Over the past two decades, cyber-attacks have morphed from a minor nuisance to a business-critical threat. But for healthcare organisations (HCOs) the threat is not just financial — a serious attack could have a knock-on effect that disrupts key frontline services and patient care. The sector has long been a target for hackers: in fact, two-thirds (67%) of UK HCOs are said to have experienced some form of cybersecurity incident last year. But today, NHS staff have an even harder job: dealing with the tremendous strain of battling Covid-19 whilst combating an uptick in cyber-attacks designed to capitalise on the pandemic.
The answer is to focus on best practice cybersecurity steps, where possible, to improve IT hygiene and reduce the attack surface.
Old and new
The current pandemic is a crisis few if any NHS staff will have ever encountered before. Already beset by funding challenges and staff shortages, the health service has responded superbly thanks to the hard work, dedication and passion of its workforce. Yet as the curve begins to show the first signs of flattening, it’s clear there’s still a long way to go before the crisis is behind us. That means attention must be paid not just to the physical world but also the threat from cyberspace.
Despite a five-year government pledge of £250 million for NHS cybersecurity, gaps remain. No two NHS organisations are the same, and NHS IT systems are often a mix of old and new. Some operating systems may even be out-of-date and no longer receive vendor patches. This exposed key systems to the WannaCry ransomware worm of 2017, which ended up causing disruption at a third of trusts in England and costing £92 million.
A large, distributed workforce makes it even harder to manage risk, while newer, connected IoT devices increase the attack surface of HCOs further. Cyber-criminals are attracted to the sector by the wealth of valuable patient data held by organisations, and the likelihood that they will have to pay up if struck by a serious ransomware attack taking out critical services.
Unfortunately, in many cases it is these black hats who have reacted quickest. Phishing emails are among the most potent threats: they feed off social engineering tactics to trick the user into following a malicious link or opening a booby-trapped attachment. Covid-19 works against HCOs two-fold here: it provides the lure which invites the user to click through, perhaps in the form of a spoofed document from the WHO or DHSC, and it has stretched healthcare staff to the limit, so they may be more distracted and less discerning in the decisions they make online.
A single misplaced click on such an email could provide hackers with privileged account credentials, or covertly install ransomware, crypto-mining malware or other threats. Ransomware is particularly dangerous given the impact it could have on critical IT systems. INTERPOL was recently forced to issue a Purple Notice warning HCOs of the threat. Prolific phishing-borne malware like Trickbot and Emotet is adept at exploiting the unpatched systems common in the NHS to download second-stage threats like this.
IT staff must also be aware that their remote access infrastructure is increasingly being targeted by hackers, whether via RDP brute forcing or exploitation of vulnerabilities in VPNs and Citrix ADC/Gateway products. Any of these routes could lead to critical ransomware outages. That’s not to mention vulnerabilities in connected medical devices, which are increasingly popular in the sector. These could be exploited to crash critical systems like pacemakers, insulin pumps and electrocardiograms. Even nation state attackers are targeting HCOs via suppliers of OT systems, the FBI has warned.
For those still unsure of how much damage a breach or ransomware outage could really do, take a look at a 2019 US study. It found an increase in the 30-day mortality rate for heart attacks at hospitals that had suffered a data breach. It warned that its findings “suggest that ransomware attacks might have an even stronger short-term negative relationship with patient outcomes.”
Time for action
Taking on such threats will be a challenge for IT security teams already drafted in to support remote working, and who may be working from home themselves. But it’s essential. Best practices that can help here include implementing a least-privilege policy on web servers, and a demilitarized zone (DMZ) between corporate systems and web-facing applications. HCO IT teams should also consider disabling remote access to administration panels as well as avoiding the use of default authentication credentials. The use of a reverse proxy to restrict accessible URLs to only trusted sources is recommended.
This is just a start. But making their organisation a more difficult target could be enough to persuade attackers to try their luck elsewhere. As long as the health service is battling the current crisis, that would count as a win.