On the morning of the 12th May 2017, healthcare staff in the UK turned on their workstations to see one of the most sinister messages in cybersecurity pop up on their screens. The message said, “Oops, your files have been encrypted!”. What ensued was a major cybersecurity incident that affected many businesses across the globe and that impacted 34 percent of English NHS trusts. The message was the result of a ransomware infection known as “WannaCry”.
The WannaCry ransomware attack on the NHS was disruptive in the extreme, with operations delayed and medication unable to be dispensed. But it isn’t just cyber-disruption that impacts the healthcare sector. According to data collected over several years by the UK’s Information Commissioner’s Office (ICO) and collated by Egress, healthcare experienced 43 percent of all cyber-security incidents. These data breaches are a costly business for healthcare too. A report by Ponemon and IBM found that healthcare breaches cost at least twice as much as those in other industries, currently costing $408 (approx. £325) per breached record.
Cyber-attacks On Healthcare – A Painful Few Years
The types of cyber-attacks on healthcare vary, but examples show just how painful they have been.
Stolen login credentials and data theft: Phishing is a type of social engineering attack focusing on the human element in cybercrime. NHS staff are targets for phishing, as theft of the right credentials can lead to valuable patient information being exposed. East Anglian Air Ambulance was one such establishment that was targeted by a phishing campaign:
Another phishing-related issue that has an indirect impact on the NHS but a direct impact on patients is the use of the NHS brand by cybercriminals. During a single month in 2017, the National Cyber Security Centre (NCSC) blocked a total of 746,000 phishing emails disguised as official NHS emails. These spoof emails tricked recipients into entering personal data into malicious sites that look like an NHS website.
Ransomware: As mentioned earlier, the attack on the NHS by WannaCry in 2017 caused massive disruption across a number of trusts. A “lessons learned” report by NHS England concluded that:
“Organisations noted that the technical security team, directors and associate directors needed training in cyber incident response, and that there should be ongoing user training for all staff to encourage good security behaviours as well as the reporting of suspicious emails and other threats.”
Distributed Denial of Service (DDoS): A DDoS attack typically overloads websites so they become unavailable. The attack type can also affect other network resources. It also has knock-on effects on the computers or IoT devices that are used to perpetrate the attack: these devices are infected with ‘bot-malware’ that floods the target sites with traffic. Device infection often starts with a phishing email that has a malicious attachment. Verisign found a 53 percent increase in DDoS attacks in Q1 of 2018.
Tips to prevent cybercrime hurting healthcare – Taking your cyber-medication
Tip #1: Patch and update: When malware infects a computer, it exploits flaws in software. The WannaCry attack, malware that steals data and credentials, and bots that cause DDoS attacks all begin with a software flaw that allows infection. It is vital to ensure that your computers and other devices are routinely updated, and that any software patches issued are applied promptly.
Tip #2: Provide security awareness training: The attacks on healthcare have reached crisis point, but one area the extended industry can use to hit back is knowledge. Organisations as wide-ranging as the NHS and IBM are placing cybersecurity awareness training as a high priority in dealing with cybersecurity threats. Security awareness training is backed by the NHS Care Computer Emergency Response Team, CareCERT. Dedicated training on security issues covers the entire gamut of threats that staff face. With proper training, including phishing simulation exercises, employees will be able to spot phishing emails more easily and avoid accidentally exposing credentials and other data.
Tip #3: Ensure robust security measures: Cybersecurity is a double-edged sword that needs to be dealt with as such. It has a human angle and a technical one. Both, together, provide the holistic approach needed to tackle modern cybercrime and prevent accidental insider threats. Healthcare needs healthy technical measures to shore up employee security awareness training. This includes ensuring that data is encrypted both at rest (e.g. in databases) and in transit (e.g. Internet communications are carried out using SSL/TLS). It also includes using robust second-factor authentication to control access to patient data.
Tip #4: Build in BYOD to security policies: Mobile devices are now regularly used in UK hospitals and throughout the sector. As mobile device usage in healthcare accelerates, the cyber-threats come along for the ride. Mobile security issues include insecure Wi-Fi connections, malware-ridden apps, mobile ransomware, and careless sharing of data. Mobile threats and their mitigation need to be high up on the healthcare security strategy.
Tip #5: Vulnerability test and then test again: Penetration testing of IT systems is a way to determine if security gaps exist in your network. If they do, you are forewarned and can close them before they are exploited. But it isn’t enough to just test and run. As you add new cloud apps, mobile devices, or IoT devices to the system, you need to retest. All points within the expanded network are potential ways in. Regular penetration testing will give you foresight of any doors that have been left open.
Cybersecurity: A Dangerous Operation
The healthcare sector offers a vital service that changes people’s lives. It is also an easy access point for a cybercriminal. Healthcare organisations, including hospitals and GP surgeries, are easy targets with limited resources. And they often don’t have dedicated cybersecurity staff available to tackle the everyday issues that cybersecurity threats throw at us. This is why security awareness training for all staff is a vital part of the way we tackle cybercrime and accidental insider threats. The trick is to make sure that staff have the knowledge to make security second nature. This will not only reduce the likelihood of a cyber-threat becoming a cyber-attack, but it will also have a lower impact on their busy and challenging jobs.