In this week’s blog post Teiss Head of Consulting Jeremy Swinfen Green ponders why the NHS is such a target for hackers.
According to Experian’s Annual breach industry forecast 2017, healthcare organisations will be the most targeted sector during 2017. While the NHS wasn't specifically targeted in last Friday's ransomware outbreak, it has certainly shown how vulnerable it is to cyber attacks.
The NHS is rightly concerned to keep patient data secure and confidential. The “poster child” of medical cyber breaches was perhaps the Anthem data breach in 2015 where around 80 million sets of medical records were compromised in the USA. The NHS has suffered similar problems, often through the accidental loss of equipment.
Data loss can have a direct impact on patient health if, for instance, important data such as test results are lost. It can also have an effect on the data subjects, resulting in them being targeted by scams or even having their identity stolen. This is well recognised and is why Amber Rudd, the Home Secretary, continually stressed that patient data hadn't been stolen.
But it isn’t just data loss that is the problem. Cyber attacks can badly damage the operational efficiency of hospitals. And that is what we have seen over the last few days.
Last October Northern Lincolnshire and Goole NHS Foundation Trust was infected with malware that left the trust’s systems down for 4 days. Some 2800 appointments were cancelled as a result.
And earlier this year the UK’s largest hospital trust, Barts Health, was also taken offline for 4 days while its systems were cleaned after a Trojan was downloaded.
And now we have WannaCry.
Why is the NHS so prone to data breaches?
The NHS is a major target for cyber crime
The NHS is a major target for cyber crime. Why is this? Some analysts would say that it is because medical data is so valuable.
And indeed it used to be the case that medical data was ten times the value of credit card data. This was in part because medical data could be used to steal people’s identities. But it was also because medical data could be used to make extremely profitable invoice frauds.
However the value of medical data is dropping fast and you can now buy sets of data on the dark web for as little as $1.
In part this is because the market is saturated. By some estimates around half of the US population’s medical records have been stolen and are available online.
But it is also because there is an easier way to make money: ransomware.
The rise of ransomware
Criminals use ransomware to extort payments from organisations who need to regain access to their data and IT systems. For health organisations losing access to patients’ data can literally be a matter of life and death.
The sensitivity of NHS organisations to ransomware attacks makes them an ideal target for criminals. And a Freedom of Information (FoI) request from NCC Group has revealed that almost half of NHS trusts (28 out of the 60 trusts who replied to the request) admitted that they were victims of a ransomware attack in the year to April 2016.
And of the other 32 respondents only one said that they hadn’t been infected that year. The other 31 simply refused to say.
The cause of the problem
Why is ransomware (and other cyber attacks) such a problem for the NHS?
It is partly (as with any organisation) because for most people in the NHS security isn’t their job. Busy doctors and nurses have plenty of other things to think about than cyber security. Indeed, it is likely that most regard it as a problem for IT security specialists just as they have their own medical specialities.
This opinion will be reinforced if those medical staff are not getting appropriate cyber security training. And it appears they are not. The website Business Reporter has written that “approximately 70 per cent of (NHS) Trusts said they had limited training programmes if any in place to safeguard organisational information, including patient records, for staff using personal devices”.
This problem is made worse by the presence of so many agency staff who inevitably will have less cyber security training. Stories of passwords taped to screens or computer mice are common: it’s not really laziness but rather the prioritising of operational efficiency at the expense of security.
Another factor is that NHS trusts (and the NHS itself) are complex organisations that involve many disparate entities communicating with different (or absent) security protocols – which gives hackers plenty of opportunity.
And then there is also a common lack of cyber security competence – research last year in the USA found that 40% of acute health providers were not encrypting data at rest and 30% were not encrypting it in transit. These are basic defence practices that are being neglected. Note that encryption addresses the lost-laptop type of breach mentioned above, not ransomware: ransomware simply encrypts or deletes whatever the compromised account can reach, so encryption is a complement to the backup discipline discussed below, not a substitute for it.
This is made worse by obsolete equipment and operating systems. Sometimes the reason for old equipment is the cost of upgrading; other times it is the need to preserve old data on old systems (and a reluctance or inability to transfer it to newer systems). Whatever the reason, again cost and operational efficiency such as access to data is being prioritised over security.
And this really is a problem. According to reports, an FoI request from Citrix in 2016 found that 90% of NHS hospitals still had machines running Windows XP, which Microsoft stopped supporting in April 2014. This is a basic failure: an unsupported operating system receives no security patches, and running one makes a hospital ineligible for the UK Government’s Cyber Essentials scheme, which requires software to be supported and kept up to date.
Defending against ransomware
Given these weaknesses ransomware attacks on the NHS are set to continue causing problems.
So what should be done?
If we accept that they are going to be difficult to prevent (although education, up-to-date software and basic defences would help massively to prevent them) then the focus has to be on resilience after falling victim to an attack.
Resilience could involve simply paying the ransom. But this is hardly an appropriate tactic for organisations funded by public money, and payment gives no guarantee that the criminals will actually hand over a working decryption key. In any event continued capitulation to the criminals’ demands would inevitably result in the ransom demanded increasing.
Rather, the tactic should be adequate backups. This is never easy and has to involve a number of different techniques, which could include:
- automatic online backups, with backups of those backups (held in secure locations that are GDPR compliant, of course)
- layered backups taken at different intervals (e.g. daily, weekly and monthly) so that if a particular backup fails (perhaps because it has been infected by ransomware) there are earlier versions that can be used
- manual backups of key information held behind an “air gap”, so that the backups can be scanned and cleaned without the danger of “command and control” traffic activating the ransomware
- key data (e.g. data required for surgery due to happen in the next week) kept offline as well as online
- the use of different backup locations for different data sets so that corruption of 100% of the data is less likely
As well as taking effective backups, it is important to test them regularly by actually restoring data and rebuilding systems from them, so that rapid restoration can be delivered without undue damage to operational efficiency. A backup that has never been restored is an assumption, not a recovery plan, and a backup whose contents have been altered after it was written (because the ransomware reached the backup store) needs to be detected before it is relied on.
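As an added illustration of the layered and tested backups described above, the following is example code written for this edit, not code from the original post or from any NHS system. It keeps the newest daily snapshots plus one per week and one per month (so an older clean copy survives when recent ones are compromised), and checks each snapshot against the manifest of hashes recorded when it was written, returning the newest snapshot that still verifies. The snapshot dates, file names and file contents are constructed for the demo.

```python
"""Added example, not code from the original post: a simple
grandfather-father-son retention policy over backup snapshots, plus an
integrity check that finds the newest snapshot still matching its manifest.
Snapshot dates, file names and contents below are constructed for the demo."""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Snapshot:
    taken: date
    files: dict      # path -> bytes as stored in the backup (stand-in for files on disk)
    manifest: dict   # path -> sha256 recorded when the backup was written


def make_snapshot(taken: date, files: dict) -> Snapshot:
    # The manifest is computed at backup time and stored with the snapshot;
    # any later change to the stored files will no longer match it.
    return Snapshot(taken, dict(files), {p: sha256(c) for p, c in files.items()})


def select_for_retention(snapshots, daily=7, weekly=4, monthly=12) -> set:
    """Dates to keep: the newest `daily` days, the newest snapshot in each of
    the last `weekly` ISO weeks, and in each of the last `monthly` calendar
    months. A snapshot survives if any tier wants it (the layered backups)."""
    newest_first = sorted({s.taken for s in snapshots}, reverse=True)
    keep = set(newest_first[:daily])
    weeks, months = {}, {}
    for d in newest_first:
        weeks.setdefault(d.isocalendar()[:2], d)    # first hit per week is its newest day
        months.setdefault((d.year, d.month), d)     # likewise per month
    keep.update(list(weeks.values())[:weekly])
    keep.update(list(months.values())[:monthly])
    return keep


def verify_snapshot(snap: Snapshot) -> list:
    """Paths whose stored content no longer hashes to the manifest value,
    e.g. because ransomware reached the backup store after it was written."""
    return sorted(p for p, h in snap.manifest.items()
                  if sha256(snap.files.get(p, b"")) != h)


def latest_clean(snapshots):
    """Restore candidate: the newest snapshot that passes verification.
    This is the 'earlier version that can be used' from the list above."""
    for s in sorted(snapshots, key=lambda s: s.taken, reverse=True):
        if not verify_snapshot(s):
            return s
    return None


def build_demo():
    """Constructed data: one daily snapshot from 2017-03-14 to 2017-05-12,
    with the two newest snapshots' stored files overwritten after the fact."""
    snaps = []
    day = date(2017, 3, 14)
    while day <= date(2017, 5, 12):
        files = {"patients/bloods.csv": b"nhs_no,result\n" + str(day).encode(),
                 "theatre/list.txt": b"surgery list for " + str(day).encode()}
        snaps.append(make_snapshot(day, files))
        day += timedelta(days=1)
    for s in snaps[-2:]:                      # simulate encrypted backup files
        for p in s.files:
            s.files[p] = b"\x00encrypted\x00" + s.files[p]
    return snaps


if __name__ == "__main__":
    snaps = build_demo()
    print("retain:", sorted(str(d) for d in select_for_retention(snaps)))
    print("tampered in newest snapshot:", verify_snapshot(snaps[-1]))
    print("newest clean snapshot:", latest_clean(snaps).taken)
```

Run against the constructed data, the policy keeps 10 of the 60 daily snapshots (7 dailies, the last 4 week-ends and the month-ends back to 31 March), and the restore check skips the two tampered snapshots and picks 10 May. In a real deployment the manifest would be written to a separate, write-once location, since a manifest that sits beside the files it describes can be rewritten by the same attacker.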
As well as backing up data, organisations should consider whether equipment such as MRI scanners needs to be constantly connected to the Internet. An Internet connection has many benefits for medical machinery: it allows remote servicing of equipment, the sharing of utilisation data and the communication of test results. But it is debatable whether these machines need constant connections. Perhaps a regime of regular connections, say at the end of each working day, combined with ad hoc connections when remote servicing is required, would decrease the vulnerability of these machines to cyber attacks. The caveat is that the connection window is only one exposure: a scanner that is off the Internet but still on the hospital network can be reached by malware that has already infected a neighbouring PC, so the machine needs to be separated from general hospital systems as well.
Ransomware is likely to be a problem for a considerable time and will never be particularly easy to manage. But it should be less of a problem than it is for the NHS, and some basic cyber hygiene would make a huge difference. That will only happen once the NHS as an organisation accepts that data security is just as important as patient safety.
Image under licence from thinkstockphotos.co.uk copyright Ruben Pinto