It’s no exaggeration to say that protecting healthcare organisations from cyber-attacks can be a matter of life and death.
Sean Tickle, Head of CyberGuard Technologies, knows the extent of the challenge and what can be done to protect precious systems and data.
The WannaCry global ransomware attack, which affected 80 hospital trusts and 595 GP practices across England, was arguably the first major wake-up call to healthcare providers.
Although not specifically aimed at the NHS, it resulted in the cancellation of thousands of operations and appointments, reducing staff to using pen and paper or their own mobiles and laptops.
Critical medical devices and equipment – such as MRI scanners and blood test analysis devices – were also affected. Since then, there has been a widespread view that the NHS is vulnerable to other serious attacks. As the Chief Information Officer of the health and social care system, William Smart, said in a review of the incident:
“This disruption to patient care has made it even clearer how dependent the NHS is on information technology and, as a result, the need for security improvements to be made across the service… WannaCry has made clear the need for the NHS to step up efforts with cyber security so that every possible protection is taken to defend against a future attack.”
Rather than impose a ‘one-size-fits-all’ top-down solution, Smart said the answer lay in proportionate measures for individual trusts and organisations to implement. The review found that most trusts that were assessed needed to upgrade firewalls, improve network resilience and segmentation, improve device security through device replacement and automation of patch management, and improve anti-virus protection.
More recent high-profile attacks affecting the healthcare sector include:
- In May 2021, Ireland’s Health and Safety Executive was hit with a malware attack by the hacking group Conti, which claimed to have stolen 700GB of patient data, disabling many computers and devices
- An attack in New Zealand in May 2021, which disabled the information systems of five different hospitals
- In September 2020, some 400 hospitals and healthcare facilities in the United States and UK lost access to patient records, resulting in delayed patient care and ambulances being rerouted, with the disruption lasting three weeks
- An attack in October 2021 on the Hillel Yaffe Medical Centre in Hadera, Israel, where some patients had to be diverted to alternative facilities, according to local media
In addition, the FIN12 cybercriminal group deploying Ryuk ransomware was responsible for around 20% of all ransomware intrusions responded to by Mandiant [2] in the past 12 months, with the healthcare sector being “disproportionately impacted”. According to a new study [3], 81% of UK healthcare organisations suffered a ransomware attack in the past year, with 64% saying they had to cancel face-to-face appointments because of an attack, while 65% believe that a cyber-attack on their systems could lead to a loss of life. Worryingly, in the third quarter of 2021 there was a 30% increase in attacks on the healthcare sector, compared to the previous three-month period.
Against this threat landscape, healthcare organisations are especially vulnerable as there are many potential entry points for attacks. These include:
- Old, unpatched systems (the entry point for the WannaCry attack) and poorly configured cloud storage
- Remote workers vulnerable to identity theft, and firewall configurations that have been relaxed for staff working from home
- External-facing services (such as a VPN) through which organisations allow connections to remote devices
What can be done to guard healthcare organisations against cyber attacks?
If they find they are unable to commit as much resource as needed to defend against cybercrime, NHS trusts and other healthcare organisations are advised to consider outsourcing to a managed security service provider (MSSP).
A reputable MSSP can provide 24/7 security from full-time experts at a lower cost than in-house resources, providing a much faster threat response. But MSSPs offering services to healthcare organisations have to be able to create a bespoke security system that responds to the healthcare workflow and prioritises patient care.
Reducing the vulnerability of healthcare organisations to cyber-attacks must take a multi-angled approach, with the basics including:
- Carry out staff awareness training on phishing, malicious email and social engineering
- Regularly back up files from a known safe state and ensure they are stored offline
- Use a Security Information and Event Management (SIEM) system to increase log retention and availability
- Use an EDR (Endpoint Detection & Response) solution with tamper protection to allow for containment and eradication of active threats
- Create strong access controls and network segmentation for confidential patient and organisational data
- Use multi-factor authentication for all remote access via the internet
Putting trust into cybersecurity
Birmingham Community Healthcare NHS Foundation Trust employs around 5,500 staff across more than 100 community-based services in and around Birmingham. The disparate nature of the workforce and IT infrastructure and a lack of in-depth cyber security knowledge internally made it difficult to effectively implement cyber security measures. With responsibility for implementing cyber security down to each NHS trust, BCHC intended to recruit its own cyber specialists, but a nationwide skills shortage and high salaries meant that it was financially constrained in doing so.
After reaching out to NHS trusts in the region, CyberGuard was engaged by BCHC to assist it in strengthening cybersecurity. The managed security service provider ran a proof of concept for a number of weeks, which enabled BCHC managers to see the security service in action and rigorously test it in situ, before committing themselves. At the same time, a Critical Incident Response Service enabled the investigation of, reaction to and remediation of any threats at source.
Soon afterwards, CyberGuard expanded the scope of the Security Information and Event Management system, to transform communication with the Trust’s existing security products that were active but had not been monitored. This provided a clear picture of any threats and possible attack vectors. Next, a CREST-approved internal and external penetration test on both the standard internet line and the Trust’s HSCN connectivity was carried out, which identified specific flaws and weaknesses.
“Previously, when completing the Trust’s DSPT (Data Security and Protection Toolkit) submission, it was a challenge to tick all of the boxes regarding cyber security,” said Gerard Kilgallon, BCHC’s Head of IT. “Now, the department works well within the spirit of the DSPT and I can confidently assert we’re meeting the criteria, thanks to our CyberGuard partnership. One of the main things for me is a team of highly skilled people at our disposal, a true extension to our team. We even have a WhatsApp group for making urgent contact in the event of an incident. It’s very reassuring at a time when the growth in cybercrime is prolific.”