NHS still a sitting duck for cyber-criminals

Deficient security monitoring, legacy systems and inadequate investment in security mean that even after WannaCry, the NHS remains vulnerable to cyber-attacks

The UK’s National Health Service has borne the brunt of several cyber-attacks, the biggest being WannaCry, which cost the NHS £92 million. With deficient security monitoring, legacy systems and inadequate investment in security, the NHS is still a sitting duck for cyber-criminals, according to new research.

The report from Imperial College London, which collated evidence from NHS organisations and examples of previous attacks in the UK and across the globe, said more investment is urgently needed. 

The WannaCry attack in 2017 locked out staff in 34 NHS trusts from accessing patient data and critical services. Thousands of appointments were cancelled, and in some cases patients were diverted to other hospitals. However, the new report warns that the WannaCry attack was relatively crude and unsophisticated, and that the number and sophistication of attacks on the NHS is rising.

"Since the WannaCry attack in 2017, awareness of cyber-attack risk has significantly increased. However we still need further initiatives and awareness, and improved cyber-security ‘hygiene’ to counteract the clear and present danger these incidents represent," Dr Saira Ghafur, a co-author of the paper, said in the ICL announcement.

According to the Identity Theft Resource Center (ITRC), USA, there were 363 cases of data breaches globally in medical and healthcare organisations in 2018, exposing 9,927,798 documents.

"Healthcare institutions are seen as softer targets as not only are these systems just as rich with data as the traditional targets but security often lags due to the focus on, in the case of healthcare, patient care over IT," said Anna Russell, VP at comforte AG.

IoT devices running outdated software give attackers a porous network to get into. Recent research by Check Point singled out ultrasound machines as a particularly vulnerable entry point.

"By some estimates, 87 percent of healthcare organisations will have adopted IoT technologies by the end of 2019 and there will be almost 650 million IoMT devices in use by 2020," said the Check Point report. Cyber attacks on hospitals occur on an almost weekly basis, it added.

"Anything that is online is essentially fallible to breach, including backup and data stores. The first rule of cyber-security is to accept that a breach is likely and not live with the idea that you're infallible," said John Gillan, UK country manager of Cohesity.

"Organisations the scale of NHS update their technology with a view to it lasting longer than enterprise businesses. When they update their technology and storage infrastructure, security that is able to change and evolve must be built into the core of it," he said. 

Medical insurance and allied financial companies are another hot target for hackers. The UK’s Financial Conduct Authority (FCA) recorded 819 cyber-crime incidents in 2018, 21 percent of which were caused by third-party failure.

EMIS, a major NHS outsourcer, announced in 2018 that it would move the records of 40 million patients onto the cloud using Amazon Web Services.

"Fixing such a large infrastructure is no easy task and it's not an issue that can be resolved simply by throwing money at the problem. Rather, this is an instance where we see an organisation that has neglected its security culture for a long period of time," said Javvad Malik, security awareness advocate at KnowBe4.

"That doesn't mean making security issues black and white or introducing friction into processes which could end up adversely impacting patient safety. It means creating an environment and technology choices that encourage and push towards better security and risk decisions being made both from the medical staff on the front lines and all the back end support," he added.

Training employees to spot suspicious emails, follow best practice around USB drives and personal devices, and avoid using personal email on work devices is also critical, said Cohesity’s Gillan.

"The majority of security breaches are still down to human error. Technology can play a key part in a security defence, obviously so. But if employees are making basic mistakes, the technology aspect is always going to be on the backfoot," he said.
