Nigel Thorpe, technical director at SecureAge, looks at why an increase in cyber-attacks on healthcare is causing a lack of trust and says it's time for a new approach
Cyber-attacks on the healthcare sector are nothing new, and the infamous WannaCry ransomware attack in 2017, which disrupted more than a third of NHS Trusts, was a massive wake-up call for public and private healthcare providers. But during the pandemic, attacks from cybercriminals surged. The UK's National Cyber Security Centre (NCSC) and NHS Digital responded to more than 200 major cyber-attacks related to Covid-19 in the first months of the pandemic.
In the US, the Healthcare Information and Management Systems Society (HIMSS) reported that 70% of hospitals it surveyed experienced a significant security incident in 2020. Ransomware, botnets, remote code execution and distributed denial-of-service (DDoS) attacks were the most common incidents faced by healthcare organisations. According to the German federal government, the number of successful cyber-attacks on German health service providers more than doubled in 2020 compared to 2019. French media also reported a rapid increase in major attacks against health institutions, and Ireland's healthcare system was targeted in recent months, with IT systems shut down at the Department of Health after a ransomware attack.
This is all leading to a lack of trust. In a recent Imperva survey of over 6,700 consumers, just 33% said they trust healthcare organisations to keep their data safe.
Reasons to be fearful
There are many reasons why healthcare organisations are a target for cyber-attackers, but the main attraction is the sheer amount of confidential patient data and financial information held in one place. This data is worth a lot of money to attackers, who can ransom it or sell it on for identity theft and phishing. Then there is the problem of legacy systems, exposed dramatically by the WannaCry attacks. Many healthcare organisations have limited budgets and focus resources on clinical technology rather than back-end systems, and while legacy systems may appear to do the job, an unpatched legacy host is a risk to the whole network, not just to itself.
Collaborative working is key to effective healthcare, but it means that a huge amount of information, in many different structured and unstructured forms, is generated and accessed by staff in different locations. Connecting to the network remotely from new devices is risky: if just one endpoint is compromised, it can provide a back door into the whole network. Then there is the human factor, without doubt the weakest link in any organisation's security. Healthcare organisations invest in security awareness training, but someone somewhere is always going to click on a malicious link or open a rogue document.
The traditional way to mitigate these risks is to try to identify and then block malicious activity, using anti-virus software and more recent techniques such as threat intelligence, endpoint telemetry, zero trust and user behaviour analytics. But all of these depend on recognising the attack, and cybercriminals have a habit of staying one step ahead: while anti-malware vendors race to keep up, mainstream security is always one step behind.
So, why bother trying to identify anything malicious? A better way is simply to block every unauthorised process from executing. In a healthcare environment there is generally no reason for a previously unknown executable or script to run, so if it is not on your list of authorised processes it should simply be blocked. It is a bit like the bouncer on the door: if you're not on the list, you won't get in. The list has to cover scripts as well as binaries, because interpreters such as PowerShell and cmd.exe are themselves legitimate, authorised programs, and a macro running inside an authorised application is not a new process; the control bites at the moment the macro tries to drop or launch something that is not on the list. Using this approach, the recent ransomware attack on the Irish Health Service Executive, which began with a single user opening a malicious Microsoft Excel file attached to a phishing email, would have been stopped at the point where the attackers tried to run their own tools, before any damage was done.
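The bouncer rule, written out as a default-deny allowlist evaluator. This is an added example and not SecureAge's product or any real operating-system control: the process-creation events, the file contents being hashed, the image names and the approved backup script are all constructed for the illustration. It goes slightly beyond the paragraph by also hashing the script handed to an interpreter, since cmd.exe and powershell.exe are on every realistic list and would otherwise become a universal bypass.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ProcessEvent is a simplified process-creation record. The byte slices
// stand in for the contents of the files involved; a real agent would hash
// the image on disk before the kernel maps it. Constructed model for this
// example, not a real OS or EDR event format.
type ProcessEvent struct {
	Parent      string // image name of the parent process
	Image       string // image name about to execute
	ImageBytes  []byte // contents of the executable (constructed sample data)
	ScriptBytes []byte // contents of a script handed to an interpreter, nil if none
}

// Decision is the verdict for one event.
type Decision struct {
	Allowed bool
	Reason  string
}

// Policy is a default-deny allowlist keyed by SHA-256 of file contents.
type Policy struct {
	allowed map[string]string // content hash -> human-readable label
}

func NewPolicy() *Policy { return &Policy{allowed: map[string]string{}} }

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Allow registers a known-good executable or script by its contents.
func (p *Policy) Allow(label string, contents []byte) { p.allowed[hashOf(contents)] = label }

// Decide applies the bouncer rule: if the hash is not on the list, the
// process does not run. Interpreters are legitimately on the list, so the
// script they are asked to run is checked against the same list.
func (p *Policy) Decide(ev ProcessEvent) Decision {
	imgHash := hashOf(ev.ImageBytes)
	label, ok := p.allowed[imgHash]
	if !ok {
		return Decision{false, fmt.Sprintf("%s -> %s: executable hash prefix %s not on allowlist",
			ev.Parent, ev.Image, imgHash[:12])}
	}
	if ev.ScriptBytes != nil {
		sHash := hashOf(ev.ScriptBytes)
		if _, ok := p.allowed[sHash]; !ok {
			return Decision{false, fmt.Sprintf("%s -> %s (%s): script hash prefix %s not on allowlist",
				ev.Parent, ev.Image, label, sHash[:12])}
		}
	}
	return Decision{true, fmt.Sprintf("%s -> %s (%s): allowed", ev.Parent, ev.Image, label)}
}

// Constructed stand-ins for file contents; real hashes come from the actual
// binaries and scripts approved for the estate.
var (
	excelImage      = []byte("EXCEL.EXE sample contents")
	cmdImage        = []byte("cmd.exe sample contents")
	powershellImage = []byte("powershell.exe sample contents")
	backupScript    = []byte("Copy-Item C:\\Clinical\\*.hl7 \\\\backup\\nightly")
	droppedPayload  = []byte("MZ... attacker loader written to %TEMP%")
	macroCommand    = []byte("start \"\" %TEMP%\\x.exe")
)

// DemoPolicy builds the allowlist a hospital estate might ship with.
func DemoPolicy() *Policy {
	p := NewPolicy()
	p.Allow("Microsoft Excel", excelImage)
	p.Allow("Windows command interpreter", cmdImage)
	p.Allow("Windows PowerShell", powershellImage)
	p.Allow("approved nightly backup script", backupScript)
	return p
}

// DemoEvents replays, in order: a normal Excel launch, an approved scheduled
// script, then the two things the phishing scenario in the text needs next:
// running a command from the malicious document and running a dropped binary.
func DemoEvents() []ProcessEvent {
	return []ProcessEvent{
		{Parent: "explorer.exe", Image: "EXCEL.EXE", ImageBytes: excelImage},
		{Parent: "svchost.exe", Image: "powershell.exe", ImageBytes: powershellImage, ScriptBytes: backupScript},
		{Parent: "EXCEL.EXE", Image: "cmd.exe", ImageBytes: cmdImage, ScriptBytes: macroCommand},
		{Parent: "EXCEL.EXE", Image: "x.exe", ImageBytes: droppedPayload},
	}
}

func main() {
	p := DemoPolicy()
	for _, ev := range DemoEvents() {
		d := p.Decide(ev)
		fmt.Printf("%-5v %s\n", d.Allowed, d.Reason)
	}
}
```

The first two events pass, the two that the malicious spreadsheet needs are denied, and note that cmd.exe itself is never the problem: it is the unapproved command it was handed that fails the check. In production the same shape is provided by Windows AppLocker or WDAC and by fapolicyd on Linux, and the hard part is curating the list, not evaluating it.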
Beating ransomware criminals at their own game
The mainstream approach to preventing data theft is to layer up defences to stop cyber criminals from getting in. But a compromised user account passes all of these tests, granting the 'authorised' user easy access to data, which can be pulled to the endpoint and then stolen by copying it out of the organisation.
Full disk encryption is frequently used to mitigate this problem because it encrypts the whole device. That is fine if you lose your laptop, but on a running system the disk layer hands decrypted data to every process that asks for it, and since a remote attacker steals data from running systems, full disk encryption cannot prevent this kind of theft. The answer is to encrypt all your data, all the time. To work, full data encryption must be just as transparent and easy to use as full disk encryption, and data must stay encrypted at rest, in transit and in use, no matter where it gets copied, including when it is stolen. The crucial difference is that the decision to decrypt is made per file and per requesting process or user, rather than once for the whole disk at boot, so an unauthorised process that copies a file gets ciphertext. This way, if cybercriminals steal data it is useless to them, because they cannot decrypt it: reverse ransomware, you might say.
This approach also avoids the cost and hassle of deciding whether data is sensitive or not. Rather than categorising data into different levels of sensitivity and treating each differently, all data is treated as sensitive. With the technology and processing power available today, encrypting everything at file level is a seamless and affordable way to protect data. Security is most effective when it is applied as close to the source as possible, and you can't get closer than the data itself.
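The per-file model from the two paragraphs above, as an added example that is not SecureAge's implementation or any real filesystem driver: each file is sealed with AES-256-GCM, the file layer decrypts only for a caller it regards as authorised, and every other caller receives the bytes as they sit on disk. The `Caller` type, the `DemoKey` derivation and the sample patient record are assumptions constructed for the illustration; a real deployment would hold per-user or per-device keys in a key manager or hardware store rather than deriving them from a label.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Caller identifies who is asking the file layer for bytes. Only an
// authorised caller is given the key; every other caller (a backup agent,
// a hijacked session, an attacker's tooling) gets the ciphertext exactly as
// it sits on disk. Constructed model for this example, not a real driver.
type Caller struct {
	Name       string
	Authorised bool
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile seals plaintext under AES-256-GCM. The result, nonce || ciphertext || tag,
// is what is written to disk, synced, backed up, or exfiltrated.
func EncryptFile(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptFile opens a stored file; a wrong key or a single flipped byte
// fails authentication and yields an error, never garbage plaintext.
func DecryptFile(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored file too short to contain a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// ReadFile is the file layer's answer to a read request. With full disk
// encryption every caller would get plaintext here; with per-file encryption
// only an authorised caller does. The flag reports whether the caller holds
// plaintext.
func ReadFile(key, stored []byte, c Caller) (data []byte, plaintext bool, err error) {
	if !c.Authorised {
		return stored, false, nil // the copy leaves as ciphertext
	}
	pt, err := DecryptFile(key, stored)
	if err != nil {
		return nil, false, err
	}
	return pt, true, nil
}

// DemoKey derives a fixed key from a label, for this example only.
func DemoKey(label string) []byte {
	k := sha256.Sum256([]byte("demo-only:" + label))
	return k[:]
}

func main() {
	key := DemoKey("ward-7-clinician")
	record := []byte("patient record 0001: constructed sample text") // constructed
	stored, err := EncryptFile(key, record)
	if err != nil {
		panic(err)
	}
	for _, c := range []Caller{{"clinical app", true}, {"exfil tool", false}} {
		data, isPlain, err := ReadFile(key, stored, c)
		fmt.Printf("%-13s plaintext=%v err=%v first bytes=%q\n", c.Name, isPlain, err, data[:8])
	}
	_, err = DecryptFile(DemoKey("attacker guess"), stored)
	fmt.Println("wrong key:", err)
	stored[len(stored)-1] ^= 0x01 // attacker edits the stolen copy
	_, err = DecryptFile(key, stored)
	fmt.Println("tampered:", err)
}
```

The authorisation decision in `ReadFile` is the whole point: if that check were missing, per-file encryption on a running system would behave exactly like full disk encryption and hand plaintext to whatever asked. The authenticated mode also means a stolen file cannot be silently altered and re-planted, which matters once the ciphertext is the artefact that moves around.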
Adopting this data-centric approach would make a big difference, and at a time of global conflict and geopolitical instability, robust security is more important than ever. The UK's NCSC is calling for "increased cyber-security precautions", particularly for critical national infrastructure, while US President Joe Biden has called on private companies and organisations in the US to "lock their digital doors" against possible Russian cyber-attacks. Data-centric security goes to the heart of the problem by securing data against theft and ransom.