Ransomware and business email compromises are the two most common cybersecurity threats the healthcare sector faces.
Health data is a prime target for malicious actors – a fact that should come as a surprise to no one. But according to Mater Private Network’s first-ever chief information and security officer (CISO) Joe Brady, the healthcare sector is “one of the most attacked industries, if not the most attacked”.
Consisting of extremely sensitive information, including medical histories, clinical treatment and genetic information, healthcare data enjoys special legal protection under EU’s GDPR, with up to millions in fines at stake for hospitals which are found non-compliant with its strict regulations.
Still, it took a severe attack on Ireland’s public healthcare system in 2021 to jolt the sector into investing in and improving its data security. The significant ransomware attack which came during the height of the Covid-19 pandemic affected the Irish Health Service Executive’s IT system, rendering patient records vulnerable. The attack was said to be the most serious cyberattack to ever hit the State’s critical infrastructure.
“Ireland was not in a particularly good place going back a couple of years ago. I would say the major incident that happened with the HSE woke a lot of people up,” Brady says and other experts agree. Since then, there has been a significant improvement in the Irish healthcare industry’s cyber resilience.
Changes have been made in the private sector as well, with Mater hiring Brady as the hospital network’s first CISO. While the private healthcare provider has also made a “multimillion euro investment” over a three-year programme of work to build up security controls across its group of hospitals.
The network has four hospitals, three clinics and two satellite radiotherapy centres across the country.
An escalating race
While archaic, paper data is generally safe from data breaches when compared to digitally stored information. Although, digitally stored data has its many perks. It allows the healthcare sector to evolve its services, make data more accessible to both workers and patients, and allows for healthcare workers to conduct data-driven analysis.
Mater has undergone a “huge” digitisation programme over the last number of years, Brady says. “Now, across the entire Mater Private Network, we have a single electronic health record.”
The company has brought more than half of all its health records into a “single source” which includes patient records, imaging data and reports. This means that people can go to any of Mater’s sites and immediately have access to their data, he explains.
However, the risks are high too. Brady says that a cyberattack in the healthcare sector has “terrible” consequences. “A, you can lose access to systems [and] b, your data can be stolen, exported or exfiltrated, sold, ransomed.”
According to the Mater CISO, the two most common types of cybersecurity threats facing the healthcare industry are ransomware and business email compromises – where sensitive information such as invoice payments is redirected by a malicious actor.
To protect the hospital’s systems, the cybersecurity team at the Mater has deployed 24X7 ‘suck’ and ‘honey pots’ – a security mechanism that detects, deflects and counteracts attempts at unauthorised access – deployed around the network to identify any potential malicious actor trying to map the hospital’s networks.
“We’ve built a framework [and] we’re making sure that we’re holistically addressing everything rather than just focusing in on those one or two things,” Brady explains.
“It’s a constant escalation – like an arms race almost, you know. You put a solution in now, [and] there’s a new AI-driven attack vector and then you have to get another solution to try and address that.”
Brady previously held senior cybersecurity positions in a number of different industries, including as the director of cybersecurity at Eir Evo and as the chief information officer at Ervos Technology Group. He was appointed to the Mater six months ago.
“So coming into healthcare in the last year, it’s interesting to see … how attacked it is and the I’m seeing the level of phishing – focused phishing emails or spear phishing emails – that I haven’t seen across many other industries.”
Although, Ireland’s healthcare bodies don’t get attacked as much when compared to other countries such as the US, he argues.
“Like if you look back at kind of significant healthcare breaches over the last 12 or 18 months. There’s a lot in the US. There’s several in the UK.
“I don’t want to say there’s none in Ireland, but I can’t think of any significant breaches in Ireland over the last 18 months.” However, the Mater itself has “come fairly close” to a cyber incident “once or twice”, Brady says, without divulging the details.
People and tech, a twin defence
Healthcare workers often don’t see IT as a part of their job, even though they deal with large amounts of sensitive data on a daily basis, says Brady. “It’s an area where if you speak to 90pc of the workforce, they wouldn’t see themselves as being IT workers.“
He explains that this is different in other industries, such as insurance or finance, where workers “fully acknowledge” that IT is a key part of their role.
A lack of comprehensive data security training leads to increased human-error led data breaches. Last year, a series of parliamentary questions highlighted that Irish Government departments suffered from nearly 7,000 data breaches over the last decade, most of which were attributed to human error.
To solve this issue, Mater is building a “culture of IT security”, Brady says, by tying data privacy into patient care. In order to do this, the cybersecurity team at the network is training all hospital staff. “That’s one of the big changes I think that we’ve brought in.
“We’ve built a whole cybersecurity awareness, cybersecurity culture kind of programme in the hospital whereby we do phishing simulations to try and train people on what phishing emails might look like.
“We do online security awareness training, we do in-person security awareness training – particularly for the high risk groups.”
In addition to this, Mater has an internal platform for communicating where the team puts up educational content in relation to data security, as well as quizzes and hosting security champion and employee recognition awards.
“We’re really coming at this from every direction to try and make sure that it’s just top of mind for staff all the time,” he explains.
However, according to Brady, data breaches are often a result of a combination of a failure of the security system as well as human error. He explains that while the human worker does click on a malicious such as in a phishing email, it’s often a technology-based error that lets a malicious email get through the system in the first place.
That’s why, along with amping up cybersecurity mechanisms, it’s important to train workers, he says. “If you can train your people, you can make them into an extra defence as opposed to an extra weakness.”
Although, hiring the right cybersecurity experts is a difficult task according to Brady. He says that even though it’s one of the most attacked industries, “there’s still not enough being invested, there’s still not enough people”.
“There’s such a shortage of cybersecurity skill sets in the marketplace. Like it’s a huge challenge.”
Brady says that while there are many entry-level cybersecurity staff, including those who have recently finished a master’s degree in the field, its hard finding leaders or employees with more than five years of experience in the sector.
Thankfully though, time and the right supports can fix that issue.
Don’t miss out on the knowledge you need to succeed. Sign up for the Daily Brief, Silicon Republic’s digest of need-to-know sci-tech news.
