This year has already been one of the worst ever for cyberattacks against healthcare systems and the threat is growing around the world.
- The UK, June 2024: a Russian ransomware gang (Qilin) attacked the pathology service provider Synnovis, causing serious disruption to NHS care in London and the South East, including the cancellation of thousands of appointments and elective procedures. The situation was made even worse by the publication of sensitive patient data on the dark web.
- The USA, February 2024: a major ransomware attack on the medical invoicing and payment company Change Healthcare led to severe cashflow problems for practices and delays for patients who needed medication or essential care. It also had severe financial consequences for Change Healthcare: the company later admitted it had paid a ransom of $22 million for stolen medical and financial data, while its parent company, UnitedHealth, said it expected the attack to cost “between $1.35 billion and $1.6 billion this year”.
- France, January 2024: in the space of five days, around 33 million people – nearly half the population – were affected by cyberattacks on the healthcare payment providers Viamedis and Almerys. It’s thought to be the largest ever cybersecurity breach in France.
According to the Lancet medical journal, there’s been an “alarmingly rising trend of cyberattacks targeting healthcare”. This can be explained by several factors, including the amount of sensitive personal data held and shared by organisations as well as reliance on “outdated technologies and software”.
The UK Government announced a Cyber Security and Resilience Bill in the King’s Speech, but cases like these show that we all need to be proactive in combating cybercrime. The consequences of not doing so are extremely serious in terms of patient care, as well as the reputational and financial impact.
In August, for example, the Information Commissioner’s Office (ICO) provisionally decided to fine the Advanced Computer Software Group £6 million. This is because initial findings showed “serious failings” in the company’s information security prior to a ransomware attack in 2022 that disrupted NHS services. The ICO said it expected “all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication [also known as two-factor authentication or 2FA] and keeping systems up to date with the latest security patches.”
The CEO of UnitedHealth was also criticised at a Senate Finance Committee hearing after admitting that Change Healthcare systems were compromised through a server that didn’t have 2FA in place.
At Healthcode, we’ve already introduced 2FA as an option for customers, and we’re pleased that a growing number of you are already using this additional security check to access your account (a one-time code generated by an authenticator app or sent by text message).
However, cybercriminals don’t stand still and neither should we. That’s why, from September, we’re leading the way by making 2FA mandatory for access to your Healthcode Account across all of our products and services. You can find everything you need to set up 2FA here, and then be reassured that your account is protected. It’ll also help you demonstrate compliance with IT security best practice during audits and when applying for accreditation, such as the Government-backed Cyber Essentials scheme.
Most of us are already using 2FA in our daily lives (it’s now required for NHSmail user accounts), and it’s an essential safeguard for private healthcare organisations too. We’re proud to have set the industry standard for IT security and resilience, and mandating 2FA is another way we can all stay one step ahead.