Healthcare organisations are under attack from ransomware groups as healthcare data is a valuable commodity on the Dark Web. Whether the ransom is paid or not, the current generation of ransomware steals the targeted healthcare and patient information before applying encryption to the target’s data systems. So, a successful attack gives hackers access to large amounts of highly valuable healthcare and patient data, which they can then sell on the dark web.
But why are healthcare organisations such a popular target for hackers? Simply put, the ability to provide healthcare and to have the right patient care information available is a matter of life and death, which makes those organisations attractive targets: they are more likely to pay the ransom demand in order to save lives.
Too often healthcare organisations have old, outdated or limited security resources, which gives hackers a clear financial incentive to target them. When hit by ransomware, any healthcare provider is faced with a quandary as they have a duty to provide care and protection to their patients, which requires minimising downtime and keeping patient data secure. So, although paying a ransom gives no guarantee that the ransomware attackers will keep their word and allow a quick return to normal, refusing to pay guarantees a long period of turmoil and disruption to healthcare services, as well as the potential leaking or sale of patient data on the dark web.
Preventing ransomware is far easier said than done though, especially in the healthcare sector. There are many ways for hackers to target health organisations, with many potential entry points for attacks: old, unpatched systems and poorly configured cloud storage that can be accessed online; remote workers who might provide an initial entry point via identity theft or spear-phishing; ever-present supply chain vulnerabilities; and, most frequently, the external-facing services (such as a VPN) through which organisations allow remote devices to connect to their internal infrastructure.
A real-world demonstration of the difficulties faced by healthcare
Ireland’s Health and Safety Executive (HSE) was hit with a malware attack by the hacking group Conti in May 2021. The gang claimed to have stolen 700GB of patient data, and many computers and devices were disabled. According to the FBI, Conti has targeted at least 16 medical and first response networks in the USA in the past year, but they are not the only ransomware group attacking healthcare organisations and the industry as a whole.
While the HSE was dealing with the fallout from this attack, another cyber attack was unfolding in New Zealand, crippling the information systems of five different hospitals. Both the HSE and the New Zealand health authorities declined to pay the ransom, and in both cases some of the patients’ personal data has been released by the hackers. These leaks are likely intended to prove the hackers have access to the data and increase the pressure on the healthcare groups to pay the ransom. It is also an indication that the attackers intend to sell the data to other criminals or simply release it on the dark web through their own public leak sites.
What can healthcare do?
Healthcare organisations are left in a difficult predicament when responding to a ransomware attack, but preventing attacks is equally difficult. Cybercriminals and their attacks are only getting more professional and sophisticated over time, while healthcare is struggling, especially during the Covid-19 pandemic. The UK’s cybersecurity skills gap is perhaps hitting the NHS hardest of all, with its limited budget unable to keep up with the market demand for cybersecurity specialists. A new report published on 7 June 2021 claims that healthcare incidents accounted for 34% of the total number of breaches in 2020: the inevitable result of being a lucrative target that cannot properly protect itself.
Privacy and data protection laws brought in as a response to the growing severity of cybercrime work well in the private sector, since corporations can and do adjust their budgets to meet the needs of compliance. Healthcare, however, often struggles with compliance, which can become a box-ticking exercise that interferes with providing vital services. The only way for healthcare to increase security funds is by decreasing the funds available for patient care.
Healthcare cannot afford the resources to hire more security specialists or provide effective internal training. The best solution available to many health organisations is to outsource to a managed security service provider (MSSP). A good MSSP provides 24/7 security from full-time experts at a lower cost than in-house security, and provides much faster threat response than any other solution, giving a much better chance of preventing impactful security incidents.
NHS use of MSSP to break free of the healthcare-security trap
Even some MSSPs are insufficient for healthcare bodies like the NHS. Healthcare faces unique cybersecurity challenges; the need for security is not based on a bottom line, shareholder expectations or protecting corporate assets. The priority is always to enable and protect effective delivery of care to patients. This means that many ‘off-the-rack’ MSSP services, which will have enterprise and business needs in mind, are not suitable for protecting healthcare organisations while fully enabling the provision of care. Healthcare requires a solution that can respond to its unique needs.
With the NHS under unprecedented pressure because of the Coronavirus pandemic, there has never been a greater need for strong cybersecurity in healthcare. Brands offering MSSP services to healthcare institutions need to create a bespoke security system that is able to respond to the healthcare workflow and prioritise patient care.
Proof of concept is an integral part of our own process, and in our recent work with an NHS trust we rigorously stress-tested the new security system against real-world threats and issues, with successful results that allowed the trust to break free of the healthcare-security trap. There is great potential for MSSP providers to work with NHS trusts and other healthcare organisations in the future, helping them gain an unprecedented level of cybersecurity exactly where it is needed.
Author: Sean Tickle, Head of CyberGuard Technologies