On call: cyber risk on the increase in healthcare
Following a series of cyber-attacks targeting hospitals and healthcare providers, Andy Barratt, UK Managing Director at global cybersecurity consultancy Coalfire, assesses the risk landscape surrounding UK healthcare.
Over the past year, the UK healthcare system has experienced arguably the most challenging and sustained period of pressure since the advent of the NHS more than 70 years ago. The Covid-19 pandemic has become all-consuming, demanding unprecedented resource – be it medical, financial or human.
But Covid has also shifted the way healthcare in the UK operates. Taking an objective view, I’m of the opinion that we will one day look back on the pandemic as having accelerated the evolution of the NHS to a more modern and digitally enabled organisation. In the private sector, the speed at which it has adopted and mobilised new systems in such a short space of time could only be described as transformational and similar processes would no doubt require the input of countless change management consultants.
While hospitals continue to deal with high volumes of Covid cases, we’re already seeing the benefits of this digital transition, with investment in data management and analysis platforms informing the, so far, speedy national vaccine rollout. In the future, this investment, alongside the increase in video consultation and online booking, will shape improved patient pathways across healthcare providers and, ultimately, deliver quicker access to more glamorous innovations in treatments and medtech.
Increased cyber risk
However, such a rapid transition in times of crisis will not have gone unnoticed by cybercriminals and the level of external risk for healthcare organisations has almost certainly increased. Indeed, these unscrupulous individuals have been incredibly active throughout the pandemic – targeting both consumers and commercial organisations. While other sectors may appear more lucrative, the public sector and healthcare organisations have remained high on the target list, largely due to the international outlook of cybercriminals and the potential political motivations of those cyber-criminals backed by nation states.
This was the case in mid-February when two French hospitals were hit by a ransomware attack carried out by a group called Wizard Spider, which is believed to have links to Russia. Much like the WannaCry attack, which affected the NHS in 2017, the group’s use of a crypto-virus known as RYUK led to the shutdown of numerous online systems – including the hospitals’ internet and phone services. Patient records, surgical devices, medication and resource management systems were all affected, with some patients and treatments moved to other hospitals.
This particular ransomware has been around for almost three years now but hackers are still able to use it to lock organisations out of their systems in search of a fee. The bigger or more essential that organisation is, the more valuable a target it presents.
The level of heightened risk also extends to third-party service providers. It is no coincidence that large outsourcing firms including Interserve, Bam and Amey have all been the subject of cyberattacks in the past 12 months. Their proximity to government and public-sector contracts puts a target on their back. Equally, although not attached to its UK operations, NHS Track and Trace operator Serco was targeted and breached recently.
Looking to the future, the security standards of these third-party service providers is likely to represent the most significant risk to the smooth running of healthcare. Given the NHS is free at point of use, the commercial value lies in disrupting those businesses that keep the wheels turning. Those groups that do target the NHS directly are also playing a high-stakes game given its critical nature. For example, the offensive parts of the UK’s cyber arsenal have become more aggressive under the current Government, meaning any malicious actor would be likely to face nation state-level consequences in response.
That being said, this threat remains a reality that healthcare organisations must face into while ensuring their partners’ systems are as secure as their own.
Ransomware remains a common thread through the majority of the attacks mentioned and will almost certainly proliferate as cybercriminals search for the low-hanging fruit that is human error. For example, the RYUK attack in France is most likely to have penetrated the hospitals’ systems as a result of phishing – where Wizard Spider will have emailed hospital staff posing as trustworthy contacts. Educating and training staff in how to spot these approaches is therefore as important as having the right technology behind them.
So much has been achieved in the past year to move UK healthcare forward. As the light at the end of the current crisis comes into sight, healthcare leaders should consider how they can consolidate their security on the back of this digital evolution to ensure an altogether different crisis doesn’t develop.