With the NHS under unprecedented pressure through the COVID-19 pandemic, Sean Tickle, head of CyberGuard Technologies, looks at why there has never been a greater need for strong cybersecurity in healthcare
Healthcare data is one of the most valuable commodities on the dark web. This is just one of the reasons why, more and more, healthcare organisations are proving to be such attractive targets for ransomware groups. The issue of ransomware has been growing for years, and the current generation of ransomware steals the targeted information before applying encryption to the target’s data systems. Whether the ransom is paid or not, a successful attack gives hackers access to large amounts of highly valuable data. For attackers this is a win-win scenario; they either succeed in getting a lucrative ransom payday or they end up with a valuable resource to sell on the dark web – if not both.
Healthcare and ransomware
Healthcare organisations are often seen as a ‘safer’ payout by many hackers because the ability to provide care is a matter of life and death – literally. Healthcare providers are more likely to pay the ransom to save lives, which are put in real danger by the crippling effects of ransomware. Healthcare organisations also present a more vulnerable target, with often limited security resources and many old, outdated and unpatched systems. This makes for a clear financial incentive for hackers to target healthcare – especially during the stresses of coping with a global pandemic.
Ultimately, we have to remember that these threat actors have an agenda and, for many, that is financial gain. If they can leverage the pressure of a global pandemic to make organisations pay the ransom, they certainly will.
When hit by ransomware, any healthcare provider is faced with a quandary. Government and law enforcement will usually discourage giving in and paying the ransom, because it is important to minimise the hackers’ chances of success wherever possible. However, health organisations have a duty to provide care and protection to their patients, which requires minimising downtime and keeping patient data secure. Although paying a ransom gives no guarantee that the attackers will keep their word and allow a quick return to normal, refusing to pay guarantees a long period of turmoil and disruption to healthcare services, as well as the leaking or sale of patient data to other malicious actors on the dark web.
The current National Crime Agency report on serious organised crime (released in May 2021) states, “Law enforcement does not encourage, endorse, or condone the payment of ransom demands.” But the only recourse the agency gives ransomware victims is “You can report it to Action Fraud at www.actionfraud.police.uk.” This is not a solution to the difficulties faced by healthcare. The only way to fully foil ransomware attacks is to prevent or defeat them before they can infect critical systems.
Preventing ransomware is far easier said than done, especially in the healthcare sector. There are many ways for hackers to target health organisations, with many potential entry points for attacks: old, unpatched systems and poorly configured cloud storage that can be accessed online; remote workers who might provide an initial foothold via identity theft or spear-phishing; ever-present supply chain vulnerabilities; and, most frequently, the external-facing services (such as a VPN) through which organisations allow remote devices to connect to their internal infrastructure.
HSE and New Zealand
A real-world demonstration of the difficulties faced by healthcare has recently played out. In early May 2021, Ireland’s Health and Safety Executive (HSE) was hit with a malware attack by the hacking group Conti. The gang claimed to have stolen 700GB of patient data and many computers and devices were disabled. Conti is a particularly heartless and unscrupulous cyber gang that often targets healthcare; according to the FBI, Conti has targeted at least 16 medical and first response networks in the US in the past year. While they are one of the most prominent current threats, it is also important to remember that they are far from the only ransomware group attacking healthcare.
While the HSE was dealing with the fallout from this attack, a new attack by an as-yet-unidentified cyber gang was unfolding in New Zealand, crippling the information systems of five different hospitals. Both the HSE and the New Zealand health authorities declined to pay the ransom, and in both cases some of the patients’ personal data has already been released by the hackers. These leaks are likely intended to prove the hackers have access to the data and increase the pressure on the healthcare groups to pay the ransom, and may indicate that they intend to sell the data to other criminals or simply release it on the dark web through their own public leak sites.
What can healthcare do?
Healthcare organisations are left in a difficult predicament when responding to a ransomware attack, but preventing such attacks is equally difficult. Cybercriminals and their attacks are only becoming more professional and sophisticated over time, while healthcare is struggling, especially during the Covid-19 pandemic. The UK’s cybersecurity skills gap is perhaps hitting the NHS hardest of all, with its limited budget unable to keep up with the market demand for cybersecurity specialists. A new report published on 7 June 2021 claims that healthcare incidents accounted for 34% of the total number of breaches in 2020: the inevitable result of being a lucrative target that cannot properly protect itself.
Privacy and data protection laws brought in as a response to the growing severity of cybercrime work well in the private sector, since corporations can and do adjust their budgets to meet the needs of compliance. Healthcare, however, often struggles with compliance – it may become a box-ticking exercise for something that interferes with providing vital services. The only way for healthcare to increase security funds is by decreasing funds available for patient care.
Certainly, I believe compliance standards are a good start, but unless there are security operations in effect for these organisations to actively mitigate the threats, it will never be enough.
Compliance as a baseline for security does not work for healthcare. Healthcare cannot afford the resources to hire more security specialists or provide effective internal training. The best solution that exists for many health organisations is to outsource to a managed security service provider (MSSP). A good MSSP provides 24/7 security from full-time experts at a lower cost than in-house security, and provides much faster threat response than any other solution, giving a much better chance of preventing impactful security incidents.
Unique needs demand unique solutions
Even some MSSPs are insufficient for healthcare bodies like the NHS. Healthcare faces unique cybersecurity challenges; the need for security is not based on a bottom line, shareholder expectations or protecting corporate assets. The priority is always to enable and protect effective delivery of care to patients. This means that many ‘off-the-rack’ MSSP services, which will have enterprise and business needs in mind, are not suitable for protecting healthcare organisations while fully enabling the provision of care. Healthcare requires a solution that can respond to its unique needs.
With the NHS under unprecedented pressure because of the Coronavirus pandemic, there has never been a greater need for strong cybersecurity in healthcare. Brands offering MSSP services to healthcare institutions need to create a bespoke security system that is able to respond to the healthcare workflow and prioritise patient care.
Proof of concept is an integral part of our own process, and our recent work with an NHS trust saw us rigorously stress-test the new security system against real-world threats and issues, with successful results allowing one NHS trust to break free of the healthcare-security trap. There is so much potential for MSSP providers to work with NHS trusts and other healthcare organisations in the future to assist them in gaining an unprecedented level of cybersecurity exactly where it is needed.