Plugging the gaps to improve healthcare cybersecurity

The UK’s health service turned 75 recently, and its IT infrastructure is starting to show its age. The challenge for cybersecurity professionals working in the sector is one felt by those across many verticals. It’s about mitigating risk even as digital transformation expands the cyber-attack surface. And doing so in an industry where the stakes for failure couldn’t be higher.

I spoke to some experts for a recent ISMSonline feature to find out more.

Raising the stakes

Ransomware represents probably the biggest single cyber threat to healthcare organisations (HCOs) today, whatever country they operate in. A recent report from EU agency ENISA revealed that ransomware accounts for over half (54%) of all cyber-threats targeting the sector, with 46% of all incidents aimed at stealing or leaking data. HCOs don’t just store lucrative personal, medical and financial data in prodigious amounts, they also have a low tolerance for ransomware-related outages.

“When another critical industry is attacked such as the electrical grid for example, power outages ensue, offices and factories shut down during the outage unless they have backup generators and an hour or two, or a day or two later in most cases power is restored, and business and daily life continues as normal,” Richard Staynings, Chief Security Strategist for UK healthcare security specialist Cylera, tells me.

“When healthcare is attacked, clinicians can no longer optimally care for the sick and dying. The industry has changed a lot since the days of Florence Nightingale and today our doctors and nurses are heavily reliant upon health IT and IoT systems such as medical devices to diagnose, monitor, and treat patients.”

In fact, a link between cyber-attacks and patient outcomes has already been established. Studies have shown a correlation between mortality rates and cyber-attacks, with one report claiming a link between data breaches and heart attack fatalities.

Where are the biggest gaps?

There are so many security gaps that it’s difficult knowing where to start, Staynings says.

“Hospital networks were never designed with cybersecurity in mind so are flat and open access to anyone with credentials. Compare that to a bank or the MoD which have highly compartmentalised access and segmented networks. We are essentially trying to retrofit cybersecurity into healthcare but with limited resources and many other competing projects,” he adds.

“Another area of concern is third party risk. Healthcare uses thousands of vendors, suppliers and outsourcers who provide a wide variety of services necessary for hospitals and clinics to function. Yet Trusts do not adequately vet the security of these vendors or require ISO27001 certification or a SOC2 type attestation of security effectiveness. We have seen the impacts of vendor lapses in security with the 111 attack last year and many others.”

Staynings also points to insufficient staff training on security awareness – unforgivable at a time when most attacks still begin with phishing.

“Insisting on a year-round security awareness programme makes immense sense and probably represents ‘the biggest bang for the buck’ as far as spending on cybersecurity is concerned,” he argues. “Every NHS employee, consultant, contractor, and vendor should be trained, armed and ready to defend against cyberattacks. Currently however, they are not.”

Mohammad Waqas, CTO for Healthcare at Armis, tells me that IoT medical devices (IoMT) represent a critical risk, especially as security teams often don’t have sufficient visibility. A recent survey conducted by the vendor found that a third of NHS Trusts have no method of tracking IoT devices and 10% use manual processes or spreadsheets to do so.

“It’s a common saying within the cybersecurity community that you cannot protect what you cannot see. Complete visibility allows hospital security teams to better understand what devices are connected to their network, when and how they are being used and what are the risks associated with said devices,” he tells me.

“Understanding that context will allow the healthcare organisation to take action and remediate any security need.”

While HCOs might have their PCs locked down, that’s not usually the case with IoMT, Waqas argues.

“The proliferation of IoMT is driving innovation and ultimately improving delivery of care, however its adoption has rapidly enlarged the attack surface. What increases the risk is that existing medical devices on networks are generally running legacy operating systems that no longer receive security patches. These are prime targets for attackers and can be impacted during ransomware attacks,” he explains.

“It’s important to appropriately segment these devices to limit communication as much as possible. Without this, medical devices can very well become non-functional and thereby greatly disrupt patient care—sometimes for weeks. Encouragingly, more than two-thirds of NHS trusts mentioned cybersecurity of medical devices is currently a project on their roadmaps for the upcoming year.”

What’s the government doing?

The good news is that the government’s strategy for a more cyber resilient healthcare sector appears well thought out and fairly comprehensive. The challenge, though, will be implementing all of its recommendations. Staynings argues that a greying population, above-inflation price rises for drugs and equipment, and employee wages will all stretch the budget like never before.

“I would like to believe that this policy document is different from all the others which have come before it, but I can’t help thinking it’s just another excuse to rearrange the deckchairs on the Titanic. It all comes down to funding and the NHS continues to be chronically underfunded, perhaps more so now than at any time in its history,” he concludes.

“So, while the government’s intent to build up and expand the healthcare cybersecurity workforce is great in principle, in practice unless the NHS is prepared to adjust salary bands and pay market rates to attract and retain its cybersecurity staff, this initiative will likely fall flat on its face. It all comes down to funding and the will of the government to follow through and deliver on its promises—something that all British governments have a lousy record of.”


Trump on Cybersecurity – Where’s the Beef?

As the dust settles on Donald Trump’s extraordinary ascent to the White House, what do we know of his plans for cybersecurity? I’ve been speaking to a variety of experts for an upcoming Infosecurity Magazine feature and, believe it or not, the majority are not particularly optimistic about the future.

His official website, outlining the Trump ‘vision’ for cybersecurity, focuses on some easy wins:

  • An immediate review of critical infrastructure and federal cyber “defences and vulnerabilities” by a Cyber Review Team comprised of members of the military, law enforcement and private sector
  • The same team to establish “protocols and mandatory awareness training” for all federal employees
  • DoJ to create Joint Task Forces to co-ordinate federal, state and local law enforcement cybersecurity responses
  • Defence secretary to make recommendations on enhancing US Cyber Command
  • Development of offensive cyber capabilities

Doug Henkin, litigation partner at Baker Botts, said the focus on awareness raising is a positive.

“This appears to be a good development for setting a positive tone to lead from above with respect to best practices for protecting against cybersecurity threats and is also essential for corporations seeking to ensure good cybersecurity preparedness,” he argued.

“It is essential to increase training as the new administration has recognised, while also remaining vigilant to how cyber attacks occur.”

That’s pretty much where the good news ends.

It might be too early to judge president-elect Trump on his cybersecurity credentials. But it must be remembered that, despite his bluster over ‘Crooked Hillary’ and her email blunder, his businesses were found to be a whole lot worse when it comes to security. Independent researcher Kevin Beaumont scanned publicly available records last month and found that many of the Trump organizations’ messaging servers are running the no-longer-supported Windows Server 2003 and Internet Information Server (IIS) 6. He also found 2FA unsupported, meaning user accounts are vulnerable to password phishing or brute-force attacks.

What’s more, as a briefing document from think tank the Information Technology and Innovation Foundation (ITIF) tells us, Trump has promised in the past to apply tariffs against China if it “fails to stop illegal activities” and to “adopt a zero tolerance policy on intellectual property theft.”

Given what we know about China, this is a dangerous game to play. Beijing will continue to pretend it is abiding by the agreement between presidents Obama and Xi to stop state-sponsored economic cybercrime. And that could lead to heavy reciprocal penalties on US tech firms in China, such as Apple. The state-backed Global Times has already warned China will adopt a tit-for-tat approach if Trump plays it tough.

Silicon Valley scares

Trump’s election is also a disaster for Silicon Valley. The former reality TV star has expressed support in the past for the FBI’s stance in trying to force Apple into building a backdoor to unlock the San Bernardino shooter’s phone. He even called for a ban on Apple products in response to the firm’s refusal to do so. We can therefore expect more pressure on them to undermine encryption, which would be a disaster for businesses and consumers everywhere, as well as the American tech firms themselves.

As if that weren’t enough, he’s also a big fan of the Patriot Act and will inherit a fearsome surveillance apparatus from Obama. The Democrat is already being blamed for failing to overhaul the huge encroachment on civil liberties enacted by the Bush administration. Writing in the Guardian, Freedom of the Press Foundation executive director Trevor Timm had this to say:

“What horrors are in store for us during the reign of President Trump is anyone’s guess, but he will have all the tools at his disposal to wreak havoc on our rights here at home and countless lives of those abroad. We should have seen this coming, and we should have put in place the safeguards to limit the damage.”

Let’s hope he surprises us all.