Having worked as a developer, penetration tester and security consultant for nearly 20 years, Laurie Mercer, Security Architect at HackerOne, shares insight into the potential role of ethical hackers in protecting the healthcare sector.
The healthcare industry is facing a relentless barrage of cyberattacks and the situation is unlikely to improve in the short term. Research surrounding publicly disclosed breaches has shown that between January and September last year, healthcare suffered more attacks than any other sector, with 241 incidents reported. To compound matters, the sector also took the top place for the highest remediation costs and has now held this unenviable position for 13 consecutive years.
As a result, the government has put forward a strategy to strengthen cyber-resilience in health and adult social care by 2030. While acknowledging that every NHS and social care organisation must take responsibility for its own cybersecurity, it advocates for more collaboration to provide a unified approach, with centralised support from national cybersecurity teams. The aim is to ensure that entities within what is largely a decentralised sector work together to share knowledge, optimise costs and achieve a minimum level of security across all systems with a ‘defend as one’ mindset.
Although the strategy was set to be published last summer, there is no sign yet of the promised implementation plan. In the meantime, the health sector is faced with the stark reality that theft of patient data is a lucrative business for criminals, intensifying the growth in cyberattacks.
Criminals have the upper hand
Health records contain valuable medical and personal information and fetch a high price on the dark web. Cybercriminals can also use their skills to exploit the critical nature of the data, holding it hostage through ransomware and extorting large sums to restore records. The potential magnitude of the financial rewards attracts criminals from across the globe looking to make easy money. Their attention is frequently drawn to the UK’s NHS as an increasingly vulnerable target. Its massive legacy infrastructure relies heavily on outdated software and protocols that lack the robust security features of modern technology. Many systems don’t benefit from regular updates or patches, leaving known vulnerabilities unaddressed and wide open to exploitation.
These inherent weaknesses have already been exposed in past cases such as Advanced, WannaCry, NotPetya and the 2021 Irish Health Service Executive. They highlight how staff and patients can fall prey to cyber attackers looking for ways into healthcare systems. These attacks are carried out through a variety of tried-and-tested tactics, such as phishing emails, social engineering and malware. Although employees nowadays are more aware of security risks than in the past, it only takes one mistake for a breach to be set in motion.
In the US alone, over 40 million patient records were compromised in 2023, a colossal 104% year-on-year increase. Cybersecurity teams can’t afford to wait for the same to happen in the UK. They must find solutions that can improve their security posture right now – a big challenge given current economic constraints. However, there is compelling evidence to show that security initiatives incorporating the ethical hacking community can provide an effective way of combating their counterparts in the criminal world – and at a cost that fits into limited budgets.
How ethical hackers can lend a helping hand
Healthcare organisations looking to step up their cybersecurity strategy should explore how programs that engage the global ethical hacking community can extend their teams and reduce cybersecurity risk. Vulnerability disclosure programs (VDPs) are a great first step to engaging the community and building a more robust security posture. A VDP acts as a ‘see something, say something’ policy that gives the public and ethical hackers a continuous avenue to report security flaws. Bug bounty programs (BBPs) do the same, but offer monetary rewards to those who report valid vulnerabilities. These solutions complement engagements like penetration tests, which are time-bound, in-depth engagements that often help organisations meet security compliance standards, something that is highly beneficial for regulated industries like healthcare. All of these programs harness the ingenuity and skill of the global ethical hacker community to identify elusive vulnerabilities that automated solutions fail to catch.
A recent report illustrates the potential of these solutions, highlighting that over 70% of organisations have successfully used them and prevented a significant security incident. For the healthcare sector, this could represent savings in future recovery and remediation costs. With VDPs and BBPs, security teams can complement their own skills with a range of expertise and technical knowledge from hundreds of thousands of registered ethical hackers. Internal technical gaps caused by skills shortages or staff turnover can therefore be filled by external resources through an easily scalable model.
The report also highlighted a platform-wide improvement in the time taken to remediate a vulnerability, with the average time dropping from 35.5 days in 2022 to 25.5 in 2023. Encouragingly, it shows how the platform and ethical hacking community can drive efficiency within organisations, ensuring vulnerabilities are taken seriously and patched faster. Unsurprisingly, there are some salutary statistics on the costs that could be saved if the software wasn’t released with security flaws in the first place, indicating a saving of US$18K per missed bug on average across industries.
In addition, 91% of organisations agreed that hackers provide more impactful and valuable vulnerability reports than scanning solutions – or AI tools. The majority measured success as a combination of the absence of incidents or breaches and estimated savings related to reputational damage and customer-facing incidents. It suggests that continuous human-powered solutions, like VDPs and BBPs, combined with in-depth testing offered by programs like penetration testing, could be an important part of improving cyber-resilience at an acceptable cost.
Quickly scalable, enabling a continuously improving security posture, and offering a model suited to organisations with limited budgets, ethical hacking solutions must be worth serious consideration, especially by those responsible and accountable for protecting patient data and critical health services infrastructure.