How to manage cybersecurity in the healthcare sector

BSI Staff
22 Jul 2021

With significant data breaches hitting the headlines each year, healthcare cybersecurity is a major and expanding area for investment and concern.

Cybersecurity, according to the UK’s National Cyber Security Centre (NCSC), is ‘how individuals and organizations reduce the risk of cyberattack.’

Cybersecurity should ‘protect the devices we all use and the services we access from theft and damage’ and ‘prevent unauthorized access to the vast amounts of personal information we store on these devices and online.’ For healthcare organizations, this means that all data stored digitally, from medical records to staff bank account details, is kept secure so that it can only be accessed, used, or changed by those authorized to do so.

SARS-CoV-2 both raises the potential impact of a cyberattack and increases the likelihood of one happening. With unprecedented demand on healthcare, service disruption on the scale seen in 2017 (when the WannaCry ransomware outbreak disrupted NHS services) could be devastating. Acute services are under strain, and there is no slack in the system to divert patients away from affected hospitals. In addition, while some face-to-face care was still possible without access to digital technology in 2017, most of healthcare is now reliant on it.

It’s widely accepted that healthcare has lagged behind other industries when it comes to cybersecurity and that the industry needs to close the gap.

Healthcare leaders must ensure that control of vital hospital facilities and power supplies, and of networked medical devices and implants, cannot fall into the wrong hands.

Thankfully, organizations can use standards to build resilience across these diverse cybersecurity fronts simultaneously.

The challenge: Making healthcare cybersecure

Healthcare managers must protect large, decentralized systems containing vital personal data relating to millions of people.

Post-GDPR, the consequences of failure are severe.

Cybercriminals constantly seek to gain access to this information – especially as many consider healthcare institutions to be soft and slow-moving targets. This data also has significant value on the dark web.

The threats are also varied: data theft, vandalism and sabotage of systems, ransomware and other extortion, phishing aimed at senior executives (so-called C-suite attacks), malware that uses AI techniques to evade detection, and attacks that originate from or target cloud infrastructure.

What’s more, extensive outsourcing, third-party arrangements, and personal device use add further layers of complexity (and further openings for criminals). Good cybersecurity combines the right technical barriers with the right culture and staff mindset, since most attacks depend on a human action such as opening a malicious attachment or link.

Growing Internet of Things (IoT) connectivity adds a further dimension to the challenge. The stakes could scarcely be higher here: a compromised connected medical device can directly affect patient health and safety, and in the worst case cost lives.

Aside from protecting existing systems and safeguarding patients, good cybersecurity also removes widespread barriers to innovation in the digital health space. Successfully addressing the challenge calls for a combined view of both the micro and macro issues.


A standard-led approach to cybersecurity

To develop an effective security-specific strategy, healthcare leaders need to examine their wider organizational standards strategy across all operational aspects.

This helps to ensure a reliable foundation on which to build (for example, BS EN ISO 9001, the internationally recognized quality management standard).

With the fundamentals covered, the next task for healthcare leaders is to develop a formal cybersecurity policy, one that goes far beyond simply backing up data and regularly testing network security to identify gaps (although both remain important).

Managers can use the global information security standard BS EN ISO/IEC 27001 to build an information security management system (ISMS) tailored to the organization, and BS EN ISO/IEC 27002 for guidance on selecting and implementing the controls that system requires. A documented, rehearsed management system also helps large healthcare institutions remain agile and responsive in the face of an incident or data breach.

Cloud-based services and storage policies will make up a significant portion of any wide-ranging security programme. BS EN ISO/IEC 27017 provides cloud-specific guidance on the ISO/IEC 27002 controls, plus additional controls for cloud service providers and their customers. In particular, it clarifies which security responsibilities sit with the provider and which remain with the customer, helping to make cloud services as secure as any other part of the healthcare IT estate.

A robust cybersecurity policy is vital for decentralized systems with users spread across several geographical locations or campuses. It should detail all security procedures, processes, and responsibilities for staff, covering both routine best practice and emergency protocols, and it should underline the need for an ‘ever vigilant’ mindset across the whole organization.

A vital strand of any BS EN ISO/IEC 27001-based plan is the correct management of patient healthcare data and medical records. BS EN ISO/IEC 27701 extends ISO/IEC 27001 and 27002 with privacy-specific requirements and guidance, showing healthcare leaders how to establish and run a privacy information management system (PIMS) for this personal information.

The wider policy should also address the increasing use of personal devices by staff for routine work and administration. It needs to state exactly what is acceptable, what responsibilities users have, which applications they may use, and where the specific risks lie.

Building and maintaining resilience to cyberattacks is an ongoing process that is never complete. It is about building the right culture of awareness and responsibility across all management and staff, because healthcare leaders are fighting a constantly evolving threat. A standards-based approach is the most powerful means of organizational defence, balancing efficient daily operation with appropriate protection.

Protect your healthcare organization from cyberattacks and information theft by adding these key information security standards to your collection today.

Discover BSI Knowledge

Want to have access to all your cybersecurity standards in one place? A BSI Knowledge subscription gives you instant access to the resources you need to improve your information security processes. The flexibility and visibility it provides of best-practice guidance enables you and your team to get the most from standards, from patient privacy to remote data access. Build your own custom collection of standards, or opt for access to our GBM24 Information Technology - Software & Networking module and keep up to date with any relevant changes to your cybersecurity strategy. Request to learn more.
