Despite healthcare increasingly becoming a target for cybercriminal activity, investment in cybersecurity continues to be viewed as a necessary evil for those with the onus of stumping up the cash. This is reflected in the high demand for solutions and services to ensure regulatory compliance and the relatively low demand for more strategic, forward-thinking endeavours. COVID-19 has the potential to change this mindset, says GlobalData.
Building on findings from GlobalData’s recent cybersecurity survey, along with demand analysis and commentary on market dynamics, GlobalData’s report, ‘UK Health & Social Care – Cybersecurity’, notes that, in the event of a pandemic, the speed at which a nation responds is crucial to learning more about the threat and ultimately taking measures to minimise or, if possible, eradicate it. Data plays a pivotal role in this scenario and so we have seen examples of information governance policies being relaxed to enable collaboration and promptly transmit data in the fight against COVID-19.
Jonathan Cordwell, Principal Health & Social Care Analyst at GlobalData, comments: “Health Secretary Matt Hancock has been directly involved in relaxing these policies, such as granting Government Communications Headquarters (GCHQ) powers to obtain information from NHS IT systems and issuing orders to healthcare providers to process confidential patient information relating to the coronavirus.”
The value of NHS data to cybercriminals has come to the forefront of market attention in recent years, with healthcare organisations increasingly being targeted. Amid the chaos caused by COVID-19, operational priorities are concentrated on coping with high levels of demand for healthcare services, which makes the NHS ripe for attack.
Cordwell continues: “Access to clinical data and IT systems can be highly valuable to cybercriminals for various purposes including holding users to ransom. The attractiveness of targeting healthcare providers increases furthermore with efforts to centralise data (making the prize bigger) and give private sector organisations greater access (increasing the number of entry points to exploit).”
Despite internal members of staff often being cited as the weak link in an organisation’s cyber defences, participation in training and events seems to be a relatively low priority across the board, presumably outside of mandatory training for compliance purposes. This suggests that healthcare organisations continue to view cybersecurity as operational and not strategic.
Cordwell adds: “Lack of training, unintuitive IT systems and insecure practices by members of staff all contribute to them being cited as the weak link. Interestingly though, GlobalData’s survey findings suggest that they are also a rich source of cybersecurity expertise and guidance. It is vital therefore that a consistent program of training is established and feedback is sought after from the workforce for suggestions of improvement.”