Healthcare phishing attacks - Is the NHS next and how can it prepare?

The healthcare sector is vulnerable to cyber-attack, holding a lot of personal data that attackers are increasingly targeting, and the NHS needs to get its defences in place now, says Stuart Robb.

Stuart Robb, CEO, Cyber Security Partners

Today, the majority of GP practices offer online services. Whether it's booking appointments or ordering repeat prescriptions, the move online has helped to streamline processes, benefitting both healthcare professionals and their patients. This year, the UK can expect a further expansion of NHS online services enabling patients to access their records via the internet, including information about medications, allergies, immunisations and test results. As convenient as this may be for all parties involved, there is no denying that it poses a whole new challenge for the NHS in the form of cyber-security.

Healthcare records represent an extremely attractive target for cyber-criminals and recent incidents have highlighted just how unprepared the health industry is to defend against these sinister, and increasingly sophisticated, agents. Last year in the US, hackers accessed over 100 million health records in a series of high-profile attacks. In one case in Maryland, a single phishing email gave criminals access to 25,000 patient records in just one click. The UK certainly needs to make sure it has all the defences necessary to avoid a similar situation in the coming year.

Threats to the data security of organisations like the NHS can have severe consequences if allowed to succeed. Large-scale attacks on company data are the ones we tend to hear about most often. When the Harley Medical Group was hacked back in 2014, potentially revealing the details of 500,000 people considering plastic surgery, the unease spread to a national scale. It was reported that hackers used compromised online enquiry forms to access data, which they planned to use to extort the company and the clients themselves. Yet these entry points are merely the tip of the iceberg for the healthcare industry. For the NHS in particular, the threats may lie in much more targeted attacks on the vast mass of individuals connected to the organisation.

Cyber-criminals are easily able to execute targeted phishing attacks on unsuspecting staff and patients, especially since the move online. For instance, if an NHS patient receives a carefully crafted phishing email offering them cheaper medication, they have no reason to assume there is a sinister undertone, especially if it appears to come from an nhs.uk domain. Likewise, if an employee receives an email from a colleague from their usual domain, which contains seemingly legitimate information, they would be unlikely to question it. Using patients and staff as a means to penetrate security systems is a popular method for cyber-criminals because of its sheer simplicity. It presents an easy way to successfully attack a company because, by and large, patients and staff are unaware they are being targeted. Given that all NHS domains are currently unprotected, the organisation is exposed to a serious level of risk.

Thankfully for the NHS, its most vulnerable target is also its most valuable solution. A consistent level of training and monitoring can significantly lower risk levels where customers and staff are concerned. Creating a human firewall, where employees are trained and vetted around cyber-security, is an effective way to avoid preventable attacks on a basic level. The NHS is particularly vulnerable due to the disparity in cyber-security training and standards implementation across the different NHS Trusts. If it can find a way to make this uniform across all its organisations, the NHS will be in a much stronger position to deflect attacks.

Of course, there will always be an element of human error involved in cyber-attacks. For this, technology is available for companies to utilise for free. DMARC authentication works by determining the source of an email; if an email does not align with what the receiver knows about the sender, it is flagged and can be binned before it reaches the victim's inbox. Currently, the adoption rate of DMARC is worryingly low. Recent research by Cyber Security Partners reveals that only three percent of the FTSE 250 currently use DMARC to reject and quarantine illegitimate emails being sent to their customers on their behalf. The NHS must be much smarter given the huge number of individuals that pose easy targets for phishing attacks and the vast amount of sensitive data at stake. Education is essential but it is certainly not enough in isolation.

NHS hospitals are a prime target for cyber-attacks and, while they have so far done well to stay out of the media, their vulnerability makes them a sitting duck for attackers. It is only a matter of time before cyber-criminals attempt to exploit the NHS on a large scale, assuming it hasn't already happened without public knowledge. The NHS needs to remain rigorous with its prevention strategies and have a formalised and clear continuity plan. If simple changes are put in place, such as the implementation of water-tight cyber-security software, our healthcare service, which is such a fundamental part of our infrastructure, can prevent the catastrophic cyber disturbances it has been lucky to avoid for so long. Large-scale cyber-attacks are being organised as we speak; let's not wait for the explosion to take place before taking cover.

Contributed by Stuart Robb, CEO, Cyber Security Partners