Poor security practices are putting patients at risk unnecessarily. Clinicians, quite rightly, focus on patient care rather than cybersecurity, and many implement ‘workarounds’ to security controls out of practical necessity. These workarounds often go unnoticed and make already vulnerable systems even more so.
A recent research paper by the University of Pennsylvania, Dartmouth College and the University of Southern California found that IT security workarounds are standard practice for most medical staff. Healthcare workers acknowledge that security controls are important, but when navigating the technology stops them from doing their job properly, their duty of care to patients overrides their cybersecurity responsibilities. The paper found healthcare professionals writing down passwords, and others defeating session timeouts by having a junior member of staff press the spacebar on the computer at set intervals.
In the UK, a shocking 93% of healthcare professionals stay logged in to systems to speed up their jobs, according to recent research by Bomgar. Additionally, 69% write down their passwords or share them with colleagues, whilst 84% download sensitive data onto personal memory sticks. Although the reasoning behind these workarounds is typically well intended, does hastening patient care by using cybersecurity shortcuts really benefit patients in the long term?
The human cost
The UK witnessed one of the largest cyberattacks on the NHS in May 2017. 45 NHS sites were affected by the WannaCry ransomware attack, which denied employees access to their systems. Affected trusts suffered ongoing issues in the week following the attack, halting or delaying the treatment of many patients.
Barts Health NHS Trust in particular had difficulties treating cancer patients, as certain types of chemotherapy require computer access. It was reported that planned appointments were cancelled, chemotherapy appointments were pushed back and patients were unsure of when their next, potentially life-saving, appointment would be.
Additionally, trusts were advised to isolate their computer systems from the wider NHS network, which left them unable to access patient records. Prescriptions could not be processed, test results could not be obtained, and even relatively routine procedures such as x-rays could not be undertaken.
Although the WannaCry attack was not down to employee negligence (it spread by exploiting a Windows SMBv1 vulnerability that Microsoft had patched two months earlier, not through phishing or stolen credentials), it shows how the lives of many individuals can be affected if cybercriminals gain access to computer systems. It is imperative that the NHS and private healthcare providers alike quantify the human cost of poor cybersecurity practices.
A change in culture
The NHS isn’t going to stop being a target for cybercriminals any time soon. In fact, Bomgar’s research found that almost 70% of healthcare organisations have either seen a security breach or expect one in the next 12 months. It is well known that healthcare institutions are easy targets, as they typically run outdated and vulnerable legacy systems. On top of this, these organisations hold a wealth of valuable and sensitive information on many individuals, and attackers may expect that, with government backing, whatever ransom they demand will be paid. With clinicians using unapproved workarounds to serve patients more quickly, a targeted attack becomes both more likely and easier to execute.
What exacerbates the problem further is that the attack surface stemming from insiders is not limited to staff working ‘in the office’. Many healthcare professionals are out in the community providing care offsite and logging into systems remotely. Each of these external, ‘off network’ connections is another potential point of entry for an attacker.
In addition, the variety of interconnected devices and IoT-enabled medical devices used both on and offsite poses a huge risk if the clinicians using them are not aware of cybersecurity best practice. Even an internet-enabled insulin pump can be hacked, providing an entry point into a vulnerable network and putting patients’ lives directly at risk.
Healthcare organisations need to implement security solutions that are non-disruptive and consider employees before implementation. Access to systems should be granted in seconds, while still providing all of the checks and balances needed to mitigate threats; if a control adds more friction than the workaround it is meant to replace, staff will simply keep the workaround. This means IT and security teams must involve clinicians and other end users in the early stages of designing new policies or selecting new solutions.
There is no doubt that technology makes providing care easier and more efficient, but it is only one part of the solution. Institutions must also prioritise addressing employee attitudes and behaviours towards cybersecurity and help staff understand the wider consequences of poor security practices. Each employee needs to understand how their day-to-day actions can help protect the organisation and its patients from threats, and that sacrificing network security for speed of care is less helpful than they might think.
By Stuart Facey, VP EMEA at Bomgar