Health Sector Among Worst Adopters of Cybersecurity Frameworks

The stark vulnerabilities within health systems and the potential impact on the safe delivery of care have been exposed during the COVID-19 outbreak. Cybercriminals have exploited the confusion and fear to launch a wave of cyberattacks against healthcare organizations, including the World Health Organization (WHO) and the US Centers for Disease Control and Prevention (CDC). Despite this, the healthcare sector remains one of the worst adopters of cybersecurity frameworks.

This is the context for a forthcoming research report by the Leading Health Systems Network (LHSN), an initiative of WISH, in partnership with Imperial College London, looking into the current state of cybersecurity in healthcare settings worldwide. The findings and recommendations will be released at the WISH 2020 biennial conference set to take place in a virtual format from November 15-19.

Back in 2017, the National Health Service (NHS) in the UK was subject to a ransomware attack. During the COVID-19 period, however, the main threats to cybersecurity have resulted from staff being moved to help with emergencies, which increases the risk of losing adequate control of IT systems; from accidental errors; from stretched health systems; and from the rapid introduction of new digital solutions that bring inherent risks, such as design flaws that jeopardize the security of the data they hold.

Alert to the growing challenge, LHSN, an international group of health systems and providers hosted at the Institute of Global Health Innovation (IGHI) at Imperial College London with the support of WISH, questioned key experts in the areas of IT, cybersecurity, health policy, and health systems about their experiences and organizational efforts related to cybersecurity. They also consulted experts from a range of health systems to provide input on the most relevant elements of a global framework for cyber readiness in healthcare. The result is the ‘Essentials of Cybersecurity in Healthcare Organization (ECHO)’ framework, proposed in the report as a minimum standard, depending on an organization’s resources and its cyber maturity.

The ECHO framework includes the most important elements of a global cybersecurity framework for healthcare and outlines the six primary dimensions to consider when scaling up cybersecurity in a healthcare organization.

Leading the report and its research process was Dr. Saira Ghafur, Digital Health Lead at IGHI, and an honorary consultant in respiratory medicine at St. Mary’s Hospital, with a team of authors comprising Niki O’Brien, Policy Fellow in Global Health; Dr. Emilia Grass, Cyber Security Fellow; and Mr. Guy Martin, NIHR Clinical Lecturer, IGHI, Imperial College London.

Dr. Saira Ghafur, chair of the WISH 2020 Cybersecurity and Healthcare Systems forum

Their report makes it clear that, while digital solutions have the potential to revolutionize healthcare and improve the health of people around the globe, it is essential that healthcare professionals work to mitigate the accompanying risk of cyber threats to protect patient populations. What COVID-19 has shown is that cybersecurity needs to be a fundamental and consistent consideration, and that protective mitigation strategies need to be in place.

WISH 2020 will extend over five days this year. Healthcare experts, policymakers, innovators, frontline workers, and members of the public from across the globe will gather on an interactive virtual platform to collaborate toward achieving the goal of building a healthier world under the theme ‘One World Our Health’.