physicians.
Against this background, damage claims for bodily harm or for infringement of data protection laws, and damage claims for the non-performance of contracts – such as with patients or insurance providers, for example – are still the predominant legal risk that comes with the virtual healthcare world. Healthcare businesses need to ensure IT security at all times in accordance with the latest technologies available and, where applicable, any guidelines under statutory obligations.
The French media reported 27 major cyber attacks against health institutions last year. Ransomware is one of the main threats facing providers this year, and we are seeing almost one attack per week of this nature.
The unprecedented wave of ransomware attacks, such as on the Villefranche hospital, is resulting in French hospitals losing control of their IT systems for weeks. Cybersecurity is now directly impacting patients' lives. Organisations in the digital health market in France are now adapting to new security standards.
Hospitals and health institutions are targeted specifically because of a successful ransomware attack presents a risk to public health and the attackers believe this will make it more likely that they will receive a ransom payment to liberate health systems and patient data.
The French government announced recently that it will invest €350 million in cybersecurity to protect health infrastructure. Some of this money will be spent on cybersecurity audits and in initiating partnership with a national agency of digital in health.
The recent attacks have highlighted that cybercriminals are often familiar with their targets’ human and IT weaknesses. Health businesses must promote a high standard of “digital hygiene” among their staff, and comply with security standards set by the French Cybersecurity Agency (ANSSI).
The Spanish healthcare sector has been and continues to be one of the sectors most affected by cyber attacks during the pandemic. The cyber risk was present from the earliest stages of the public health crisis.
On 23 March 2020, the national police reported that attackers had sent emails containing a "very dangerous virus" to health workers, with the aim to "break" the computer systems of medical centres.
Throughout 2020, attacks on the health sector were regularly identified by Spanish authorities – up to 50,000 harmful attacks against organizations were reported in the health sector, of which 375 were successful. It appears that this trend will continue during this year.
In January 2021 alone, Spain’s health sector suffered 626 attacks per week on average per organisation, compared to the 430 in the last months of 2020. Although attacks take a variety of different forms, from hijacking to botnets, remote code execution, and distributed denial of service (DDoS) attacks), ransomware is the one with the largest global increase and the one that poses the greatest threat. Studies suggest Spain is one of the countries in the world where ransomware is the most prevalent.
To curb this situation, on 25 May 2021, the Council of Ministers in Spain agreed to launch a package of urgent actions on cybersecurity. The objective is to immediately strengthen cyber defence capabilities in the public sector as well as within those that supply technologies and services to it.
The approved agreement includes the adoption of a cybersecurity shock plan, the update of the national security scheme and the promotion of measures to increase the level of cybersecurity of technology providers in the public sector. These actions will effectively reinforce the capacity to prevent, detect, protect, and defend against the materialisation of cyber threats. The agreement also seeks to ensure that organisational and technical security measures proportionate to the risks go in hand with digital transformation, which should help build confidence in the use of digital technologies by businesses and the public.
The growing risk of ransomware and other forms of cyber attacks in Europe’s health sector emphasises the importance of being prepared. We have found that organisations which have taken steps to consider cyber risks are typically best placed to respond when they happen. Organisations with well-developed incident response plans, which have been tested and rehearsed, are best able to react quicker and more effectively.
Cyturion is a one-stop-shop cyber response tool offered by Pinsent Masons which enables clients to develop a cyber incident response plan tailored to their needs, which sets out what to do, who does it, how they do it, and how the response is managed. Cyturion can help businesses mobilise quickly in response to a ransomware attack, or any other cyber incident.