News emerged last week that a virus had infected the network of the Northern Lincolnshire and Goole NHS Foundation Trust (NLAG). While antenatal clinics, chemotherapy treatments and emergency departments remained open, operations and outpatient appointments across Lincolnshire were cancelled for 48 hours to enable IT staff to investigate and remove the malware. Details of the malware type, and of whether this was an attack specifically targeted at NLAG, remain limited.
The healthcare sector faces significant cyber security threats, and IBM research revealed that it became the most-attacked sector in 2015. The Information Commissioner's Office also recently reported that half of all UK data breaches reported to it in the final quarter of 2015 came from private or public health organisations.
Reports of UK entities being targeted remain rare, but the highest-profile healthcare victim to date was the Hollywood Presbyterian Medical Centre in LA, where a ransomware infection forced the hospital to shut down all its computers for a week. The centre reluctantly paid the attackers $17,000 (£12,000) in Bitcoin to end the crisis and protect patient records. Regrettably, this set a precedent that cyber-extortion works and, following publication of this case, many copycat-style attacks occurred throughout the US.
Hacking Health Equipment
Media stories often feature sensationalist headlines of medical equipment being hacked and researchers have demonstrated it is possible to gain access to some devices. Although a threat exists from actors wishing to steal the technology behind medical devices, the main perpetrators are most likely to be cybercriminals whose main incentive is money. They are unlikely to have the motivation or intent to conduct attacks that would directly lead to the loss of life.
Why Target Healthcare?
The healthcare sector is increasingly targeted due to perceived poor cyber defences and the large amount of sensitive data it holds. Health data, much of which remains valid (and potentially exploitable) for years, contains valuable personal information which some suggest can be up to 10 times the value of stolen credit-card information.
Continued budgetary constraints often result in healthcare providers running outdated computer networks, and recent research identified at least 42 NHS Trusts still using Microsoft's Windows XP. NHS Digital have also admitted that 15% of Windows installations in the sector are on XP. The healthcare sector also includes many small companies that generally lack the financial resources and technical expertise to update legacy systems or implement robust cyber security strategies.
The nature of the sector means that lives are literally at stake. If a critical system is compromised with ransomware which threatens to delete critical data within a strict deadline, it is unlikely that a healthcare authority will wait for a technical solution rather than just paying the ransom. Cybercriminals are acutely aware of this which is why the sector is being so aggressively targeted.
What about the UK?
UK healthcare faces significant cyber security challenges, complicated by the 100,000 or so different authorities and public and private bodies that make up the sector. This is compounded by government plans to digitise the NHS and become paperless by 2020. A perceived lack of understanding of the threat, and a shortage of both funding and experienced information security staff to help protect outdated systems, is also a significant challenge. The decision whether to spend already tight budgets on new security solutions is clearly difficult, but cyber security does not have to be expensive. By separating critical medical devices used for patient care from general networks, implementing a regular patching regime and educating network users to prevent malware infections, the cyber risk can be significantly reduced.
(Source: PGI Cyber)