Cyber security in health and care: Time to rethink good practices?

By Andrew Kays, Chief Operating Officer, Socura

Cyber threats can cause major disruption and financial loss for any organisation. But clearly, when we’re talking about the health and care sector the stakes are even higher. The past year has shown us that cyber criminals have no qualms about launching life-threatening attacks on hospitals and clinics across the globe. Vulnerable patients are in harm’s way and advanced tactics, techniques, and procedures (TTPs) are filtering down to more threat groups. We’re witnessing a new era in cyber risk for health and care organisations (HCOs).

There’s no silver bullet answer here, but a focus on good cyber-hygiene will go a long way. Expertise in threat detection and response is vital too, whether you’re able to source that in-house or by partnering with a trusted expert.

The threat landscape is changing

HCOs aren’t just faced with individual cybercrime groups. They’re taking on a cybercrime economy said to be worth trillions. This provides threat actors with a ready-made market on which to sell stolen data, as well as a place to buy or hire the skills and tools they need to launch attacks. There’s a high risk of data theft, given how valuable patient information can be on underground sites. According to IBM’s Cost of a Data Breach report, the sector has consistently ranked number one over the past five years as suffering the most expensive incidents. Today, global HCOs are faced with an average breach cost of over $7.1 million (£5.2m).

Yet increasingly, the threat of data breaches is converging with that of ransomware. Today, many groups are using techniques more commonly associated with advanced persistent threats (APTs) to compromise their targets and monetise attacks. They may perform reconnaissance for months before striking, and use legitimate Windows features like WMI and PowerShell, as well as commonly available tools like Cobalt Strike, to move laterally inside networks, steal data and achieve persistence. The final ransomware payload can be delayed until the point at which the extortionists believe it will cause maximum disruption.
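The tradecraft described above (PowerShell abuse, WMI-driven lateral movement, the delayed payload) is exactly what continuous monitoring is meant to catch before the extortionists are ready to strike. As an added illustration that is not part of the article or of Socura's tooling, the Python below runs a handful of detection rules over constructed process-creation records. The record fields (`host`, `user`, `parent`, `image`, `cmdline`) and the sample events are assumptions for this example, loosely modelled on Sysmon / Windows 4688-style process telemetry rather than any product's real schema; the host names and users are made up.

```python
"""Added example (not from the article): simple detection rules for the
PowerShell / WMI lateral-movement tradecraft the article describes, run
over constructed process-creation events.

Field names and sample data are assumptions for this example only."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real events). A nurse's workstation
# opens a document, the document spawns an encoded PowerShell command, and
# the attacker then uses wmic to start processes on two servers.
SAMPLE_EVENTS = [
    {"host": "WS-012", "user": "nurse.a", "parent": "explorer.exe",
     "image": "winword.exe", "cmdline": "winword.exe /n patient_letter.docx"},
    {"host": "WS-012", "user": "nurse.a", "parent": "winword.exe",
     "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "WS-012", "user": "nurse.a", "parent": "cmd.exe",
     "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:SRV-PACS-01 process call create "cmd.exe /c whoami"'},
    {"host": "SRV-PACS-01", "user": "svc_wmi", "parent": "WmiPrvSE.exe",
     "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "SRV-EHR-02", "user": "admin.b", "parent": "services.exe",
     "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS-012", "user": "nurse.a", "parent": "cmd.exe",
     "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:SRV-EHR-02 process call create "powershell.exe -enc ..."'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts abbreviated switches, so match -e / -ec / -enc as well.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
WMI_NODE = re.compile(r"/node:(\S+)", re.I)


def _low(event, key):
    """Lower-cased field value, empty string if absent."""
    return event.get(key, "").lower()


def rule_ps_encoded_command(e):
    """PowerShell launched with an encoded (base64) command line."""
    return (_low(e, "image") in {"powershell.exe", "pwsh.exe"}
            and ENCODED_FLAG.search(e.get("cmdline", "")) is not None)


def rule_office_spawns_shell(e):
    """An Office application spawning a shell: classic macro/phish foothold."""
    return _low(e, "parent") in OFFICE_APPS and _low(e, "image") in SHELLS


def rule_wmi_remote_exec(e):
    """wmic used to start a process on another host (lateral movement)."""
    c = _low(e, "cmdline")
    return _low(e, "image") == "wmic.exe" and "/node:" in c and "process call create" in c


def rule_wmiprvse_spawns_shell(e):
    """The receiving side: the WMI provider host spawning a shell."""
    return _low(e, "parent") == "wmiprvse.exe" and _low(e, "image") in SHELLS


RULES = {
    "ps_encoded_command": rule_ps_encoded_command,
    "office_spawns_shell": rule_office_spawns_shell,
    "wmi_remote_exec": rule_wmi_remote_exec,
    "wmiprvse_spawns_shell": rule_wmiprvse_spawns_shell,
}


def match_rules(event):
    """Names of all rules that fire on a single event, sorted for stable output."""
    return sorted(name for name, fn in RULES.items() if fn(event))


def detect(events):
    """Per-event alerts: one entry for every event that triggers at least one rule."""
    alerts = []
    for idx, e in enumerate(events):
        hits = match_rules(e)
        if hits:
            alerts.append({"index": idx, "host": e["host"], "image": e["image"], "rules": hits})
    return alerts


def lateral_fanout(events, threshold=2):
    """Hosts that used wmic to reach at least `threshold` distinct targets.

    A single remote execution may be an admin; one source fanning out to
    several servers is the pattern the article's 'move laterally' refers to."""
    targets = defaultdict(set)
    for e in events:
        if _low(e, "image") == "wmic.exe":
            for t in WMI_NODE.findall(e.get("cmdline", "")):
                targets[e["host"]].add(t.strip('"').upper())
    return {h: s for h, s in targets.items() if len(s) >= threshold}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['host']}] {a['image']}: {', '.join(a['rules'])}")
    for host, nodes in lateral_fanout(SAMPLE_EVENTS).items():
        print(f"lateral fan-out from {host} -> {sorted(nodes)}")
```

The per-event rules flag the individual steps, while `lateral_fanout` correlates across events so that a single remote command (which an administrator might legitimately run) is not alerted on, but one workstation reaching several servers is. Real deployments would feed the same logic from a SIEM or EDR rather than an in-memory list, and would tune the thresholds and allow-lists to the organisation's own admin practices.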

A deadly impact

While the attacks on HCOs have been mostly occurring in the US so far, it’s probably only a matter of time before we see them emerging in the UK. Scores of US hospitals were hit by this type of attack last year, including several by the same group in a 24-hour period. The worst-case scenario has not yet been realised, but it is getting closer. In Germany last year a woman passed away after being forced to re-route to a different hospital due to a ransomware attack, although it was later judged that she would have died anyway.

Sometimes data theft alone could expose vulnerable patients to extreme distress. After a data breach at a Finnish psychotherapy clinic, patients were blackmailed by online extortionists asking for Bitcoin payments to keep their private case files secret. The clinic was actually a public health sub-contractor, highlighting the extended cyber risk facing HCOs from their partners.

Health and care is changing

The UK’s health and care sector has of course recognised these emerging risks. But there are challenges that may cause roadblocks to an effective response. One is investment in cyber security: currently at around 2%, it ideally needs to double. The ability to attract staff to work in the public versus private sector is a challenge given that the latter is usually able to offer higher salaries. Finding the right skills to protect and architect solutions for legacy and emerging operational technologies (OTs) will become increasingly challenging. In addition, certain functions can be particularly expensive to maintain in-house, such as the 24/7/365 threat detection and response needed to mitigate the more advanced cyber risks.

COVID-19 has placed yet more challenges in the way for health and care cyber security bosses. In any IT organisation, day-to-day tactical firefighting usually trumps longer-term strategic planning, and so it has been with the all-hands-on-deck approach to the pandemic. IT and security staff have been drafted in to support remote workers, and the reconfiguring of hospitals to increase intensive care facilities. While this is absolutely vital, it has come at the expense of more strategic projects.

Time for cyber hygiene

Given these challenges, how can health and care IT security bosses respond? A great place to start is the Data Security and Protection (DSP) Toolkit: a self-assessment initiative which allows organisations to measure performance against the National Data Guardian’s 10 data security standards. It’s also mandatory for all organisations with access to NHS data, which will help spread security best practice across the supply chain.

Combined with the Government’s Cyber Essentials Plus scheme, it provides a fantastic foundation for HCOs to improve their so-called “cyber hygiene”. Simple steps like prompt patching, using strong passwords and two-factor authentication, and anti-malware on all machines and devices, can have a major impact on cyber risk levels. In fact, it’s been claimed that they could protect organisations from 80% of attacks.

However, it’s virtually impossible to stop a determined attacker from breaching your cyber defences. In those instances, continuous monitoring and threat detection and response are essential to spotting and dealing with attacks before they’ve had a chance to impact the organisation. Outsourcing this function may be your best bet, as it means the organisation can benefit from the economies of scale a partner can provide. Expert third parties can also leverage valuable additional insight into the threat landscape from their other clients.

The NHS is rightly focused on COVID-19 right now. But building cyber security for the post-pandemic world will certainly be one of the key challenges in the future.
