Philip Ingram MBE tackles the physical and cyber threats facing the UK healthcare sector.

In an era of rapidly advancing technology, healthcare security has become a paramount concern for the UK’s medical institutions.

The NHS cyber-attacks of 2022 and 2024 served as a stark reminder of the cyber vulnerabilities within the healthcare sector, especially in the supply chain, highlighting the need for robust cyber security measures.  

However, the threats to healthcare security extend beyond the digital realm, encompassing physical security breaches, the protection of sensitive patient data and areas often overlooked including staff safety from physical attack including when working as lone workers.  

The UK healthcare sector faces an increasingly complex array of security challenges, encompassing both cyber and physical threats.

Recent incidents have highlighted the vulnerability of healthcare systems to malicious attacks, underscoring the need for robust security measures.  

Intensified focus 

Cybercriminals have intensified their focus on healthcare organisations, recognising the value of sensitive patient data.

In 2022, a staggering 81% of UK healthcare providers fell victim to ransomware attacks, disrupting critical services and jeopardising patient safety.  

These incidents not only compromise sensitive information but also have a direct impact on patient care.

The NHS cyber-attack of 2024, a ransomware cyber-attack perpetrated against Synnovis, a pathology laboratory which processes blood tests on behalf of a number of NHS trusts, affected over 800 planned operations and led to the rearrangement of 700 outpatient appointments, demonstrating the far-reaching consequences of such breaches.   

While cyber threats dominate headlines, physical security breaches remain a significant concern for healthcare institutions.

Unauthorised access to server rooms or other sensitive areas can lead to data compromise and system vulnerabilities.

The interconnected nature of cyber and physical security means that a breach in one domain can have cascading effects on the other.

For instance, a cyber-attack could potentially unlock controlled buildings, creating physical safety vulnerabilities across a healthcare site.  

However, that physical vulnerability extends to the people domain because healthcare is all about people, patients and carers.

A Sister in charge of a busy central England Accident and Emergency department, Anna Marie, says that from a front-line clinical staff perspective the threats are not well understood, “As clinical staff we are in the NHS because we care, so we shouldn’t have to come to work fearful of being assaulted or subject to abuse. This has a severe effect on your morale and the abuse isn’t always from patients, staff on staff assaults and abuse are increasingly apparent.” 

The British Medical Association in a report published earlier this year said, “Last year nearly 15% of NHS staff had physical violence from patients, their relatives or the public.”  

Insider threats 

Insider threats pose a unique challenge to healthcare security.

These can stem from both malicious intent and unintentional actions by employees, contractors, or partners with privileged access.

The healthcare sector is particularly vulnerable to insider risks due to the sensitive nature of the data handled and the large number of individuals with access to critical systems.

However, staff on staff abuse and assaults are a worrying trend not properly reported on before.   

Healthcare trusts and organisations need to prioritise the development of robust infrastructure and resources to safeguard against both physical and cyber threats.

A resilient healthcare infrastructure forms the backbone of effective patient care and data protection.  

From a cyber perspective, a secure network architecture is crucial to protect sensitive patient information and maintain operational continuity.

Implementing a zero-trust approach removes inherent trust from the network while building confidence in each request.

This involves strong authentication, authorisation and device health checks for every connexion.  

Healthcare organisations should consolidate user roles into a single source of truth, enabling reliable rules for data access.

Multi-factor authentication and enterprise single sign-on services can mitigate password attacks and simplify credential management.  

 However, these basic procedures are not enough as was highlighted by the 2017 WannaCry attack where up to 70,000 medical devices across NHS England and Scotland, running an unpatched version of windows was struck impacting it is believed, computers, MRI scanners, blood-storage refrigerators and theatre equipment. 

The issue here is how reliant many medical devices are on older operating systems and the difficulties there are in keeping them up to date with the latest security patches.  

Disaster recovery 

What has proven critical with many of the incidents experienced is properly understood and practiced disaster recovery and business continuity plans.

One positive out of the COVID pandemic is that places have certainly been dusted off, tested, rewritten and practiced.

Our NHS and wider healthcare sector should have the most robust set of plans for dealing with security issues and crisis ever. 

What is worrying is that Anne Marie’s comments are from mid-October this year.   

What she is highlighting is a lack of basic understanding and basic resources.

Enough people, with the correct basic training and that training she is saying is lacking in the police, the security staffs and the front-line staff.

Unless this is corrected and quickly, with the continuing squeeze we are seeing on budgets it will never be fixed.   

The same issue remains with the cyber threat, a lack of awareness and cyber security minded culture is at the heart of continuing vulnerabilities.

Awareness, front line training, culture are not expensive issues to fix but they can only be done with the correct management oversight from people who understand the problem and set a wider security minded culture across the organisation.  

The real solution to allay a large percentage of the security concerns from front line staff is an understanding by the organisation management and a realisation is not simply for the security lead, it is a whole staff and organisation issue to deal with.   

Understanding the issues is the first step and forward-thinking organisations have clinical, administrative, IT and support staff formally embedded in their security organisations and charged with developing their security culture.

It is great to see some organisations leading with this, it is disappointing when it is seen merely as a security or a health and safety, or the like, issue. 

Security is a whole staff and whole organisation issue whether it is physical, cyber or data, everyone is responsible.   

This article was originally published in the November Edition of Security Journal UK. To read your FREE digital edition, click here.