Why the healthcare sector needs to check up on its cyber vulnerabilities


As the Cyber Resilience Centre for Wales continues to grow and welcome new members to our community, we are also seeing more organisations from the healthcare sector signing up.


The Covid-19 pandemic tested this industry to its limit, putting it under pressure and strain it had never experienced before. Now it faces a new kind of vulnerability, this time from cyber-criminals, with attacks on the healthcare sector reaching new heights.


A recent report from cyber security firm CybSafe has highlighted that 34% of incidents reported from last year were experienced by the healthcare and education sectors, an increase on 2020’s figures from the Information Commissioner’s Office. The report highlights phishing as the most common form of cyber-attack, with ransomware becoming an increasing trend impacting all sectors.


When it comes to cyber security, many of the larger organisations have dedicated resources to develop an effective cyber defence plan – a chief information security officer and a security operations centre – yet the reality is that smaller providers will not have these resources and are increasingly vulnerable to a cyber-attack.


Common issues include medical equipment lacking proper security protections, the remote access to medical data that medical workers require, and little cyber security training for healthcare staff – all against the heightened importance of protecting the health and well-being of patients, and the records that relate to them.


Identifying the risk

The most common threat currently used by cybercriminals is the phishing email. This may be a general, widespread attack or a more focused assault on your organisation. The key to defending yourself against this type of attack is staff awareness, so that all employees understand the key elements of recognising a phishing email if or when they receive one. This puts your organisation in a far stronger position to avoid falling victim to being hacked and blackmailed.


It's easy to make a mistake as phishing attacks become more sophisticated, and one can easily slip through the net, especially when we’re very busy or under a lot of stress. Clicking on a malicious attachment or link may mean malware is downloaded to your computer, which could be used to reveal your passwords, to access your email account and send emails pretending to be you, or to steal patient data and blackmail you for its return. The malware may be in the form of ransomware, which means that all the data you have on your computer or network is encrypted and you must pay the criminals to get your data back.


How to be better protected from threats

To make yourself more resilient to a cyber-attack, take the following simple steps:

· Use a strong password – we recommend you follow the government advice of using three random words.

· Use two-factor authentication

· Ensure you have anti-virus installed and regularly install available updates – these often contain security fixes for identified vulnerabilities

· Back up your data – make sure your backup is kept separate from your network to ensure it is protected.

· Educate your staff to recognise a phishing attack – 83% of cyber-attacks last year used phishing as the mode of delivery.

· Use supported operating systems – for example, after 10 years, support for Windows 7 ended on January 14, 2020. This means that security fixes or patches will no longer be released, allowing potential vulnerabilities to remain.


If you want to learn more about protecting your business from a cyber-attack, then sign up for our free core membership and receive our regular newsletters. The National Cyber Security Centre has produced the 10 Steps to Cyber Security, which is a great introduction for those with cyber security responsibilities in the healthcare sector as well as organisations in other sectors.

The NCSC’s Board Toolkit also hosts numerous resources for the essential discussions between board members and their technical experts. We provide both of these in our welcome pack on signing up for our membership.

