According to BBC News, “WannaCry was the biggest cyber-attack that has affected the NHS to date: NHS trusts were left vulnerable in a major ransomware attack in May 2017 because cyber-security recommendations were not followed, a government report has said.”
The BBC report claims that a third of the NHS systems in England were disrupted by the WannaCry ransomware attack, according to the National Audit Office (NAO). At least 6,900 NHS appointments were cancelled as a result. “NHS England reported that no patient data had been compromised or stolen and praised the staff response. The NAO chief said the Department of Health and the NHS must now get their act together”, the BBC stated.
You might be forgiven for thinking that ransomware was no longer an issue, but it remains a cyber-security threat to most healthcare organisations around the globe – including NHS hospitals in the United Kingdom. Moreover, new strains of ransomware are constantly emerging. This means that hospitals must consider how they can prevent ransomware and malware attacks today. The battle to stop such incidents in their tracks is ongoing, taking up invaluable time and resources.
Cyber-security: not working
The problem is compounded by a growing belief that traditional methods of cyber-security haven’t been working. Michael Sentonas, VP Technology at CrowdStrike, wrote on 13th October 2017 in the Australian edition of PC World magazine:
“As we reflect on the way organisations around the world have been impacted by breaches this year, it’s clear that traditional approaches to security have failed. Look no further than WannaCry, which saw more than 300,000 computers across more than 150 countries get locked up by the ransomware. Shortly after this, WannaCry’s evil twin brother, NotPetya, had a large impact around the world, bringing down hospitals and healthcare organisations, manufacturers and logistics companies, as well as corporate firms.” Artificial intelligence (AI) and machine learning are now seen as the answer, which may be good news for the hospitals that are still failing cyber-security checks to this day.
Owen Jones reports in his 7th February 2018 article for Digital Health magazine, ‘NHS trusts fail post-WannaCry cyber security checks’, that every NHS trust has been assessed against current cyber-security standards to see how much more resilient it is than in 2017, when the trusts were embattled by the WannaCry ransomware attack. Unfortunately, NHS Digital revealed to him that they all failed. Such poor performance led to the Care Quality Commission disclosing plans for impromptu inspections of the UK’s hospitals, as a cyber-attack can affect the quality of patient care.
The NHS isn’t the only healthcare organisation that needs to act now to prevent cyber-attacks. Noel Towell and Aisha Dow wrote in the Australian newspaper The Age on 29th November 2017: “Outdated computer systems are putting Victoria's most critical services - including hospitals, police and child protection - at risk of cyber hackers and fraudsters, two audits have revealed. The obsolete IT systems leave the state exposed to a disastrous hardware crash and computer virus attacks, the Victorian Auditor-General's Office says.”
Moreover, Times of Israel journalist Shoshanna Solomon wrote on 29th January 2018 that ‘Medical imaging devices are vulnerable to cyber-attacks, Israeli team warns’. She states that, to prevent such attacks, cyber-security researchers at Ben-Gurion University are developing ‘AI-driven solutions to foil hacks, by making sure medical instructions match the patient's profile’.
Poor patching and education
In the Australian edition of CSO Online, David Braue wrote on 15th February 2018, under the headline ‘Poor patching and user education leave healthcare providers sitting ducks for cyber attacks’, that these weaknesses unwittingly aid the success of cyber-attacks. Combined, they make it easier for cyber-criminals to attack healthcare organisations, and they do so because the sensitivity and re-sale value of patient data make the whole disruptive exercise an attractive prospect.
“Despite the masses of highly sensitive data that healthcare companies manage, new analysis has warned that chronically poor endpoint security, weak patching practices and high exposure to social engineering make the industry one of the worst-performing sectors when it comes to protecting data”, says Braue.
Healthcare organisations across the globe do tend to focus on other aspects of healthcare rather than the threat from hackers and viruses. The UK’s NHS has proved that these threats can no longer be thought of as confined to the commercial sector: healthcare organisations need to improve their security to prevent unauthorised access not only by their own users but also from outside. The NHS is an example of an organisation that knew a threat existed but failed to keep its PCs up to date.
Security Expo conference’s website claims that “The new wave of cyber terrorism is perhaps its most insidious, attacking medical devices and shutting down hospitals.” It also claims that, until recently, hospitals were completely vulnerable to hackers.
It adds: “Medical devices feed into the hospital networks, which allow intruders a backdoor to access sensitive data or shut down systems entirely to extort money. This is not hypothetical either, with the healthcare industry ranked in the top three of most cyber-attacked sectors in the world.” MRI and X-ray images, medical files, etc. should always be backed up, and healthcare organisations around the world need to ensure that their sensitive data is extremely secure.
Australia’s Invest Victoria is taking the threat seriously. On 22nd September 2017, it reported in an article on its website that Melbourne’s hospitals “will soon have cutting-edge cyber-security devices installed to protect medical equipment from being hijacked in a world-first global trial. The State Government of Victoria will fund a pilot with hospitals in Melbourne’s west to trial 400 Cyber-Nexus anti-hacking devices developed by Israeli firm Bio-Nexus.”
Invest Victoria says, “The devices provide a double-layered security protection for medical equipment, including heart rate monitors and intravenous pumps to prevent compromise by hackers. Protecting Victoria’s healthcare system from cyber-crime is of high priority to the Victorian Government. Earlier in 2017, the United Kingdom’s NHS was victim to a global ransomware attack, with computers, medical equipment, patient records, appointment schedules, phone lines and emails all [affected].”
The Victorian Government is funding the project to the tune of A$457,000, and the investment is coming from its A$11 million Public Sector Innovation Fund. To combat the threat of cyber-attacks, the project involves the installation of devices, staff training, tests and results analysis. Invest Victoria adds:
“The trial complements the work done by Victoria’s Cyber Security Centre, which houses the A$30 million Cyber Security Growth Centre, the CSIRO’s Data61 and Israeli cyber security training company CyberGym. It also follows the Victorian Government’s Cyber Security Strategy, a first of any Australian state, and Cyber Victoria, putting Melbourne on the path of becoming the first cyber-ready city in Australia.”
Hackers must be stopped at the entry points with firewalls, remote user authentication, security audits, user education and by implementing other processes – including regular data back-ups. Once they are in, they’re in. With the European Union’s General Data Protection Regulation (GDPR), and other data protection initiatives, data should be encrypted at rest before it is stored and backed up. This doesn’t necessarily stop hackers from lifting the data, but it makes the data more difficult to use. Losing this data through removal or deletion also requires a robust back-up and disaster recovery (DR) strategy, with gold copies held off premises on remote sites.
With the fragmentation of the US healthcare service into independent, autonomous healthcare providers, lessons learnt by one provider aren’t necessarily passed on to others, for obvious reasons. The US HIPAA regulations are quite stringent about the use and protection of the individual patient’s data. So, perhaps, it is time for healthcare providers around the world to adopt these regulations.
Audits and solutions
Healthcare providers are no different from any other organisations. They should regularly audit their disaster recovery and business continuity strategies in case a cyber-attack actually breaks through their defences, which may not be strong enough. They therefore need to learn the lessons of the last few years, taking into account the changing threats. This requires a constant process of reviewing the latest threats, with a regime of testing against various scenarios.
One aspect that is now being recognised with ransomware is the importance of having a separate copy of all the data located far enough away not to be affected by natural disasters, and air-gapped to prevent access by the ransomware. Yet moving ever larger amounts of data offsite can be problematic, and with some tools it may not be possible to achieve a secure back-up within the timescales required by the data users and by their healthcare organisations.
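The DR auditing and air-gapped gold copy described above only pay off if the offsite copy can be shown to be complete and untouched when it is needed. The following is an added example, not code from the article or from Bridgeworks: it builds a SHA-256 manifest of a backup set at backup time, seals the manifest with an HMAC key held separately from the backup, and later verifies an offsite copy against it, reporting files that are missing, altered (as a ransomware encryption pass would leave them) or unexpected. The file names and contents are constructed sample data, and the HMAC key is a placeholder.

```python
"""Backup manifest + offsite copy verification (added example, not the article's code).
Sample files and the HMAC key below are constructed placeholders."""
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path

# Placeholder key: in practice, hold this with the custodian of the air-gapped
# copy, never alongside the backup it protects.
MANIFEST_KEY = b"placeholder-manifest-key"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large imaging files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its size and SHA-256 at backup time."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    return manifest


def seal_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so the manifest itself cannot be rewritten unnoticed."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_seal(manifest: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def verify_copy(manifest: dict, copy_root: Path) -> dict:
    """Compare an offsite/restored copy against the manifest.
    Empty lists in every category mean the copy matches the sealed record."""
    findings = {"missing": [], "modified": [], "unexpected": []}
    present = {p.relative_to(copy_root).as_posix() for p in copy_root.rglob("*") if p.is_file()}
    for rel, meta in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            findings["missing"].append(rel)
        elif target.stat().st_size != meta["size"] or sha256_file(target) != meta["sha256"]:
            findings["modified"].append(rel)
    findings["unexpected"] = sorted(present - set(manifest))
    return findings


def demo() -> dict:
    """Run the whole cycle on constructed files: clean copy, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        offsite = Path(tmp) / "offsite"
        (primary / "imaging").mkdir(parents=True)
        (primary / "imaging" / "scan001.dcm").write_bytes(b"DICM constructed sample image bytes")
        (primary / "records.db").write_bytes(b"constructed patient record db contents")

        manifest = build_manifest(primary)
        tag = seal_manifest(manifest, MANIFEST_KEY)

        shutil.copytree(primary, offsite)            # the offsite gold copy
        clean = verify_copy(manifest, offsite)

        # Simulate what a ransomware pass on the copy would leave behind:
        # one file overwritten, one deleted, one ransom note dropped.
        (offsite / "records.db").write_bytes(b"\x00\xffENCRYPTED garbage")
        (offsite / "imaging" / "scan001.dcm").unlink()
        (offsite / "READ_ME.txt").write_bytes(b"constructed ransom note")
        tampered = verify_copy(manifest, offsite)

        return {"seal_ok": check_seal(manifest, MANIFEST_KEY, tag), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest and its HMAC tag should travel with the air-gapped copy's custodian rather than sit on the backup volume: if ransomware can rewrite the manifest along with the data, the check proves nothing. Running the verification as part of each DR test turns the "do we have a good copy?" question into a recorded pass/fail result.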
With healthcare data required to be encrypted in flight, traditional WAN optimisation products are unable to provide the much-needed throughput enhancements over the WAN to these remote locations. In contrast, WAN data acceleration solutions such as PORTrockIT can enable healthcare organisations to back up their data more securely and more quickly. So, even if a cyber-attack were to get through and cause damage, and if the organisation has at least 3 disaster recovery sites, it would become possible to keep patient services and hospitals running. Healthcare organisations also need to ensure that their software is updated, and that they invest in user training to prevent ransomware from succeeding.
David Trossell, CEO and CTO of Bridgeworks
Image Credit: Lightpoet / Shutterstock