Kirsten Bay, CEO and President, Cyber adAPT, explains why the healthcare industry needs to solve its cyber skills gap - fast.
Security nightmares came true last year when the NHS fell victim to the WannaCy cyber attack. According to a report by the National Audit Office (NAO), IT systems at 81 Trusts were affected; with 37 locked out of systems and asked to pay a ransom for restored access.
While it may seem that such a devastating disruption of critical services could only be a one-off, chaos is likely to strike again for two reasons.
First, healthcare is an especially attractive target for cyber criminals due to the sensitive personal data held about patients. As WannaCry demonstrated, these criminals have no qualms about putting lives on the line. Second, technical defences are not up to scratch. After completion of the report, NAO head Amyas Morse stated that the attack: “could have been prevented by the NHS following basic IT security best practice.” It appears the NHS is no exception to the growing cyber skills gap placing many organisations at risk.
This raises a vital question: how can the NHS - and healthcare industry as a whole - protect itself from future attacks?
Digital jeopardy: the growing threat
Cyber crime is rising across industries. Last year, the Crime Survey for England and Wales revealed there had been over three million cases of digital fraud and a further two million of computer misuse in just 12 months: an 8% annual increase. Note that this study only covered successfully detected instances; not the many others that often slip through the net unnoticed.
The scope of attacks is expanding too. Criminals used to set their sights on obtaining valuable physical items, yet the high value of data means it is now a prized asset. In a world where almost everything is connected and dependent on data, information has become crucially important - and this means it can be sold or ransomed for high prices.
The WannaCry attack is a prime example of the harm criminals can do by controlling access to essential data. In addition to the vast operational confusion highlighted by the NAO - which included the cancellation of 19,500 appointments, computer access denial at 600 GP surgeries, and ambulance diversions at five hospitals - WannaCry also created significant costs for the NHS with a windfall for its perpetrators. Ransom notices issued to victims demanded payment of between $300 and $600 (£224 and £448) to unlock devices and regain data, generating an estimated £100,000 worldwide. However, because of the turmoil caused throughout the NHS, its expenses are projected to be much greater: responding to a written question posed in parliament, Thurrock MP Jackie Doyle-Price, commented; “the identifiable cost of emergency measures put in place to specifically address the NHS ransomware attack on 12 May 2017 was approximately £180,000.”
Moreover, given the desirability of medical data as a profitable commodity - which can be sold on the black market multiple times over - organisations like the NHS are likely to be subject to continual cyber crime schemes. Unless, that is, they improve their defences.
Pinpointing and plugging vulnerabilities
The NHS is no stranger to taking hygiene precautions in its operations, and managing online networks should be no different; every aspect of security operations must be carefully inspected and any hazards quickly removed.
It is imperative to monitor organisational networks as a whole, to establish how, and where, data flows. This is a particular priority in the Internet of Things (IoT) era, as the increasing use of web-enabled devices adds yet more connections - and potential gateways for attackers - to already vast networks.
With that in mind, let us take a look at the vulnerabilities of the ever-growing NHS system.
The perils of network innovation
IoT has created diverse new opportunities for the NHS. In 2016, NHS England began a series of initiatives in conjunction with IoTUK; an integrated, three-year, £40 million Government project aimed at boosting IoT adoption. Dubbed the ‘Test Bed’ programme, the plan includes the provision of remotely connected devices that will allow patients with dementia to stay in their own homes for as long as possible, and for closer physiological observation of diabetics.
Other exciting prospects are emerging for wearable IoT technologies, including the creation of a direct link between patient and healthcare systems, as well as helping with tasks such as clinical diagnosis, patient monitoring, streamlining workflow, and managing medication. In fact, a study conducted by the Centre for Economic and Business Research (CEBR) estimates that by 2020, IoT will generate 13,000 extra UK healthcare jobs and increased use will provide a national economic benefit of £4.8 billion for the sector.
But, while these steps undoubtedly bring value to the NHS and its patients, they also present higher risks to network security. With greater connectivity comes a higher chance of dangers such as medijacking: a term that describes the act of breaking into and taking control of smart medical equipment. This process poses a sizeable threat to patient and network safety. For instance, in early 2017, medical device manufacturer St. Jude had to patch defibrillators and pacemakers after it discovered attackers could take control of them to cause shocks or disable implants. And, at one Austrian hospital, patients took the unexpected step of hacking equipment themselves to adjust their pain medication; leading to overdoses that triggered respiratory problems.
Appropriated technology is not the only issue; there is also what criminals can do with data extrapolated from IoT devices. If they are able to view NHS files, they can sell this data through nefarious channels; enabling third parties to access patient records and even medical services on a black market. This might include using services they are not entitled to and obtaining drugs prescribed for other people; causing harm to both individuals and the NHS.
How can cyber attackers be tackled?
Despite its daunting reach and reputation, the good news is that cyber crime can be fought. Organisations simply need to change their approach to network protection.
The truth is that IT professionals simply cannot fortify perimeters against every possible attack as they did with technologies such as firewalls, Virtual Private Networks (VPNs), and Network Access Controls (NACs). Today’s sprawling networks are too large and fragmented to precisely plot or secure: especially in the healthcare sector, where connected machines and employee - and patient - devices create a vast number of end points for criminals to target.
Consequently, these ‘edgeless networks’ are frequently infiltrated via unmapped entryways. Some are so tangled that threats can spread through them unseen for up to 200 days; doing plenty of damage before they are discovered.
Fortunately, however, technology is adapting to meet the challenges of modern networks. Harnessing advances in artificial intelligence (AI), tools are changing to focus on detection, identifying unusual changes in data flows and alerting IT teams for further scrutiny. This represents a shift from older methodologies which focused purely on protection, to identify threats that have already made their way into networks and neutralise them before they can begin to fulfil their intended purpose.
However, upgrading technology alone is not sufficient to keep healthcare services safe; employees must be vigilant in helping to avoid cyber attacks in the first place.
Filling the skills gap
Healthcare urgently needs to fill its cyber security skills gap by educating all employees about the dangers of cyber crime. In fact, as a system breach can put the delivery of life-saving services in jeopardy, it is arguable that training on how to deal with technological disasters should be prioritised alongside teaching individuals the correct method of approaching medical crises.
Thus, IT leaders must look at enhancing team members’ knowledge and abilities in various areas, including; fraud identification, reporting malware, the pros and cons of connected devices, and responding to ransomware. This is in addition to improving the education of team members on what they need to do to comply with the law - for example, how organisations must report a relevant data breach to the authorities within 72 hours under the new EU General Data Protection Regulation. Taking into account the rapid evolution of cyber crime, training should be provided regularly - at least once a year - to ensure employees are updated on current threats, and detection techniques.
Internal practices must also be reviewed. For example, IT policies must be frequently adjusted by security experts and configured to focus on pinpointing the breaches that may have already taken place rather than trying to stop attacks completely. What is more, resources should be allocated to make sure employees have the time and tools needed to keep systems up-to-date: a move that will help to avoid the Microsoft Windows oversights that fuelled WannaCry’s impact on the NHS.
A final, yet essential, measure is the consideration of smart cyber security technology. While implementation will require investment - and possibly the assistance of outside organisations to support IT managers - it is also likely to save costs in the long run. Machine learning and artificial intelligence can help reduce expenditure on hiring new employees to fend off cyber security threats while keeping a close eye on what goes on within networks; something that large organisations, such as healthcare providers, often find challenging. It is also worth noting that the sheer scale of potential patients at risk could make the outlay on universal information security defences a wise investment.
The value of data will continue to rise as it becomes ever more crucial to core services, and so will the threat of cyber crime. In the immediate future, we can be relatively certain that the next WannaCry attack is just around the corner, which means organisations must increase their knowledge of how they can protect themselves against attacks. And they need to do it fast.
With lives at stake, healthcare providers such as the NHS have the most critical need to shore up systems, prevent cyber criminals from launching attacks, and detect attackers that may already be inside the network. To achieve this, they will need to take an approach that accommodates the frequency of breaches and the vast intangibility of networks. That, in turn, means they should recognise skills and security gaps, and equip teams with the understanding and means to stay continually sage.
