Turning cyber health scare into digital trust
- Posted on November 14, 2021
This article was first published in Australian Cyber Security Magazine.
The right arm up in a black splint. In pain. The left arm holding X-rays, an MRI report and other documents. My wife waited outside the hospital with the help of a member of the medical staff. She had her second surgery within the span of six weeks following an accident.
Three thoughts came to mind as I approached the hospital pick-up zone:
- I feel grateful. The surgery went according to plan. I couldn’t visit due to COVID-19 restrictions, but the nurse I spoke with the night before provided a good report. The surgeon is reputed to be the best in his field, and I truly appreciate the quality of care and the dedication of medical staff in Australia.
- Why is my wife holding so many documents? Surely there is a way to process all of these health data in a digitised form in 2021, and to do so securely.
- Ransomware. Five months ago, a ransom gang claimed responsibility for a cyber-attack against a healthcare provider in our city. Operations were impacted.
The incident five months ago was unfortunately not the first. Healthcare service providers are increasingly an enticing target for cyber criminals looking for financial gains.
The rise of cyber-attacks in the health industry is global. Cédric Hamelin, CISO of the Rouen University Hospital Centre (CHU) in France, shared his experience with the French National Cyber Security Agency, which was published in a recent ransomware report:
"On 15th November 2019, on the eve of the weekend, an emergency services intern reported a problem with access privileges to a business application. Shortly afterwards, the internal IT services noticed that a large number of the CHU’s workstations and servers were encrypted. The diagnosis came very quickly: it was ransomware."
Hospitals can be hurt and need specialist skills to protect their operations and patients’ data.
What makes healthcare such an attractive target?
Attacks in the health industry are increasing, as reported by the Australian Cyber Security Centre (ACSC) in their 2020 Health Sector Snapshot. The ACSC identified the industry to be the subject of the highest number of reported cyber incidents outside of government and individuals. The ACSC also suggested the healthcare industry provides a very attractive target for cyber criminals because of:
- Its highly sensitive personal data holdings
- Its valuable intellectual property on technology and research
- The criticality of services it delivers
- The pressure to maintain and, if disrupted, rapidly restore business continuity
- Public trust in health sector organisations, particularly those linked to government services
The prospect of a hospital operation being impacted, whether by lack of access to urgently needed medical data or, worse, by tampering with that data, is frightening.
The COVID-19 pandemic has also amplified the issue because disruption breeds vulnerabilities to cyber security attacks and financial extortion.
Firstly, the pandemic has put medical institutions under operational stress. They have been dealing with a pandemic while scrambling to quickly enable remote services for staff, patients, and the broader citizen population. This involved fast-tracking the deployment and further use of:
- Internal collaboration tools to support corporate functions with many staff working from home
- Telehealth services for external consultations
- Management systems to orchestrate a massive citizen vaccination program
The speed of digital service delivery can come at a security cost, particularly when security is not strongly and natively embedded at the core of IT solution development processes.
Secondly, the ACSC suggested the cyber-attack surface has increased with new health-related targets including medical transport and supply chain service providers. Supply-chain cyber-attacks are widespread. The European Union Agency for Cybersecurity (ENISA) corroborates the warning more broadly across industries. It estimated that there will be four times more supply chain attacks in 2021 than in 2020, with about half of the attacks being attributed to Advanced Persistent Threat (APT) actors.
Finally, the pandemic has also provided cyber-criminals with the opportunity to build targeted attacks against a disrupted workforce and a vulnerable population through campaigns including COVID-19 themed scams. Cyber security vulnerabilities do not only apply to technology. They also apply to people, and even more so when those people are stretched in an industry under stress. Staff members become more susceptible to falling prey to scams and phishing attacks.
Boosting digital trust
Health cyber security managers and security operation teams are not short of challenges, to say the least.
They protect their organisations’ operations and reputation by implementing security in systems, processes, devices and connected medical equipment, in order to maintain the trust of citizens, patients, clients, and partners, which is imperative. They also play a critical role in fostering the digital innovation and transformation that their organisations require to remain efficient, effective and competitive.
The health care industry is very competitive, especially in the private sector. Attracting and retaining the best medical staff, including Visiting Medical Officers, and improving patient experience can hinge on modern and secure digital services. The choice of security measures, such as a method for authentication, can greatly impact user experience. Security and user experience are not exclusive, but they must be thoughtfully planned.
The Australian Government is executing a promising cyber security strategy, with a range of initiatives driving further investment, awareness, compliance, and collaboration in cyber security.
However, health organisations must take ownership of their cyber security risks. They need talented cyber security teams, appropriate governance, a security strategy that evolves with the health threat landscape, and the right support from the cyber security industry, as suggested by Cédric Hamelin (CISO Rouen CHU):
“Today, it is important to remind organisations in the healthcare sector as well as others that we are not alone in dealing with this type of situation. Do not hesitate to seek outside assistance and advice.”
The health industry is presented with an opportunity to harness the disruption forced upon it to amplify its digital services securely and to build a competitive differentiation. There is no better time to:
- Review security postures and strategies in health
- Embed security in digital health services. This involves putting people at the core of cyber security programs and optimising their security awareness with innovative solutions
- Maximise collaboration and user experience with secure services