The NHS is a top target for cybercriminals and remains susceptible to attacks. Randeep Gill, Principal Security Strategist at Exabeam, discusses the importance of cyber-resilience and the service’s existing vulnerabilities.
The last few years have seen a surge of new digital technologies being deployed across the NHS in a bid to streamline operations, improve communications and initiate new remote monitoring and healthcare services for patients. All of this has made the NHS a top target for cybercriminals.
In today’s digitally connected world, healthcare has become one of the sectors most frequently targeted by threat actors, for several reasons. Alongside holding a wealth of sensitive patient and employee data that cybercriminals can sell for financial gain on the dark web, the NHS is also particularly susceptible to ransomware attacks that disrupt critical systems and put lives at risk.
The healthcare data the NHS holds digitally, covering the personal information of over 40 million citizens, is valuable in itself, but there are several further reasons why the NHS is such an attractive target for cybercriminals.
Multiple vulnerabilities add up to a wealth of opportunities
The NHS has one of the largest attack surfaces of any public sector body in the UK, spanning a multitude of organisational systems, technologies, networks and users. This huge and complex estate is difficult to protect cohesively against a rapidly evolving threat landscape. In recent years, the proliferation of connected Internet of Things (IoT) medical devices has added further security vulnerabilities to the mix.
However, the biggest challenge confronting NHS organisations is their continued reliance on legacy hardware and software systems that are ripe for exploitation by malicious actors. These range from inadequate data storage that leaves patient data exposed for cybercriminals to steal, to legacy databases that are difficult to secure or encrypt.
For budget-constrained NHS organisations, older operational technologies can be expensive or difficult to replace and update. As part of a wider connected infrastructure, however, they create a major problem, because these older systems and platforms often lack the security features needed to protect against today’s cybersecurity risks. For example, they may be unable to support multi-factor authentication, single sign-on or role-based access control, all of which are essential for preventing unauthorised access to digital assets. In practice, such controls then have to be enforced in front of the legacy system rather than inside it.
Finally, threat actors are constantly on the lookout for low-hanging fruit and will scan systems for unpatched software and hardware vulnerabilities that can be exploited to gain a foothold and carry out a breach. Increasingly, they are also undertaking supply chain attacks, which exploit vulnerabilities in third-party tools used daily by organisations worldwide. For example, in June of last year, Ireland’s Health Service Executive (HSE) became a victim of a cyberattack launched via the MOVEit file transfer tool.
The need for cyber-resilience is growing
The enduring and growing threat of cyberattacks is highlighted in news stories on a daily basis. In June, a ransomware attack on the University of Manchester affected an NHS patient data set holding information on 1.1 million patients across 200 hospitals.
Meanwhile, in July the Barts Health NHS Trust, which serves more than 2.5 million patients, confirmed it was investigating a ransomware incident perpetrated by the BlackCat ransomware gang which claimed to have stolen 70 terabytes of sensitive data. More recently, it was revealed that historic data leaks at the Cambridge University Hospitals NHS Foundation Trust had exposed the sensitive data of more than 22,000 patients.
To overcome the challenges posed by legacy technologies, NHS organisations will need to take some key steps to foster the cyber-resilience that is needed. At a minimum, this includes:
- Implementing strict access controls that limit data access and reduce both the likelihood and the impact of a successful attack.
- Regularly training all staff on the importance of setting strong passwords, keeping devices locked when not in use and being aware of phishing and email scams.
- Keeping software and systems updated and diligently rolling out security patches to address known vulnerabilities.
- Securing mobile devices with strong authentication and encryption.
- Undertaking regular risk reviews to identify critical areas to address. This should include understanding who accesses systems, how systems are secured and how patient data is stored and encrypted.
- Building a security-first mindset that considers systems, software and tooling together rather than in isolation.
- Ensuring that the policies and workflows between security and IT functions are aligned and that a clear incident response plan is in place.
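The first and fifth points above, strict access controls and knowing who accesses which systems, can be enforced even for a legacy application that has no access control of its own by placing a small policy gateway in front of it. The following is an added illustration, not code from the article or from Exabeam; the roles, resources, actions, user names and the sample patient record are all hypothetical. It shows a deny-by-default role check, an MFA requirement on sensitive actions, and an audit trail of every decision so a later risk review can answer "who accessed what" without relying on the legacy system's own logging.

```python
"""Deny-by-default access gateway placed in front of a legacy clinical system.

Added illustration, not code from the article or from Exabeam. All roles,
resources, actions, users and the sample record below are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Hypothetical role -> permitted (resource, action) pairs. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "clinician": {("patient_record", "read"), ("patient_record", "write")},
    "receptionist": {("appointment", "read"), ("appointment", "write"),
                     ("patient_record", "read_demographics")},
    "auditor": {("audit_log", "read")},
}

# Actions sensitive enough to require an MFA-verified session, even when the role permits them.
MFA_REQUIRED = {("patient_record", "write"), ("patient_record", "export")}


@dataclass(frozen=True)
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_verified: bool


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # "ok", "not_permitted" or "mfa_required"


def authorise(session: Session, resource: str, action: str) -> Decision:
    """Decide whether the session may perform action on resource.

    Unknown roles grant nothing, so a misspelt role or a missing table entry
    fails closed rather than open.
    """
    wanted: Permission = (resource, action)
    granted = set()
    for role in session.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    if wanted not in granted:
        return Decision(False, "not_permitted")
    if wanted in MFA_REQUIRED and not session.mfa_verified:
        return Decision(False, "mfa_required")
    return Decision(True, "ok")


class Gateway:
    """Wraps calls to a legacy handler that performs no access control of its own."""

    def __init__(self) -> None:
        # (user, resource, action, allowed, reason) for every request, allowed or not
        self.audit: List[Tuple[str, str, str, bool, str]] = []

    def call(self, session: Session, resource: str, action: str,
             handler: Callable[[], object]) -> object:
        decision = authorise(session, resource, action)
        self.audit.append((session.user, resource, action, decision.allowed, decision.reason))
        if not decision.allowed:
            raise PermissionError(f"{session.user}: {action} on {resource} denied ({decision.reason})")
        return handler()  # only reached once the policy has allowed the request


def demo() -> List[Tuple[str, str, str, bool, str]]:
    """Run four constructed requests through the gateway and return the audit trail."""
    gw = Gateway()
    legacy_store = {"NHS-0001": {"name": "A. Patient", "notes": "routine"}}  # constructed sample data
    dr = Session("dr.jones", frozenset({"clinician"}), mfa_verified=False)
    dr_mfa = Session("dr.jones", frozenset({"clinician"}), mfa_verified=True)
    desk = Session("front.desk", frozenset({"receptionist"}), mfa_verified=True)

    gw.call(dr, "patient_record", "read", lambda: legacy_store["NHS-0001"])  # allowed
    for s in (dr, desk):  # clinician without MFA, then receptionist: both denied and logged
        try:
            gw.call(s, "patient_record", "write",
                    lambda: legacy_store["NHS-0001"].update(notes="amended"))
        except PermissionError:
            pass
    gw.call(dr_mfa, "patient_record", "write",
            lambda: legacy_store["NHS-0001"].update(notes="amended"))  # allowed with MFA
    return gw.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The gateway is the only path to the legacy handler, so the legacy system never needs to understand roles or MFA itself; denied requests are still written to the audit trail, which is what a risk review needs in order to spot probing by an account that should not be asking.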
By implementing such pragmatic measures, NHS organisations can start to change how they thwart attackers and overcome their legacy technology dilemma. By addressing security, communication and data storage with a view to future-proofing their environments as far as possible, they will gain a holistic view of their operations and be better prepared to identify and mitigate risk.