Stephen Knibbs, director at Vodafone Business Security Enhanced Services, and Paul Hopkins, global head of cyber security strategy, Vodafone, give their perspectives.
The cyber landscape for health and social care
Recent reports have highlighted the increasing cost implications of cyber threats to the health and care sector. Since 2020, the cost associated with data breaches in healthcare has surged by 42%. For the 12th consecutive year, the industry has registered the highest average data breach cost.
But why is healthcare such a target? The answer lies in the intrinsic value of health data. Patient records, medical histories, billing information, and other associated data present a lucrative target for cyber criminals. This reality was confirmed in 2022 when healthcare saw the most cyberattacks among all industries.
To add another layer of complexity, health and social care organisations are rapidly becoming digitalised. More services are online, and patient records are being stored in the cloud. This is great for accessibility and convenience, but it also opens up new vulnerabilities. As these organisations become more digitally advanced, there's an urgent need for stronger cyber security measures to protect both the organisations and the people they support.
‘As technology changes, so does the way organisations work. We are moving data from our own physical premises to the cloud, and this means we have to rethink safety, ensuring we have strong security across all aspects of the network, infrastructure, software and supplier services. And with advancements like AI and quantum computing, how data is handled and protected will undergo a whole new level of sophistication.’
Paul Hopkins, Global Head of Cyber Security Strategy, Vodafone
Where are these threats coming from?
The types of cyber attackers can be defined by four categories:
- Foreign state actors – Their aim is to gather intelligence about another country's healthcare infrastructure and personal data of citizens for strategic benefits, from political to economic. However, not all are driven by knowledge; some aim to disrupt the system and cause widespread chaos, affecting a nation's healthcare stability, both intentionally and accidentally.
- Criminally organised groups – Their main aim is profit. They exploit vulnerabilities in healthcare systems to launch ransomware attacks, demanding large ransoms to restore access to crucial data and systems.
- Casual hacktivists – Unlike organised groups, their motivation might not be financial. They're often looking to make a political statement or draw attention to particular causes. For some, it's about showcasing system vulnerabilities and competing for recognition in their niche communities.
- Insider threats – The reasons can vary from employees with malicious intentions to well-meaning staff unintentionally compromising security measures.
The impact of cyber threats
The impact of these cyber threats is not just a technical problem. It resonates on multiple levels, affecting the very core of healthcare service delivery and its relationship with patients.
- Financial ransoms – When cyber attackers infiltrate a system, they often lock data away, demanding hefty sums of money for its release. These financial demands can strain the resources of health and care organisations, diverting funds from essential patient care services.
- Reputational damage – Trust is at the heart of patient-provider relationships. A breach doesn't just expose data; it exposes the vulnerability of the institution that's supposed to protect our most intimate information. As a result, patients may lose confidence in their healthcare providers, leading them to question the confidentiality of their sensitive medical records.
- Mass disruption of health and care services – Beyond money and trust, cyber threats can bring operations to a grinding halt. Scheduled treatments can be delayed, critical patient records might become inaccessible, and in extreme cases, lives can be at risk. The disruption underscores the importance of protecting digital assets as well as maintaining uninterrupted healthcare services.
‘Getting to know your health organisations' vulnerabilities is essential. Like many other sectors, dealing with older systems that, although crucial, come with challenges in protection. At the same time becoming more accessible to the public and other organisations, with mobile apps and online portals, their openness also exposes them to potential threats.’
Paul Hopkins, Global Head of Cyber Security Strategy, Vodafone.
Where chief finance officers should be focusing their budgets
With these escalating threats, chief finance officers (CFOs) play a key role in allocating resources to secure their organisations. Cyber security isn't an option anymore – it's a necessity.
To begin with, CFOs should allocate funds for identifying and correcting system vulnerabilities. This includes investing in hygiene patching, a process of regularly updating and fixing software to keep cyber threats at bay. Ensuring systems are hardened against possible threats and taking a proactive approach can also help to eliminate as many security risks as possible from the get-go.
Another critical area of investment is user-end controls. Given that many breaches can occur due to human error or oversight, having stringent controls in place at the user's end can mitigate such risks. Since 2021, IT security incidents saw a 14% rise in accidental data leaks by employees, highlighting the crucial need for tighter user controls. This goes hand in hand with password and multifactor authentication – and a layered defence strategy that ensures users prove their identity before gaining access.
Equally crucial is the incorporation of anti-virus and endpoint detection and response. This allows for real-time monitoring and defence against potential threats, ensuring immediate action can be taken. Lastly, investing in data loss prevention tools ensures that sensitive data, particularly invaluable patient information found in health and social care institutions, doesn't end up in the wrong hands.
'Technology should advance with security at the forefront, not as an afterthought. It's not just about preventing financial loss, but ensuring the continuity of essential services.'
Stephen Knibbs, Director at Vodafone Business Security Enhanced Services
For CFOs in the health and care sectors, ensuring data protection is critical. From advanced threat monitoring to effective security plans, we're here to support CFOs in enhancing their organisation's cyber defences. Vodafone Business Security Enhanced has 25+ years of experience securing essential service organisations, with 200+ technical and security experts and longevity of working with critical national infrastructure.
Our global internet infrastructure offers a deep view of the digital world, making us well-equipped to identify and address potential threats. Vodafone carries 20% of the world’s internet traffic across our network, meaning we have access to indicators of compromise that can help our customers react quickly to evolving threats.
In essence, for CFOs looking to reinforce cyber defences in health and care institutions, Vodafone Business offers expertise and tools to navigate the digital landscape confidently so healthcare can continue to embrace the benefits of digital transformation while protecting their organisation from risk.