Healthcare is under attack and it’s important that companies perform cyber security check-ups writes Ed Williams, EMEA Director of SpiderLabs Trustwave
Last year, the sector was hit by a record-breaking number of cyber crimes and security breaches. This year, the ferocity and intensity of the assault are unlikely to abate, which means immediate action is required, starting with a vulnerability assessment to uncover defensive weaknesses.
Statistics from 2021 make for frightening reading. They also illustrate the chilling amorality of cybercriminals, who chose to ramp up their attacks during a year in which the pandemic placed a huge strain on hospitals. Last year, attacks on the healthcare sector affected more than 45 million people in the US alone – up from 34 million. In the UK, there were 277 incidents resulting in 297 million breached records.
Attackers accessed an unprecedented amount of protected health information, which means they were able to rifle through the most intimate secrets of tens of millions of people. Once this information has been accessed, it could be used for anything from identity theft to old-fashioned blackmail.
The effects of a breach are devastating for the individuals whose data is stolen. Attacks are also reputationally disastrous for the healthcare organisation involved, potentially impacting the trust of its patients, customers and partners. There is also a financial risk because organisations that fail to ensure digital security are likely to be hit with a fine. Private companies may also suffer an impact on their share price as well as the unquantifiable damage caused by a dent in customer confidence.
Healthcare organisations must be sure to have the protections in place. But before putting up their defences, organisations need to identify vulnerabilities and shut them down. This is not a task that can be put off, because if defenders do not find vulnerabilities in their organisation’s security posture now, attackers will be sure to discover them later.
Why Are Criminals Targeting the Healthcare Sector?
To understand how to stop cybercriminals, it is useful to first understand why they seek to attack healthcare organisations. Most threat actors (the name cyber security professionals use to refer to cyber attackers) are motivated by financial gain. There is a smaller proportion that has different aims. Some may simply want to cause damage whilst others work for a nation-state and therefore have a more politically focused goal. Primarily, however, threat actors want to earn money.
The healthcare sector is an ideal place to achieve this ambition. Firstly, there are huge amounts of sensitive data which can be stolen and sold. This data or other critical systems can also be locked down with ransomware, which encrypts and restricts access until a ransom is paid. Or at least that is the claim. There is no guarantee that paying a ransom will be enough to end the attack. The most famous ransomware attack that targeted healthcare in the UK was WannaCry, which reportedly cost the NHS £92 million. In that case, the NHS did not pay a ransom, but the damage and disruption were severe.
Today, the risk to healthcare is growing. Technological dependence is increasing day by day, particularly with the spread of internet-connected medical devices and other technologies linked to the advent of the Internet of Things. The NHS is also moving away from paper-based processes and storing data centrally in projects such as the General Practice Data for Planning and Research (GPDPR), which collects information from GP practices. Central databases are the perfect target for threat actors.
Homeworking has also increased the attack surface exponentially, so we expect to see cyber security issues metastasize in the coming years. We are looking at an emergency in the healthcare sector.
Proactive Cybersecurity Healthcare
An apple a day keeps the doctor away. There is wisdom in this ancient phrase.
If healthcare organisations want to protect themselves from digital threats, they must take small, regular actions – starting today. The first step should be a vulnerability assessment, which should be repeated as often as possible to expose new problems as they emerge.
A vulnerability assessment scans an organisation’s digital infrastructure to find weaknesses. The report produced during this process is a comprehensive rundown of cyber risks. Armed with this information, security personnel can address each vulnerability one by one, and prioritise the most severe. An assessment mimics the way in which attackers probe an organisation’s defences, looking for a way into the network or weaknesses they can exploit.
A vulnerability check can also investigate the patches applied to software to check they are up to date. Unpatched operating systems are an obvious target for attackers because they are not equipped to cope with the latest cyber threats. Other tests include assessments of legacy systems. If an organisation relies on older systems or devices, they too will not have the latest protection.
As recently as 2020, up to half of the computers in the NHS were running old versions of Windows – posing a major cyber security threat. An assessment can provide visibility of the reliance on legacy tech and guide targeted action to secure or, ideally, replace older systems. Visibility of all network-connected devices is also a key part of an assessment. If staff are using insecure devices or home routers to log onto the network, security staff need to know about it so they can intervene and promote safer practices.
Furthermore, assessments can highlight database configuration errors, access control issues, missing patches, and other weaknesses that could result in the leakage and misuse of data. Applications should also be analysed. They should be tested throughout the production and deployment process so that new apps are secure from the moment they are introduced and remain safe throughout their lifecycle. A process called penetration testing conducted by ethical hackers is also especially useful because it mimics the tactics real threat actors use to find vulnerabilities. Once these flaws are identified, they can be fixed.
Assessments can monitor an organisation’s adherence to audit and compliance requirements – which is fundamentally important in the age of legislation like the GDPR. Again, companies should want to find out about any risks of failing to meet compliance requirements and fix problems before they become an emergency.
Better Outcomes for Healthcare
Every doctor is familiar with delivering bad news. Unfortunately, a vulnerability assessment is likely to make for grim reading, as many organisations have a concerning number of weaknesses in their defences. But this information is invaluable. If a patient is found to be suffering from a vitamin deficiency, they are armed with the information they need to address the problem. When an organisation has an honest assessment of its security posture, it can take steps to dress the wounds and fortify defences to provide the most powerful immune response possible. To be forewarned is to be prepared.
Healthcare organisations should not wait to be hacked to find out they have a cyber security problem. A vulnerability assessment is the health check every organisation needs to undergo to be safe in an extremely dangerous era.
RefleXion announces closing of $125M debt facility for expanding cancer treatment
Insider Insight: LifeWIRE founder and Nova Insights Principal, Howard Rosen
Shapeshifting microrobots can brush and floss teeth
Israel: Health tech powerhouse – Special Report
Discovery could inspire new way to detect brain abnormalities
Improving chronic back pain outcomes through superior medical device technology
Grasping tool brings missing sense of touch to keyhole surgery procedures
Insider Insight: Ernst & Young Americas CMO, Dr Yele Aluko
Coding cells for more accurate cell models in neurodegeneration
Scientists engineer synthetic DNA to study architect genes
News1 week ago
Occuity launches new investment round to support product development and capitalise on new opportunity
Insight1 week ago
Insider Insight: Michael Bidu
Opinion6 days ago
Why assistive tech should be ‘only learn once’
Digital health5 days ago
Health Tech World’s mental health podcast picks