Compromising hospital networks can “mean loss of lives”

Digital forensics expert Eliza-May Austin speaks to Health Tech World about cyber attacks on healthcare – and their potential danger to life.

Damage and disruption to services is one thing, but the recent cyber attacks on the NHS could easily result in much bigger consequences, according to a digital forensics and cybersecurity expert. 

Eliza-May Austin, who runs Doncaster security firm th4ts3cur1ty.company, said that health professionals should open their eyes to the fact that lives could be at stake.

The NHS was once again hit by a major ransomware attack (August 2022) which caused chaos amongst ambulance dispatch, emergency prescriptions and the 111 helpline. Fears were raised about the safety of patient data and the level of tech security currently in place by the health service.

Hackers have since made financial demands as bosses grapple with the best next move. 

Speaking to Health Tech World, Eliza said the consequences may be bigger than just disruption. 

She said: “There are a number of incentives to attack healthcare, whether it’s damage and disruption to people and services, loss of life or data theft – the medical sector is a highly sought-after industry for exploitation.

“If an attacker were to successfully compromise hospital networks or the systems they rely on there’s a risk that it could lead to a loss of life.”

A responsibility to protect 

Eliza, who trained in digital forensics, also said that cybersecurity staff need to be raising awareness of the issues. 

She added: “Cyber security staff must raise awareness internally by linking the risks to patients and loss of life, making it part of the care of the patient rather than just another hurdle for the nurse or receptionist at the ward desk.

“Systems and networks need to be robust enough that if a system were to be compromised it couldn’t spread easily or affect critical devices. 

“Networks housing sensitive projects and departments should be segregated to allow for immunity in an infection, and taking backups has to be a priority.”

“Persistent and well-funded adversarial nation states may wish to conduct such an attack, gathering data on civilians around blood types and what diseases a population may be susceptible to, is valuable data in the context of a specific demographic.

“Data like this could be used in targeted biological weaponry.”

Patient health, not just data safety, at stake 

Eliza pointed out that another “insidious route of wreaking havoc” is altering data, like the attacks of April 2019 in which malware was developed to add brain tumours into brain scans.

She continued: “This was done as a proof of concept by professionals who wanted to prove it was possible, but imagine how far that could have escalated should nefarious threat actors have been to blame – a healthy patient could be subjected to (disruptions in) chemotherapy or brain surgery.”

Is a ransomware payout necessary? 

“Ideally, it would never get to the point where a company must decide between funding criminal activity, or not.

“Where companies have paid they’ve sometimes not gotten their access back. Sometimes they have, but the data can no longer be trusted and often the same company will get hacked a second or third time because they’ve proven themselves to be a soft touch.

“If companies take a step back and assess their assets to identify what is critical to continuous operations they can start by making backups of those systems. Once they have done that they will need to store those backups away from the originals.

“Sometimes organisations will take a backup and store it on the system where the backup was taken, rendering it useless. They will need to make sure they have a defined incident response plan, so while those backups are being reinitiated to bring systems back online operations can carry on as normal.”

Eliza concluded: “Attacks evolve alongside defenses, however, organisations have got to apply defense-in-depth principles and mitigate the impact as much as possible.”
