This May, over 300,000 computers across 150 countries including Russian, Taiwan, Ukraine and India were attacked and compromised by the WannaCry ransomeware, which demanded that users pay to restore access to their files.
While this caused panic and outrage globally, the UK faced a more frightening problem still - of all the organisations hit by the attack, the National Health Service faced the worst consequences.
Hospitals and GP surgeries across England and Scotland were forced to cancel appointments and turn away patients, advising people to only seek medical care in emergency cases. While the NHS has recently committed to a more connected and data-led approach, healthcare staff reverted to using paper, pens and their own mobile browsers to complete their work while the National Cyber Security Centre (NCSC) investigated the attack.
Connected hospitals and electronic health systems have answered overburdened health organisations’ calls for a more efficient and productive infrastructure. However, our reliance on such technologies has made them an attractive prospect for cybercriminals.
Cyber attacks are constantly evolving, with even the most up-to-date cybersecurity systems sometimes failing to take into account new malware developments. In order for healthcare organisations to continue to take full advantage of big data and connectivity, all staff need a thorough grasp of how to spot, avoid and respond to cyber crime.
What is a cyber attack?
Cyber attacks are socially, politically or financially motivated attacks on data, carried out via the internet, often with far-reaching consequences. Targeting the general public as well as national and private organisations, these criminal attacks rely on malicious programs to access personal or institutional information.
Targeted attacks are those geared toward specific organisations and services, essentially vandalising their digital property in order to cause panic and disruption. Often cybercriminals will follow such attacks with a demand for money, knowing that without access to their systems, organisations will quickly fall into chaos.
Advanced persistent threats (APT) are likewise targeted, and carried out continuously over a longer period of time, attacking public servers and sites online while also manipulating users through phishing emails and similar scams. In such cases, the disruption can seem unending, as every time the organisation regains access to one aspect of its systems, a simple human error such as clicking on a malicious link can bring them back to square one.
Why is healthcare a cyber crime target?
While the WannaCry Ransomeware’s main objective was extorting money from individuals and organisations, the targeted attack on the NHS seems to go against this motive, as there are far more wealthy and obvious UK organisations to blackmail in this way.
However, the healthcare sector is classified as national critical infrastructure, meaning that is is essential to the wellbeing of citizens. By attacking such systems, hackers can guarantee causing national chaos, leading security organisations to hypothesise that such attacks are a form of digital terror.
Furthermore, healthcare’s increasing reliance on technology makes it a sitting duck for attacks, with connected and wearable devices generating a constant stream of personal information, which is then stored and analysed centrally. For a hacker, this presents a number of ways to access the central infrastructure, including mobile applications and the ever-expanding Internet of Medical Things.
With connected devices such as smart sensors, pacemakers and wearable monitors giving patients increased access to central healthcare systems, the infrastructure in decentralised, meaning that a hacker can tap into data via such device with relatively little chance of discovery until their aims have been achieved.
What is the risk?
Cyber attacks aren’t just affecting healthcare on an organisational level. They’re also putting human lives at risk. The Internet of Medical things makes it possible that connected devices such as pacemakers and robotic surgical tools could be disrupted in themselves, and exploited for financial or political gain.
Naturally, this is a source of intense concern for patients relying on connected devices for treatment and management of their conditions. The idea of something inside your body being compromised by unknown external forces is the stuff of nightmares, and patients need more reassurance than ever that the benefits of medical technology outweigh the risks.
The most common risk involved with data theft is human error. A hacker may send a doctor with access to sensitive records an email including a false link that downloads malware onto their computer. While cyber security systems are getting better at flagging such emails as potentially harmful, hackers are getting to know and work around the algorithms that identify malware.
APT attacks can also sit dormant in a network, unnoticed by security systems as it spreads through the network. This gives hackers real-time insight into what is happening across the system.
From losing funds to losing control to directly compromising the lives and safety of individuals, vulnerability to cyber attacks is an international crisis. Only by educating staff at every level of a connected infrastructure can we assure stakeholders and patients of our ongoing commitment to their safety, online and in their everyday lives.
How can healthcare organisations avoid cyber crime?
Most of the recent attacks on health systems have left limited traces, despite causing significant disruption. This makes it hard to track down the origins of the attack, or to pre-empt future issues. However, the threat goes beyond a single isolated hacker or organisation - by drawing attention to key weaknesses within the system, the WannaCry attacks have made the NHS a target for attackers across the globe.
Healthcare institutions therefore need to focus their efforts on preventive measures, building cyber security into their IT strategies from the ground up. As new connected technologies emerge, hospitals and clinics can form security standards and procedures around them on a case-by-case basis, ensuring that no cracks are left in the overall infrastructure.
Most importantly, organisations need to counter the chaotic anonymity of the attacks with complete trust and transparency in the way they respond. Some organisations are tempted by their fear of legal costs to under-report on incidents of cyber crime, and even pay ransoms to hackers rather than expose the extent of the problem. However, only when organisations show commitment to understanding and guarding against such attacks can they maintain the the confidence of patients and stakeholders.
First and foremost, it’s crucial to know that the right people are accessing the right data. Organisations can ensure authorisation with multifactor authentication (MFA), complex passwords, single sign-on and access management.
These measures will cut out the risk of hackers discovering a user’s password and gaining access to the system via the account. With increasing numbers of patients having online access to their own medical information via mobile devices and patient portals, it’s crucial that we adopt measures to counter passwords getting into the wrong hands.
Alternative data transfer
Data is at its most vulnerable when it’s in transport. The digital hospital environment itself can be heavily monitored and reinforced, but any time a third-party service such as a web server is used to transfer data between systems, there’s an opportunity for hackers to exploit weaknesses.
Many organisations are turning to programs such as Blockchain to ensure safe encryption of data while transporting healthcare information. Secure by design, these distribution systems record all transactions transparently, promoting interoperability between multiple infrastructures without loss or corruption of information.
Data loss prevention tools
Innovative tools are able to identify potential data loss via specific criteria, and trigger security responses to encrypt the data before any of it is leaked. This is particularly useful when it comes to emails discussing personal health data or data being copied across drives. These tools automatically give information an added level of defense whenever it leaves an organisation’s firewalls, protecting patients and organisational infrastructures alike both within and beyond hospitals.
The Internet of Medical Things means that personal devices such as smartphones and tablets as well as health wearables now have direct access to healthcare data infrastructures. From doctors instantly bringing up patient information on their iPads to patients checking their progress via bespoke apps, the multitude of devices being used require specific security policies to be built around them.
Hospital IT departments can also take advantage of the interconnectivity between the main network and personal devices to automatically install up-to-date security patches on all connected devices at once, giving staff and patients peace of mind that the latest threats have been taken into account.
Intelligent threat protections
APT attacks allow hackers to spend an extended period of time exploring data before launching a more obvious offensive. It’s therefore vital that hospitals effectively monitor their digital environments, picking up on anomalies and alerting staff to suspected intrusion.
Healthcare providers need to adopt artificial intelligence tools capable of evaluating logs and user activities across the system, comparing consistent behaviours in order to weed out any abnormal activity and stop an attack in its tracks.
Education and awareness
Advanced as your security system may be, hackers design their attacks to take advantage of human psychology. It’s therefore crucial to educate all end users to recognise hidden threats, and to alert others to phishing emails, fake websites and unauthorised password requests as soon as possible.
By offering ongoing training to all staff who deal with data and connectivity on any level, an organisation can stand together against cyber attacks, mitigating risks and protecting their patients.
How can targeted organisations respond to an attack?
While we can combat individual cyber threats as they arise, opportunistic hackers aren’t going anywhere. Organisations must aim to stay one step ahead of cybercriminals, but in the event of a breach, it is necessary to have an efficient response plan that reduces risk while maintaining calm.
The US Office for Civil Rights has outlined a quick-response checklist for organisations that find they’ve been compromised to use while getting back on their feet. This ensures that they follow best practice, remain transparent and compliant, and maintain their reputations while dealing with attacks.
Taking these guidelines into account, organisations need to devise their own response protocols, and ensure that all staff are aware of them in preparation for potential cyber emergencies. By keeping the conversation open between organisations, government bodies, employees and patients, we can present a united front against attackers, and assure stakeholders that their information is safe going forward.