What the healthcare industry did (and didn’t) learn from WannaCry

  • Published: 27 March 2019
  • The Say Team

The healthcare industry has been no stranger to cybercrime in recent years; May 2017 saw the now infamous WannaCry ransomware attack cripple the National Health Service, as well as many other organisations worldwide. This was due to a patchwork of outdated IT solutions, like Windows XP, that made up a large number of its computer systems. All told, the whole saga cost the NHS £92 million during the attack and the subsequent repairs. As a result, it’s safe to say that the NHS has a long way to go to modernise its IT security following this standing start. And even though signs of modernisation seem to be on the horizon (the Health Secretary recently took the decision to phase out pagers by 2021), it’s clear that adopting any new digital practices across the whole of the NHS is a mammoth task – but the sheer size of the organisation doesn’t excuse procrastination.

But why has the healthcare industry lagged behind other industries in cyber security due diligence? And what factors do healthcare professionals consider when deciding on a vendor, now that the importance of strong protection has been highlighted? We compiled a research study, The State of Trust in Security Companies Barometer, to discover just this: to find out what makes healthcare professionals trust a vendor and want to buy from them.

Cyber security is an international healthcare crisis

A recent report showed there were 359 healthcare company data breaches in the US during 2017. The following year that figure stayed comparable with 350 breaches, but the amount of data stolen actually tripled – showing that the severity of such breaches is escalating. It was only recently that, due to an insecure server, the medical records of 800,000 blood donors in Singapore were leaked. Donors’ information, such as number of blood donations, dates of the last three blood donations, gender and, in some cases, blood type, height and weight, was leaked on the internet for two months until the breach was discovered. Cyber security, therefore, is not just an issue that bodies in the UK are struggling with – organisations across the globe have failed to get to grips with the necessary cyber infrastructure.

What does our research tell us about healthcare purchase priorities?

The healthcare industry has a communal approach to innovation – meaning that it relies on the industry as a whole taking on best practices. This is reflected in the survey data, which shows that peer-usage case studies are highly regarded when healthcare decision-makers are choosing a new security vendor – more so than in any other industry that Say surveyed (Education, Financial Services, Transport, Retail and Leisure, Utilities and Infrastructure).

Organisations must also comply with a litany of government regulations which increasingly require companies to show not only that their products reliably do what is claimed, but also that they are cost-effective relative to competing products. This is illustrated in our research, which has shown the health industry to be the most cost-conscious sector when it comes to choosing a security solution. This is perhaps due to the influence of the public sector, but when you consider the vast quantity of private health companies also on the market, holding cost in high regard does seem to be a common trend across the industry. Healthcare is an expensive commodity, and cost saving is paramount to running successful business models – of which security is only a part.

Furthermore, health professionals are highly sceptical of social media and media advertisements when considering security products; of all the industries surveyed, they were least likely to value information from these sources. The security market is extremely crowded, and to cut through the noise and effectively reach healthcare professionals, security vendors need to focus on trade shows, trade publications and national media – all of these avenues scored highly for trust in the Say Trust Barometer.

Know your audience

Healthcare is digitising and modernising, with new practices like telemedicine, AI-enabled medical devices and blockchain digital health records all breaking into day-to-day operations, which will no doubt have a transformative effect on the industry. As more digital elements come online, the healthcare industry needs to take on cyber security as a priority ‘from board to bedside’ – in a time of rapid digital transformation and the upturn in malware attacks, it’s vital to the industry as a whole. Effective cyber security measures are essential to protect data and critical infrastructure in a way that gives doctors and staff rapid and reliable access to patients’ medical records while ensuring that this information remains private and secure from unauthorised eyes and cyber-criminals. The sector needs to learn from its past mistakes and vendors have been given the opportunity to demonstrate their value – if they are able to market themselves.

By Charlie. E
