Aon. Allied World.
Health. The Future State. Aon Health Symposium. 14 September 2017.

CASE STUDY: Cyber risk poses real threats for healthcare providers and can compromise patient care

Speaker: Poppy Economakos and Rhiannon Hardwick - VMIA  

Cyber risk poses an increasing threat to the healthcare industry, according to Poppy Economakos and Rhiannon Hardwick from VMIA. Speaking at the Aon Health Symposium on 14 September 2017, they reported that an estimated 66% of all cyber risk issues relate to healthcare, with patient health records described as the "Holy Grail" of cyber hacking because of their resale value on the dark net. With a significant increase in global cyber risk events over the past year and a variety of potentially deadly remote attacks possible, the sector is particularly vulnerable and ill equipped to fend off, respond to or recover from a cybersecurity incident.

Cyber risk and healthcare: The importance of employees and prevention

Cyber risk relates to risks emerging from the use of information and communication technology (ICT). For healthcare organisations this could mean the disclosure or destruction of information, the spread of misinformation that causes confusion and impairs decision-making, or being held to ransom by attackers who steal patient files and demand payment for them.

Of particular concern, however, is the potential for cyber issues to directly affect patient health. With risks including unavailability of patient medical records, compromised integrity of medical data, and the exploitation and disruption of medical devices and equipment, cyber issues have the potential to cause significant long-term harm both to patients and to healthcare providers.

Human error and the role of employees

VMIA's research highlighted the role of human error and negligence both in creating cyber risk exposure and in preventing it. Some of the human risks observed by VMIA and Aon include:

  • Password protection: Many hospitals were seen to use default passwords and not to enforce regular changes or unique passwords per user
  • Account management: Poor user account management controls, such as not deactivating accounts once someone leaves the organisation
  • Virus download: Individual users accidentally downloading a virus that spreads and infects the entire network
  • Remote access: The increase in flexible working and BYOD (bring your own device) increases the risk of data loss through unsecured wi-fi connections, hacking, loss and theft
  • Paper-based risk: Inadequate procedures for the management and disposal of paper-based records, such as failure to shred documents or documents being misplaced.
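The first two bullets (default or shared passwords, and accounts that outlive the employee) are the kind of control failures that can be checked mechanically from an account export. The script below is an added example, not code from VMIA, Aon or the symposium; the account records, salts, "known default" passwords and the 90-day thresholds are all constructed or assumed for illustration. It verifies each account's salted PBKDF2 hash against a short list of assumed vendor/onboarding defaults, flags enabled accounts whose owner has a leave date in the past, and flags dormant accounts and passwords older than the assumed policy age.

```python
import hashlib
import hmac
from datetime import date

# Assumed parameters: a real audit would take these from policy, not hard-code them.
ITERATIONS = 100_000
KNOWN_DEFAULTS = ["Welcome1", "password", "admin", "changeme"]  # assumed vendor/onboarding defaults
AUDIT_DATE = date(2017, 9, 14)


def hash_password(password: str, salt: bytes) -> bytes:
    """Per-user salted PBKDF2-HMAC-SHA256, the shape most account stores export."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(username, password, salt, last_login, password_set, enabled, left_on=None):
    # Constructed fixture only: a real export carries the hash, never the plaintext.
    return {
        "username": username,
        "salt": salt,
        "hash": hash_password(password, salt),
        "last_login": last_login,
        "password_set": password_set,
        "enabled": enabled,
        "left_on": left_on,  # from the HR leavers list, joined on username
    }


# Constructed sample export (not real hospital data).
ACCOUNTS = [
    make_account("jsmith", "Welcome1", b"salt-1", date(2017, 9, 1), date(2016, 1, 10), True),
    make_account("rpatel", "correct horse battery staple", b"salt-2", date(2017, 9, 10), date(2017, 7, 1), True),
    make_account("leaver01", "Sunflower!9", b"salt-3", date(2017, 3, 2), date(2017, 1, 5), True, left_on=date(2017, 4, 30)),
    make_account("svc_backup", "admin", b"salt-4", date(2016, 11, 20), date(2015, 6, 1), True),
]


def uses_default_password(acct) -> bool:
    """Re-derive each known default under the account's own salt and compare in constant time."""
    for default in KNOWN_DEFAULTS:
        if hmac.compare_digest(hash_password(default, acct["salt"]), acct["hash"]):
            return True
    return False


def audit_accounts(accounts, today, max_password_age_days=90, dormant_days=90):
    """Return {username: [issue, ...]} for every account with at least one finding."""
    findings = {}
    for acct in accounts:
        issues = []
        if acct["enabled"] and acct["left_on"] is not None and acct["left_on"] <= today:
            issues.append("leaver_still_enabled")
        if uses_default_password(acct):
            issues.append("default_password")
        if (today - acct["password_set"]).days > max_password_age_days:
            issues.append("password_expired")
        if acct["enabled"] and (today - acct["last_login"]).days > dormant_days:
            issues.append("dormant")
        if issues:
            findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_accounts(ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(issues)}")
```

Because the hashes are salted per user, the script cannot tell whether two users share a non-default password; that part of the bullet needs a check at password-set time rather than an offline audit. The password-age check reflects the "regular changes" point in the bullet; note that NIST SP 800-63B no longer recommends forced periodic rotation on its own, so treat that threshold as a local policy choice rather than a universal rule.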

Developing a risk culture is key to prevention

With employees playing a significant role in both the exposure to and the prevention of cyber risk, engaging and educating them as part of an organisation-wide approach to risk culture is an important means of mitigating cyber risk. It is vital that employees understand the role they play in protecting their organisation from cyber security threats, and that they have clear guidelines for how they are expected to operate and behave. When they feel able to identify potential breaches and escalate concerns, employees become a powerful form of frontline defence and prevention.

The case for a risk-culture-based approach to improving organisational security was reinforced by Poppy Economakos and Rhiannon Hardwick (VMIA), who outlined a five-stage framework drawing on the National Institute of Standards and Technology (NIST) Cybersecurity Framework. The stages below are the speakers' own and do not map one-to-one onto that framework's five core functions (Identify, Protect, Detect, Respond and Recover):

  1. Secure the cyber perimeter: Identify gaps, then monitor and secure the cyber perimeter with appropriate measures and controls that are regularly tested and updated
  2. Cyber committee: With boards now understanding that cyber risk is the responsibility of the entire organisation (not just IT), establish a cross-functional governance team to set policy and test risk hypotheses
  3. Risk profile and appetite: While there is no such thing as perfect protection, the goal is to build a sustainable programme that balances organisational need against risk appetite
  4. Assess, measure and mitigate: Identify gaps and develop a roadmap to your desired future state, including an incident response plan, business continuity plans, roles and responsibilities if an event does occur, and training and awareness
  5. Cyber insurance: Given the potential financial impact, organisations need to explore opportunities to protect themselves by transferring risk through a range of conventional and emerging cyber insurance products.

Developing and nurturing a risk culture across the entire business can help healthcare organisations both protect themselves from cyber risk and build the capability to respond to and deal with threats efficiently.