Associate Feature: Health Target

Most people would not consider the cyber security impact of either their weekly food shop or a visit to the doctors. But for Anne-Marie Vine-Lott, Director of Health for Vodafone Business, the personal data risk of visiting either could be similar. “From the point of view of a cyber criminal, healthcare organisations collect valuable, sensitive data about individuals,” she says. “It’s not dissimilar to signing up for a loyalty card with a supermarket where the data collected provides information and insight about habits, preferences and spend profiles.  When you think about someone’s health profile it’s the same: you’re getting an immense amount of information.”

As a result, the healthcare industry has become a key target for cyber criminals with one US-based report citing that between 2015 and 2019 almost 80 per cent of all recorded data breaches were in the health sector, three times as many as in education, finance, retail, and government sectors combined.  

Here in the UK, the NHS has found itself vulnerable to attacks on a number of occasions – from personal data breaches to problems affecting entire software systems such as Adastra, which forced call handlers to resort to pen and paper to keep ambulance services running during a breach in 2022.

In 2017, the worldwide WannaCry ransomware attack targeted PCs running Windows in 150 countries, affecting hundreds of companies and public services. Microsoft had issued a patch to protect computers some months earlier, however those who had not downloaded the update, or whose machines were running on older versions of Windows, were not protected.

Among UK health boards affected was NHS Lanarkshire, which had to cancel almost 500 patient appointments and procedures as a result of the attack.

Vine-Lott is only too aware of how vulnerable healthcare organisations can be, particularly in the public sector.  “Vodafone is dedicated to strengthening the cyber security position across the UK’s critical national infrastructure and we want to do more to support the NHS,” she says. “The NHS has become – and will always be – a target, and as we increasingly look to create an environment where everyone is better connected at an individual and organisational level, you have to ensure that there is appropriate security in place.”

Vodafone in Health is a new division within Vodafone Business, established in April 2023, to specifically address the needs of the sector in driving digital acceleration and reducing health inequalities. This sense of purpose is aligned to Vodafone’s everyoneconnected campaign, helping people and businesses gain more access to digital technology. Working across all parts of the UK in Health, in the NHS, the private and third sectors, the new division wants to expand its services to protect the nation’s healthcare system as well as helping to scale new technologies to reduce pressure on the sector. Vodafone recently announced its collaboration with eConsult Health, with the aim of improving patient access to care through digital A&E triage.

Vine-Lott understands that health boards, faced with soaring costs and increasingly squeezed budgets, may not have the capacity to deal with the potential impact of cyber security. Yet this, she warns, plays into the hands of criminals and fraudsters. “It’s known that the UK healthcare system suffers from under investment,” she says. “It’s challenging to balance operational or patient risk that is immediately evident versus the risk of something that you can’t see, but you know may be brewing in the background.” Faced with that dilemma, the tendency is to go for the risk that you can see.

“But if a system is breached and has to be shut down, it has an absolutely huge impact, not just in terms of, for example, operations being cancelled, but the cost of actually trying to get up services and running again, safely.”

The long history of the NHS compared to some countries’ healthcare systems has meant it has been more difficult to modernise and to create a successful digital system. “The NHS started in 1948 and it’s changed and evolved constantly since that time. If you had to start from scratch, you’d never design it in the same way.” She points to countries such as Estonia, where the healthcare system has been created and designed in more modern times, following the country’s independence from the USSR in 1989 – resulting in a more coherent digital system – but she also highlights that Estonia is more centralised and still has challenges in the integration of services.

Meanwhile, an increasing number of people in the UK are topping up their NHS care by using private healthcare providers for some issues, with the rollout of “private healthcare lite” benefits such as online GP appointments which are becoming standard in a growing number of workplaces. In a post-pandemic world, even within the NHS, some appointments, particularly in primary care, are available online or via the phone.

“The upside,” says Vine-Lott, “is that people can access services far more easily, especially since Covid. However, from a cyber perspective, this does open up risk, with a plethora of systems being used as multiple points of access. “In England there has been an ongoing drive towards collaboration with the creation of group Health Trusts into Integrated Care Systems. 

“We are supporting these groups to look at cyber challenges more holistically to reduce risk.”  
Vodafone is offering cyber assessments to better understand potential vulnerabilities and concerns.  She adds: “I would encourage everyone to consider cyber security as a high priority. Whilst it is often difficult to clearly articulate the business case for things that may not happen, it’s better to have invested in the right support to have assurance that they won’t.”  

This article is sponsored by Vodafone

www.vodafone.co.uk