Last week’s ransomware attack was a major wake-up call for the NHS
What was ‘good enough’ in cybersecurity a few years ago is woefully inadequate in 2017, as the UK’s NHS found out Friday. It fell victim to one of the largest ransomware attacks in history – something Europol described as “unprecedented”.
Hackers’ technology in all sectors moves at an alarming pace, and organizations must be willing to stay on top of their cybersecurity game – none more so than healthcare firms.
“While security remains a low priority for NHS management, they will increasingly fall victim to these kinds of attacks,” warns Jamie Moles, Principal Security Consultant at Lastline. “The National Health Service is one of the largest organisations in the United Kingdom. With an annual budget in the region of £116 billion, it is a massive target for cyber-attacks and currently, it’s a poorly defended target.”
Interestingly, the NHS takes a very strict and sanitary approach to dealing with these attacks, shutting down almost all of its IT capabilities while it triages and treats the problem. Why would we expect any different from a medical organization?
Ransomware typically gains its foothold on machines and networks through phishing, the practice where criminals trick a user on the network into clicking a link that may look entirely legitimate, inadvertently triggering the kind of complete shutdown of resources seen around the world last week.
Part of the blame for the disruption caused by the NHS hack has been attributed to its reliance on Windows XP, an operating system that Microsoft no longer supports with patches and updates.
“While the NHS no doubt has taken these and other precautions, the complexity of their security environments may be leaving gaps where an attacker can find a way in,” says Paul Calatayud, CTO at Firemon. “Managing all those security technologies becomes vitally important,” he adds.
Cyber attacks on healthcare, as on any industry, can come in a myriad of forms:
In most phishing cases, phishing artists mimic their target company’s logos and use an actual employee’s credentials to make their emails look credible. Be wary of emails that look even slightly suspicious, and avoid clicking links from a sender unless you know them.
The Internet of Things has made headlines in recent months for its vulnerability to DDoS hacking. The implications this could have in a healthcare context could be horrifying: imagine a life support system being put out of action due to a denial of service attack that floods it with a volume of requests it wasn’t built to cope with.
Selling off of data
Stolen data will likely be sold for healthy profits. What the buyers do with that information would be out of healthcare organizations’ (and patients’) control. Potential uses could range from serious harassment to blackmail.
The National Health Information Sharing and Analysis Centre (NH-ISAC) has warned that cyber attackers could pick random medical records to change, demanding a ransom before they reveal which ones have been altered. If ignored, changed records could lead to patients being put through unnecessary and potentially harmful treatments, wrongly diagnosed or even exposed to medication that they’re allergic to.
A criminal gaining access to an IT system can, of course, simply choose to inject malicious data or demand a ransom. This can compromise or destroy the system, leading to chaos and huge financial loss.
What are the consequences?
Apart from the direct consequences of cybercrime, healthcare organizations could be penalized for not keeping their security up to scratch. Healthcare organizations in the US are already being heavily fined by federal health regulators – in 2016, one of the biggest healthcare companies in the country settled for $5.5 million after breaches to their system compromised around 4 million electronic patient records.
The European Union has directed that, as of next year, companies – including healthcare companies – can be fined 4% of their turnover if their data are hacked. The NHS can be punished (both under the EU directive and the Information Commissioner).
Another sector which could be badly hit is non-profit and non-governmental healthcare. As a recent report from the Institute for Critical Infrastructure Technology (ICIT) showed, such organizations may not have the budget or time to set up decent systems. Those same deficiencies mean that a big attack is more likely to kill the organization altogether – they can’t absorb big financial or PR hits.
What are the solutions?
Every member of an organization should be educated about the risks of a cyberattack. Accidents happen – but they’re a lot less likely if the workforce understands the significance of a security breach.
All health records and files should be encrypted. There is no excuse here.
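Encrypting records at rest also answers the NH-ISAC scenario above, where an extortionist claims to have altered some records and will not say which: an authenticated encryption mode rejects any record whose bytes have been changed, so the defender can sweep the store and list the altered ones without paying. The following is an added example (not code from the article or any NHS system) using AES-256-GCM from the Go standard library; the record layout, the `patient-NNNN` identifiers, the sample plaintexts and the all-zero demo key are constructed for the example, and in practice the key would live in a key management service or HSM rather than in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is how a patient record sits on disk: only ciphertext, the
// nonce used for it, and the record identifier it is bound to.
type SealedRecord struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
}

// ErrTampered is returned when a stored record fails authentication on read.
var ErrTampered = errors.New("record failed authentication: altered, swapped or wrong key")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts plaintext under key with AES-256-GCM. The record ID is
// passed as associated data, so it is authenticated without being encrypted:
// moving this ciphertext under a different record ID fails in OpenRecord.
func SealRecord(key []byte, id string, plaintext []byte) (SealedRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	return SealedRecord{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenRecord decrypts and authenticates a stored record. Any change to the
// ciphertext, the authentication tag, the nonce or the record ID is rejected.
func OpenRecord(key []byte, rec SealedRecord) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() { // a truncated nonce is tampering, not a panic
		return nil, ErrTampered
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ID))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// FindAltered sweeps a store and returns the IDs of every record that no
// longer authenticates, which is exactly what an extortionist who "changed
// some records" is betting the defender cannot work out.
func FindAltered(key []byte, recs []SealedRecord) []string {
	var altered []string
	for _, r := range recs {
		if _, err := OpenRecord(key, r); err != nil {
			altered = append(altered, r.ID)
		}
	}
	return altered
}

func main() {
	key := make([]byte, 32) // constructed all-zero key for the demo only
	var recs []SealedRecord
	for i, pt := range []string{"allergy: penicillin", "allergy: none", "blood group: O-"} {
		r, err := SealRecord(key, fmt.Sprintf("patient-%04d", i+1), []byte(pt))
		if err != nil {
			panic(err)
		}
		recs = append(recs, r)
	}
	recs[1].Ciphertext[0] ^= 0x01 // simulate one stored byte being flipped on disk
	fmt.Println("altered records:", FindAltered(key, recs))
}
```

The check only protects records that were sealed before the intrusion, and it says nothing about an attacker who also holds the key; key custody and an offline copy of the store are what make the sweep trustworthy.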
Companies should employ ethical hackers and security experts to try to breach their defenses – both digitally and physically (data breaches can include the theft and selling off of hard drives).
Security Information and Event Management (SIEM) systems have become an important part of cybersecurity. SIEM platforms sort through the huge amount of log data that’s generated by every system in your IT infrastructure. A good SIEM will do this in real-time, alerting you to a threat as it appears.
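What a SIEM rule for the attack described in this article can look like, as an added example that is not from the article or any SIEM product: a ransomware process encrypting a network share produces a burst of file renames or writes from one user on one host, so the rule parses file-audit events, groups them per host and user, and alerts when more than a threshold of events fall inside a sliding time window. The `key=value` log line format, the host and user names, the paths and the threshold of 20 events per minute are all constructed for the example and would be replaced by the format and baseline of the real audit source.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed file-audit log line.
type Event struct {
	When   time.Time
	Host   string
	User   string
	Action string
	Path   string
}

// Alert describes one host/user pair whose activity crossed the threshold.
type Alert struct {
	Host, User string
	Count      int
	Start, End time.Time
}

// ParseEvent reads the constructed line format: an RFC 3339 timestamp followed
// by space-separated key=value fields. Lines it cannot parse are skipped.
func ParseEvent(line string) (Event, bool) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, false
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, false
	}
	ev := Event{When: ts}
	for _, f := range fields[1:] {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			continue
		}
		switch kv[0] {
		case "host":
			ev.Host = kv[1]
		case "user":
			ev.User = kv[1]
		case "action":
			ev.Action = kv[1]
		case "path":
			ev.Path = kv[1]
		}
	}
	return ev, ev.Host != "" && ev.User != "" && ev.Action != ""
}

// DetectMassModification alerts once per host/user pair whose rename/write
// events reach threshold inside any sliding window of the given length.
func DetectMassModification(lines []string, threshold int, window time.Duration) []Alert {
	groups := map[string][]Event{}
	for _, line := range lines {
		ev, ok := ParseEvent(line)
		if !ok || (ev.Action != "rename" && ev.Action != "write") {
			continue // reads are normal clinical activity; only modifications count
		}
		key := ev.Host + "|" + ev.User
		groups[key] = append(groups[key], ev)
	}
	keys := make([]string, 0, len(groups))
	for k := range groups {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic alert order
	var alerts []Alert
	for _, k := range keys {
		evs := groups[k]
		sort.Slice(evs, func(a, b int) bool { return evs[a].When.Before(evs[b].When) })
		j := 0 // left edge of the sliding window
		for i := range evs {
			for evs[i].When.Sub(evs[j].When) > window {
				j++
			}
			if i-j+1 >= threshold {
				alerts = append(alerts, Alert{Host: evs[i].Host, User: evs[i].User,
					Count: i - j + 1, Start: evs[j].When, End: evs[i].When})
				break // one alert per pair; the SIEM would then escalate
			}
		}
	}
	return alerts
}

// SampleLog returns constructed audit lines: a few ordinary edits by one user
// and a burst of 25 renames in 25 seconds by another, the file-system pattern
// a ransomware process produces while encrypting a share.
func SampleLog() []string {
	lines := []string{
		"2017-05-12T09:58:10Z host=ward3-pc07 user=jsmith action=write path=/shares/ward3/notes.docx",
		"2017-05-12T09:59:40Z host=ward3-pc07 user=jsmith action=rename path=/shares/ward3/notes-v2.docx",
		"2017-05-12T10:00:05Z host=ward3-pc07 user=jsmith action=read path=/shares/ward3/rota.xlsx",
	}
	start := time.Date(2017, 5, 12, 10, 0, 0, 0, time.UTC)
	for i := 0; i < 25; i++ {
		lines = append(lines, fmt.Sprintf("%s host=ward3-pc11 user=nurse12 action=rename path=/shares/radiology/scan%02d.dcm.locked",
			start.Add(time.Duration(i)*time.Second).Format(time.RFC3339), i))
	}
	return lines
}

func main() {
	for _, a := range DetectMassModification(SampleLog(), 20, time.Minute) {
		fmt.Printf("ALERT %s/%s: %d modifications between %s and %s\n",
			a.Host, a.User, a.Count, a.Start.Format(time.RFC3339), a.End.Format(time.RFC3339))
	}
}
```

The threshold and window are the part that needs tuning against the organisation's own baseline: backup agents and document-management services legitimately touch many files quickly, so those accounts are usually whitelisted or given a higher threshold rather than having the rule switched off.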
Ensure the trustworthiness and security of third parties
Healthcare companies deal with many third-party vendors. They should all be vetted to make sure they follow security guidelines – otherwise, criminals could have access to healthcare data through them.
Be aware of external hardware
Viruses can be spread through a USB stick or external hard drive. Malware introduced in this way can boot up with a computer, meaning it takes effect before anti-virus has a chance to catch it. Healthcare companies should be aware of every external device introduced into the system.