Andrew de Ruiter

Facing the cyber threat

Andrew de Ruiter, risk advisory director at Deloitte UK’s Birmingham office, looks at cyber-security issues facing the healthcare and life sciences sectors.

The major security concern for healthcare used to be all about patient confidentiality, typically relating to treatment which patients were receiving. Now though, the biggest issue is about the integrity of the data, and how that can be maintained.

“A hacker could, for example, hack into a hospital’s database and change information about blood groups for a particular individual or a group of patients. Someone could also hack into a digital platform which was delivering data to clinicians about what dosage levels to give.

“Even a few years ago, such actions would have sounded like sci-fi, but now we’re seeing cyber-criminals accessing hospital databases, taking control of their systems, and demanding ransoms to be paid, usually in bitcoins.

“So far, the only reported attacks have been in Germany and the United States, but there’s clearly a potential threat to hospital trusts and healthcare institutions anywhere. In these instances, the systems were corrupted by ransomware, and hackers demanded payment for the data to be ‘released’.

“It seems that these attacks were opportunistic; hackers were seeking notoriety, trying to make political statements or hoping to make easy money. However, a much greater threat is posed by organised crime gangs, looking to extract confidential data which they can then sell on the dark web.

“Such activity has happened for years. A hotel chain’s reservation system might be hacked, for example, but that’s a relatively low-level issue. Now though, hospitals have systems which are so data-rich that they are very tempting targets for sophisticated cyber-criminals.

“We’re also now seeing teams of hackers linked to nation states, such as China and Russia, which is a modern version of industrial espionage. It’s quite possible that one group could hack another nation’s healthcare systems, to steal data not just about its patients, but about its intellectual property.

“If hackers can reach data about new medical devices, products or services, they might sell that information to manufacturers, and at worst, illegal drugs are later sold online. There was a case in 2015, when a student from Shropshire bought what she thought were ‘fat-burning’ pills, and they were really industrial chemicals.

“Many recent instances of hacking come when criminals take a scattergun approach: they buy bulk e-mail addresses and send them out to see who ‘bites’. They don’t target a specific sector; they’re just looking to get malware installed into someone’s computer system to then see what they can find of potential value.

“The basic technique of a cyber-attack hasn’t really changed since the 80s, but now they’re much easier to carry out, and of course the arrival of bitcoin has enabled hackers to access ransom payments with little fear of being caught.

“It is an issue of which NHS Trusts are aware and increasingly concerned. I’ve visited several hospitals and healthcare providers recently, and have been talking to their boards who want to understand issues about the possible hacking of their data, and the loss of integrity of that data.

“In turn, the board members are asking questions of their management and technology teams, but as always, it’s about skills and resources, about how the NHS can identify people with the right experience and expertise, and then if they can afford to recruit them.

“Nationally, the NHS is looking at this issue, through its NHS Digital programme, for example, but can the ‘centre’ provide the information, the guidance and the systems which the regional trusts will require?

“At the moment, my perception is that there needs to be more from the centre, and that the trusts need greater resources and guidance to tackle these issues, or tensions will be created.”