Diagnosis Cyber: The Cyber Threats to Healthcare
By Olly Jones – PGI Cyber
The Cyber Threats to Healthcare took another twist as news emerged this week that a virus had infected the network of the Northern Lincolnshire and Goole NHS Foundations Trust (NLAG), forcing it to shut down computers in two hospitals and cancel operations across Lincolnshire. While the antenatal clinics, chemotherapy treatments and emergency departments remained open, a major incident was declared. Operations and outpatient appointments were cancelled for a 48-hour period to enable IT staff to investigate and remove the malware. While the majority of systems have now been reportedly restored, details of the malware or whether this was a specifically-targeted attack against NLAG are limited.
This is just one of many examples of the cyber threat facing the healthcare sector. It emerged as a significant cyber security risk in 2016 and research from IBM has revealed that the healthcare industry became the most-attacked sector in 2015. The Information Commissioners Office (ICO) has also recently reported that half of all UK data breaches reported to the ICO in the final quarter of 2015 came from private or public health organisations.
So Why is Healthcare Such an Attractive Target?
- The healthcare sector is increasingly targeted due to perceived poor cyber defences and the large amount of sensitive data it holds. Health data, much of which remains valid (and therefore potentially exploitable) for years, contains valuable personal information which some suggest can be 10 times the value of a stolen credit-card information.
- Continued budgetary constraints often results in many healthcare providers having computer networks based on outdated, legacy systems. Recent research identified that at least 42 NHS trusts in the UK still run Microsoft’s now-outdated Windows XP operating system and NHS Digital admitted that 15 per cent of Windows installations in the sector are on XP. The healthcare sector also includes many small companies who generally lack the financial resources and technical expertise to update legacy systems or implement robust cyber security strategies.
- The nature of the sector means that lives are literally at stake. If a critical system is compromised with ransomware, with a time-restricted deadline before critical data is potentially lost, it is unlikely that victims will wait for a technical solution to be found rather than just paying the ransom. Cybercriminals are acutely aware of this which is why the sector is being so aggressively targeted.
What Are the Threats?
Reports of UK entities being targeted thankfully remain rare, but the highest profile healthcare victim to date was the Hollywood Presbyterian Medical Centre in Los Angeles. After a ransomware infection forced the hospital to shut down all of its computers and revert to using fax machines and paper records for a week, the centre reluctantly paid $17,000 (£12,000) in Bitcoin ransom to hackers to end the crisis and protect their patient records. Regrettably, paying this ransom set a precedent that this form of cyber-extortion works and, following publication of this case, many copycat-style attacks occurred in California, Indiana, Kentucky and Maryland.
Hacking Health Equipment
Any headline-grabbing media stories relating to healthcare almost always includes a feature about medical equipment being hacked and the associated risk to life. Security researchers have demonstrated it is possible to gain access to critical medical devices, and although part of the threat exists from actors wishing to steal the technology behind the equipment, the main perpetrators are most likely to be cybercriminals whose main incentive is money. They are unlikely to have the motivation or intent to conduct attacks that would directly lead to the loss of life.
What Does This Mean for the UK?
The UK healthcare sector faces significant cyber security challenges, complicated by the 100,000 or so different authorities, public and private bodies that make up the sector. This is compounded by government plans to digitise the NHS and become paperless by 2020. A perceived lack of understanding of the threat and a shortage of both funding and experienced information security staff to help protect outdated systems is also a significant challenge.
The decision whether to spend already tight budgets on new security technology is clearly difficult, but cyber security solutions do not have to be expensive. By separating critical medical devices for patient care from general networks, implementing a regular patching regime and educating network users to prevent the potential infection of malware, the cyber risk can be significantly reduced.
For more information about their capabilities just click the button below: