Healthcare security
From Blood Tests to MRIs:
How Ransomware Stopped NHS Machines in their Tracks
One year on from WannaCry’s devastation of the NHS, what lessons have been learned? Paul Parker, chief technologist of federal & national government at SolarWinds, explores the security challenges and lessons for the healthcare industry
Despite the fact that almost a year has passed since WannaCry infiltrated the NHS, the UK’s national health service has yet to fully learn from the mistakes that rendered it vulnerable to attack in the first place.
A recent report published by the government highlights the impact of the attack and lessons that need to be learned as a result.
While the risk to patient data is the main focus of this report, and is often viewed as the weakest point for the NHS, it is important to remember the other aspects of healthcare that were also affected by the attack and remain vulnerable to ransomware.
The impact of WannaCry
Hospitals and health centres of every size rely on equipment to carry out a multitude of tasks, from machines conducting everyday blood and tissue tests to expensive MRI scanners.
Although less obvious, medical devices such as these are also at the mercy of cyberattacks, with over 1,200 pieces of diagnostic equipment affected by WannaCry last May, and additional equipment put out of use to prevent the ransomware from spreading. As a result, delays in test processing and the communication of results were just the tip of the iceberg in terms of patient impact.
Top three security challenges
The cyberattack last year showed the effect a mass IT outage can have on the NHS, crippling vital healthcare services around the country. It also highlights that security should be one of the top healthcare priorities, as the nation as a whole relies on the industry 24/7.
But healthcare professionals face a range of challenges to meet the security standards required to prevent attacks such as WannaCry from affecting their equipment. While the NHS still grapples with how to remain fully secure, here are three priorities that should be top of the list:
1. Devices hold data that can be accessed wirelessly
One clear problem is that many devices have the ability to store personally identifiable information (PII), which marks them out in particular as a security risk. Should these devices be hacked, the information they hold could be compromised.
Increasing this risk is the fact that these devices can be connected to the network either by wire or wirelessly. While the wired equipment stays put, the wireless devices can be taken anywhere in the facility, making the job of keeping track of them all the more difficult.
2. Not all devices accept malware protection or system patches
Despite the increasing risk of cyberattacks, most medical devices have restrictions on software updates to malware protection products and operating system patches, preventing the equipment from maintaining its frontline security.
These unprotected devices can therefore unintentionally serve as entry points for cyberattacks, leaving the entire network vulnerable. To make matters worse, devices are still in use today that are too old to be patched at all.
3. IT professionals lack visibility into network devices
Without an accurate and up-to-date map of all of the devices that exist in a healthcare facility, IT leaders and their teams have no feasible way to track the equipment that is in use at any one time.
The issue this raises in relation to attacks is that it becomes difficult to see where malware has infiltrated one or more devices, as there is currently no system in place to monitor this.
How the NHS can prepare for next time
With ransomware, it is a case of when, not if, another attack will occur. As recent reports have highlighted, cyberattacks can have a devastating impact on the NHS due to the critical nature of the service it provides.
To prevent it from suffering to the extent it did with WannaCry again, the UK government has invested an additional £196 million in cybersecurity up to 2020. But what should the NHS use this funding for?
A ‘lessons learned review’ published by NHS England recommends that all NHS organisations develop plans to comply with the Cyber Essentials Plus standards by June 2021, which will ensure a minimum level of cybersecurity is maintained. These plans are to be published in June 2018.
The review also recommends that processes be in place to manage third-party contracts for IT systems and devices, to confirm that security updates are standard practice.
As part of this, NHS organisations would benefit from implementing a network management system that can protect their network and keep all the medical devices secure, thereby reducing the likelihood of another attack taking effect.
Having centralised network access control is non-negotiable from a security perspective, and therefore integrating a system that can provide this effectively is crucial.
WannaCry can be seen as a warning shot, a very successful one at that, but what is most important now is preventing another attack with the potential to bring the NHS to its knees. Now is the time to act, not after the next attack.
PR nightmares: Ten of the worst corporate data breaches
LinkedIn, 2012
Hackers sold name and password info for more than 117 million accounts
Target, 2013
The personal and financial information of 110 million customers was exposed
JP Morgan, 2014
One of JP Morgan Chase’s servers was compromised, resulting in fraud schemes yielding up to $100m
Home Depot, 2014
Hackers stole email and credit card data from more than 50 million customers
Sony, 2014
Emails and sensitive documents were leaked, thought to be by North Korea in retaliation for Sony’s production of a film mocking the country’s leader Kim Jong Un
Hilton Hotels, 2015
Dozens of Hilton and Starwood hotels had their payment systems compromised and hackers managed to steal customer credit card data
TalkTalk, 2015
The personal data of 156,959 customers, including names, addresses, dates of birth and phone numbers, were stolen
Tesco, 2016
Hackers made off with around $3.2m from more than 9,000 Tesco Bank accounts
Swift, 2016
Weaknesses in the Swift payment system resulted in $81m being stolen from the Bangladesh Central Bank’s account at the New York Federal Reserve
Chipotle, 2017
Phishing was used to steal the credit card information of millions of Chipotle customers, thought to be part of a wider restaurant customer scam orchestrated by an Eastern European criminal gang