It is no secret that healthcare facilities hold important patient data. And, with the UK’s National Health Service (NHS) caring for over 1 million patients every 24 hours, one can only imagine the amount of data that one working day can produce. Additionally, healthcare data comes with a big price tag on the dark web – more than any other data. According to a report, a healthcare data record can be valued at around £200, compared to just £4 for the next highest value record (a credit/debit card). With access to such an abundance of highly valuable data, the NHS, as well as private healthcare entities, are major targets for malicious cyber criminals.
In 2017, the NHS found itself victim to one of the most infamous attacks in recent history; the Wannacry attack. This ransomware attack was a major push for NHS healthcare facilities to reassess their approach to cybersecurity. In 2019, Matt Hancock, the Secretary of State for Health and Social Care, established NHSX; a government unit responsible for developing best practice for NHS technology. Nevertheless, this industry as a whole – not solely the NHS – is still severely lacking in sufficient cybersecurity. This is perilous considering the industry’s reliance on technology is only expanding. Moreover, COVID-19 has expediated this dependency, meaning that cybersecurity needs to be at the forefront of the healthcare industry.
Attacks on Healthcare
As mentioned, the most significant attack on the UK’s healthcare industry occurred in 2017. Although only lasting a few days, the Wannacry attack affected up to 70,000 NHS devices. This includes computers, MRI scanners, blood-storage refrigerators and theatre equipment. Because of the necessity of such devices, some NHS services had to turn away non-critical emergencies, divert ambulances, and cancel 19,000 appointments. Understandably, this caused complete chaos and cost the UK £92 million.
Despite the attack sparking a much-needed re-evaluation of the NHS’ cybersecurity approach, not enough has been done. ForgeRock’s recent research has found that the healthcare sector is the most at-risk in the UK. Additionally, two-thirds of healthcare bodies in the UK experienced a cybersecurity incident in 2019, according to a report by Clearswift. These statistics demonstrate the industry’s high vulnerability to cyberattacks.
The Appeal of Attacking a Healthcare Facility
The appeal of attacking a healthcare facility has only increased following the outbreak of COVID-19. According to the National Cyber Security Centre’s annual review, over a quarter of all cyber incidents detected in the UK between January and September 2020 involved criminals and hostile states exploiting the pandemic.
With the UK being one of the most affected countries, the healthcare industry is treating tens of thousands of patients a day. To bad actors, this means more valuable data that can be stolen and sold on the dark web. Equally concerning is the presence of Advanced Persistent Threat (APT) groups, who are often sponsored by nation states. These pernicious actors are exploiting the pandemic by conducting attacks that seek to steal intellectual property, such as vaccine information. This is extremely relevant to the UK due to its involvement in vaccine research.
COVID-19 Tracking Apps
Moreover, COVID-19 tracking apps are another cause for concern in the realm of cybersecurity. These apps provide more than just an individual’s healthcare information. Using contact tracing to curb the spread of the virus, the apps collect information on where an individual has been and who they have been in contact with. This information can be useful for state-sponsored groups conducting espionage activities. This is especially if they target high value individuals such as politicians. To make matters worse, researchers found seven security flaws in the UK’s pilot app. These flaws, however, are not unexpected considering the main focus for the healthcare industry is the virus itself, therefore leaving cybersecurity even more neglected than it already is.
The greatest problem associated with the lack of cybersecurity in the healthcare industry is that an attack can be fatal. With so many devices and operations becoming more reliant on technology, including those which perform life-saving actions, an attack could directly, and indirectly, result in many patient deaths.
With the appeal of an attack on a healthcare organization being high, and the reliance on technology within the sector increasing, attackers are turning to hardware-based attacks. These attacks have greater chances of success due to a lack of hardware security. Spoofed Peripherals impersonate legitimate HIDs and therefore do not raise alarms, while Network Implants sit on the Physical Layer which is not covered by existing security software solutions. Rogue Devices have the ability to conduct harmful attacks that can result in data theft, espionage and operational disruptions meaning that their extremely covert nature makes them a major threat due to the extent of damage that they can cause.
Lack of Cybersecurity
With healthcare entities performing life-saving operations, cybersecurity is often deemed a hindrance to the time-critical nature of the industry. The healthcare sector has a reputation of neglecting cybersecurity in favour of patient care. This is not necessarily a negative approach, yet when patient care is relying on technology, a lack of cybersecurity is, in fact, detrimental to the industry’s very cause. UK healthcare providers are not allocating enough of their budget to cybersecurity, resulting in insufficient measures.
Clearswift conducted a survey into cybersecurity in healthcare and found that less than a quarter of respondents claimed to have “adequate” levels of budgeting allocated to security. In the same survey, only 26% of respondents said they were investing in endpoint security. This specific statistic is concerning with regards to hardware attacks since endpoints are a key target. Furthermore, this demonstrates that healthcare facilities have a lack of understanding as to what they are vulnerable to. Moreover, an abysmal one out of hundreds of NHS trusts passed the government-backed Cyber Essentials Plus assessment which includes a range of security tests.
Lack of Employee Training
Without sufficient cybersecurity software in effect, employees stand as the main barrier protecting healthcare facilities from cyberattacks. However, the lack of investments into cybersecurity also applied to employee training on the subject. With a lack of awareness regarding cybersecurity risks and practices, employees are not a reliable form of protection and are often the primary cause of cyberattacks. This is especially dangerous since an increasing number of NHS staff are provided with access to critical systems. This means any error made could have dire consequences. Furthermore, hardware attacks regularly rely on social engineering techniques since the attackers need to acquire physical access to an entity. With employees oblivious to such methods as a result of insufficient training, attackers can successfully manipulate staff and carry out attacks.
Many systems within the healthcare industry are outdated in terms of cybersecurity. Having been built without cybersecurity in mind, these systems have fewer, to no obstructions to cyber criminals. Many systems also lack two-factor authentication, a basic form of cybersecurity in current times. This further facilitates the attacker’s job.
Increased Reliance on Technology
All these vulnerabilities are not helped by the fact that the healthcare industry is increasingly relying on technology. More and more medical devices are now part of the IoT. This increases the attack surface for malicious actors since there are more entry points, and more devices storing patient data. Importantly, many of these IoT medical devices perform life-saving operations and/or allow patients to continue their daily lives.
Medical IoT devices include connected inhalers which allow for better management of asthma; automated insulin delivery systems which continuously monitor a patient’s blood glucose without requiring a finger prick test; and implantable pacemakers, to name a few. IoT devices are vulnerable to attacks, and an attack on a medical IoT device can have extremely damaging results.
Furthermore, COVID-19 has resulted in proliferated remote work. The healthcare industry is no exception since some operations can be conducted online. This makes it easier to attack the NHS since it is becoming increasingly reliant on its network. Many devices connecting to it could be employees’ personal devices which have fewer security features in place, thereby increasing the cyber risks.
With the increased reliance on technology comes the increased reliance on the supply chain, since devices used in the healthcare industry are manufactured by third parties. The supply chain is a cybersecurity risk due to the inconsistencies in security measures. If an organization is too difficult to infiltrate, malicious actors often turn to the organization’s supply chain. This is due to the fact that there are likely less stringent security measures in place.
Devices can be manipulated by cyber criminals in the supply chain with the intent of said device being used by the target organization. This is a very real threat, with almost 50% of incidents originating from a third-party device, such as an IoT device or hardware peripheral.
Hardware attacks require that the attacker gain physical access to its target. Healthcare entities are relatively easy to gain access to and are often designed with a high level of openness to facilitate operations. However, this openness makes the attacker’s job easier since devices can more easily be tampered with. And, with thousands of people coming in and out of hospitals daily, including patients, doctors, nurses and secretaries, how could one detect the presence of a malicious actor disguised as one of the many genuine individuals that can be found in a hospital?
Are hospitals even safe?
In short, yes. Here at Sepio, we are not discouraging you from going to visit a doctor if you are feeling unwell (it is necessary to emphasize this). However, this blog seeks to highlight the risks of insufficient cybersecurity within the healthcare sector in an effort to improve operations, data confidentiality, and general security within the industry. The healthcare industry’s prioritization of patient care must now come hand-in-hand with cybersecurity. In 2021, the former without the latter is simply an oxymoron.