FIVE SECURITY THREATS FOR THE NHS TO THINK ABOUT, RIGHT NOW

Posted by highland82 on June 12th, 2017

The WannaCry ransomware attack was a world-wide phenomenon that affected major companies; but in the UK, it was its impact on the NHS that made headlines.

At least 16 trusts were hit by the virus also known as WannaDecryptor, WannaCrypt or Wcry after it started spreading on Friday, 12 May, and a number had to close A&E departments or postpone routine work. However, ransomware is hardly the only security issue facing the health service.

A few days before WannaCry hit, Accenture released its '2017 Healthcare Cybersecurity and Digital Trust Research' report; and it hardly made for reassuring reading. The UK cut of the global research indicated that 13% of us have had our healthcare data accessed by someone who was not authorised access it.

If that wasn't bad enough, it also found that 36% of the breaches were only uncovered when the person affected noted an error on their records. And that in 82% of cases the data had been used for the purposes of fraud.

My analysis of the report leads me to conclude that such data breaches are most likely in pharmacies and then hospitals, with GP surgeries not that far behind. Yet, understandably, most of us (78%) would say it is the responsibility of the NHS to keep our confidential health records secure. 

Competing priorities for limited funds

So, what's going wrong? It's easy to point the finger of blame, and there were plenty of misinformed allegations of stupidity aimed at NHS trust IT managers in the wake of the #NHScyberattack. But nobody is seriously suggesting that they don’t take cyber security seriously; of course, they do.

However, trusts must juggle limited budgets, boards must decide where to focus their attention, and departments must decide where to deploy scarce expertise. In these circumstances, patient care will always win out.

Does that mean the NHS must always fight a losing battle when it comes to securing its systems and the security of patient data? Nope, not at all. What is required is a proper understanding of where risk comes from and the systems and processes that can be put in place to mitigate it.

Also, prioritisation to make sure risks as mitigated, using the budget, board attention and expertise available. The truth is that not all security threats are created equal; some are a lot more threatening than others. Here are five cybersecurity threats that the NHS needs to be dealing with right now...

 Ransomware

Ransomware is a kind of virus that lets hackers encrypt an organisation’s files, and then demand a ransom to give them back. Generally, the demand is made in Bitcoin, the electronic currency that is so beloved of the dark web.

It was only a matter of time before the NHS was caught up in a major ransomware attack; US hospitals have been under siege for two years, and a couple of NHS trusts had been forced to take their systems offline to deal with attacks over the winter.

The good news is that it’s possible to defend against attacks through a combination of good perimeter defences (firewalls, anti-virus, keeping systems patched), user education, and back-up. However, it’s not always easy to do these things well.

It certainly won’t be easy if an organisation is short on security expertise, has a lot of old and fragmented systems to patch, and employs hundreds (or even thousands) of staff with varying degrees of cyber security savvy. Which pretty much describes the trusts worst hit by WannaCry.

Fractured security systems

If one bad apple is all that it takes to spoil the whole bunch, then one weak point in a hospital security system is all that's needed to let the bad guys in. The thing is, the nature of hospitals and healthcare in general is that there are lots of weak points.

Everything, from a wireless printer in a busy clinic that is left unsecured to a doctor using a smartphone to share diagnostic information with a colleague, can leave holes through which a hacker can jump. Once on the network, a hacker will look for more opportunities to exploit.

The #NHScyberattack was high-profile, but this happens all the time. If NHS trusts cannot secure every device in a diverse and fractured ecosystem, they must at least ensure that any attackers that get in cannot access patient data. Layered security, and a proliferation of firewalls, are your friend.

Legacy applications and hardware

I’ve already noted that the NHS is not a bottomless pit when it comes to money. A specific consequence of that is that it cannot afford to replace things that are still perfectly capable of delivering patient care, even if they aren't the latest model.

Some devices delivering care aren't made any more, or will only run on an ancient operating system. That means most NHS trusts will have multiple machines running on legacy systems that might no longer be supported by the manufacturer (this includes, but is not limited to, Windows XP - the Microsoft OS that received so much attention while WannaCry was in full cry).

What does that mean? It means no security patches to plug the gaps when a new vulnerability is discovered; and discovered they will be. The bad guys know the value in attacking legacy devices and applications for this very reason. If a legacy device or application cannot be secured, then at the very least it should be segregated from the rest of the network. 

Social engineering

Ransomware makes headlines, but if the worst comes to the worst most hospitals will have backups of their data. This means they should be able to restore their systems to an uninfected state, which means they are unlikely to respond to a request for a ransom.

Attackers know this, so rather than targeting organisations or individuals, they target everyone by sending hundreds of thousands of phishing emails with infected payloads. Some of those emails will hit NHS staff mailboxes. Some of those staff will click on a link they shouldn't. As far as we know, this is how WannaCry got into NHS IT systems.

But whether it’s WannaCry or something less high profile, the result is the same: compromised networks and a finger of blame pointed at an unfortunate member of staff. Although I don’t think it’s their fault if their management has not implemented staff threat awareness training, so they know what to look out for and how to deal with suspicious contact.

The variant of what is generally known as social engineering is spear phishing, and it can be particularly difficult to deal with, as it targets an individual with a tailored approach rather than a grapeshot mailout. Using social media profiles and posts, an attacker can then include references that put a victim at ease; and more likely to click that potentially devastating link or attachment.

Sometimes an attack can comprise multiple emails before the one with the 'promised document' is sent over and the compromise begins in earnest. Only awareness training can defend properly against such a scenario.

 The Internet of Medical Things

You’ve probably read in the newspapers about how the Internet of Things is wonderful, but insecure. Baby monitors that allow an attacker to spy on your child, 'smart' TVs that can spy on you, and even connected cars that can be hijacked by a hacker.

You might not realise that this is a problem facing the NHS as well, as medical devices are increasingly hooked up to the network. Take drug infusion pumps, for example, that can be controlled from afar by hackers. One researcher even managed to remotely install a game of Donkey Kong on a machine that delivers radiation treatment to patients.

Then there's the amount of highly personal data portable medical devices can collect, and the value of this to potential attackers. It's not the easiest problem to solve, but it needs to be tackled fast – and before it's more than data that is the victim of a breach…