The second wave of coronavirus has crippled our lives as we strive to create a vaccine against this deadly pandemic. In such a troubled time, bad actors remain busy in targeting the healthcare sector, which is already struggling with multiple challenges and issues.
On the one hand, hospitals have been inundated with an unprecedented spike of people being admitted en masse. On the other hand, their systems have now become the latest preying ground for cybercriminals across the globe who want to capitalize on this precarious situation.
In recent years, the number and severity of cyber-attacks against health and social care systems and hospitals have significantly gone up, compromising the health information of millions of people not just in the UK but worldwide.
In May 2017, the WannaCry ransomware program encrypted data and files on 230,000 computers in 150 countries and devastated the NHS.
The WannaCry attack was not, however, targeted at the NHS, though it was allegedly state-sponsored. Other major organizations were also affected, including Telefonica, FedEx, Nissan, Russian Railways, and the Bank of China. Yet the most significant impact was undoubtedly felt by the NHS.
While WannaCry was a wide-ranging attack that happened to impact health systems, including the NHS, in 2018, hackers specifically targeted the Singapore healthcare group SingHealth. They stole critical information of more than 1.5 million patients.
The threat to patients would have been even more significant if data had been subtly manipulated, for example, changing a patient's blood type in the Electronic Health Record, without being detected.
This opportunity to manipulate data at will highlights that any cyber-attack in healthcare is a threat to patient safety, and it became apparent how vulnerable healthcare is to any cyber-attack.
The NHS cares for over 1 million patients every 24 hours in 236 trusts (comprising acute and specialist hospitals, community service providers and ambulance services) and 7,454 GP practices. The NHS in England employs just over 1 million full-time equivalent staff (not including those working in general practice).
The NHS system is devolved, meaning that there are thousands of different networks running locally. The NCSC and CISA, so-called watchdog organizations of their respective countries, continue to see indications that Advanced Persistent Threat (APT) groups are exploiting the COVID-19 pandemic as part of their cyber operations.
These security agencies have foiled several cyber campaigns targeting organizations involved in giving the response to coronavirus. Most healthcare organizations in the UK are contributing to curb the spread of COVID-19 amid increasing cases. There, such cyber campaigns highlight the apparent failure to address cybersecurity measures in the sector.
Cybersecurity Situation in the UK Healthcare Sector
In a joint advisory in the recent past in the UK, NCSC and CISA have indicated strong possibilities that 'Advanced Persistent Threat' (APT) groups can target healthcare bodies to collect personal information. The National Cyber Security Centre disclosed in its annual review that over a quarter of all cyber incidents detected in the UK involved criminals and hostile states exploiting the coronavirus pandemic.
Precisely, out of 723 incidents detected in London in the year to September, 194 or 27% are related to coronavirus.
The NHS, along with health systems across the world, is becoming ever more reliant on technology to deliver safe patient care. There are exciting innovations that have the promise to change the way care is provided and offer new treatments and discoveries. Some of these technologies, such as artificial intelligence (AI) and robotics, are in use at relatively small scale and in some trusts. The challenge will be to adopt technologies safely and securely and appreciate the emerging cybersecurity challenges that become more apparent as these technologies are more commonplace.
Suppose a method of assuring the cybersecurity of connected medical devices can be achieved by an organization. In that case, it will be possible to deliver a fully integrated and scaled ecosystem of connected medical devices across healthcare providers and patients.
If no concerted efforts are carried on, and adoption of medical devices continues at pace and scale, there could be a mass introduction of poorly regulated or unsecured medical devices that are hyper-connected and vulnerable to a cyber threat.
Ever since breach reporting has become mandatory in the UK, the number of breaches reported to the Information Commissioner’s Office (ICO) has kept on increasing steadily. Security agencies have identified many malicious activities targeting national and international healthcare bodies, research firms, and pharmaceutical companies.
Mostly, these activities aim at collecting information related to the coronavirus outbreak and patients’ information. Hackers get an advantage of the vulnerable and poorly secured connected devices that fetch and transmit the patient’s data. Also, a complex clinical process, which remains highly vulnerable to such breaches can be a major cause of the attacks.
Ransomware, password spraying, phishing emails, etc. are some of the most notorious techniques used for a data breach in the healthcare sector.
How can the Healthcare Sector Address Heightened Cyber Threats?
Any incident of a data breach or a cyber-attack can come at a very high cost for all stakeholders within the healthcare industry. It is, therefore, essential for health and social care organizations to ensure that the health and care system nationally, regionally, and locally is equipped to withstand and respond to cyberattacks in an effective manner which minimizes disruption to services and, most importantly, impact on the patients.
Some key priorities which organizations and not just from the healthcare industry can imbibe on their journey to cyber resilience.
Awareness: All organizations need to develop and promote a deepened sense of security culture and ensure that the message being disseminated is that cybersecurity is not an 'IT/Helpdesk' problem, but a safety concern of the vulnerable.
There is an imminent need to improve individual, organizational and system-wide awareness of future threats, vulnerabilities, and the potential impact of cybersecurity incidents.
Education: At the heart of cybersecurity are people. Consequently, this recognizes the importance of training and development as a countermeasure against the cyber threat. An event may range from internal phishing attacks to test the awareness of staff to the danger of opening spam email, through to specific training associated with the
management of cyber incidents. Leaders must take information governance and data security as a core part of training and support their staff in reaching the desired higher levels of competence.
management of cyber incidents. Leaders must take information governance and data security as a core part of training and support their staff in reaching the desired higher levels of competence.
Governance: The Information Governance Playbook should be updated to support and underpin the new standards. There is a need for supporting better decision-making, maintaining trust in the system and ensuring organizations meet their responsibilities to provide clarity around responsibility, accountability and authority.
Maintain good practices: Best practices for the use or technology and infrastructure should be included in the training and governance of not only new employees but of all stakeholders, including third-party partners in the healthcare sector.
Secure infrastructure: Organisations must ensure they have robust perimeter security (firewalls), effective protective monitoring (intrusion detection), incident management, end-point protection and networks that are designed to support robust cybersecurity from the outset; all systems must be secure by design, not as an afterthought. Good cybersecurity 'hygiene' is also vital: effectively managing access and privileges, ensuring an appropriate level of encryption, utilizing multi-factor authentication and ensuring systems are regularly patched and updated.
Business Continuity: All organizations must be able to safely and effectively function not only in a BAU condition but even whilst under cyber attack. Therefore, all data and systems must be securely backed-up and disaster recovery processes tested to ensure that the backup is isolated and cannot be erased or tampered with and is in HA (High Availability) mode all the time.
As other organizations across the world have learnt, no establishment, however secure as they seem can be completely immune from a cyber-attack. As we move to a 'new world order' the occurrence of cyber-attacks across the UK economy and across will only keep on increasing and also, a one-size-fits-all approach will not work across health and social care. As apocalyptic as it may sound - it is not a question of "if" but "when" the next cyber-attack strikes the health and social care system.
Sattrix, a renowned and reputed Managed Security Service Provider (MSSP) is one such organisation which is spearheading the fight against cyber-attacks with the bevvy of products and services tailored appropriately and proportionately to suit the scale of the health and social care sectors across the globe. With its associations with the industry's leading OEMs, its partners and its expertise in AI&ML based solutioning, Sattrix is uniquely placed to deliver trust and confidence in the services they offer thereby ensuring and enabling their customer's to increase cyber resilience across the system.