Foundations for cyber security need to be strengthened if healthcare is to survive this latest round of attacks

To combat the escalating proliferation of cyberattacks on healthcare, organisations need to ensure their IT and cyber foundations are sound. This seems like an obvious statement to make, but after 15 years of poor investment in health IT, there’s a lot to do. Andy E, former Director of Connected Nottinghamshire, the first chief cyber security officer for a system STP and most recently the first Chief Cyber Security Officer for an ICS at Birmingham and Solihull explores the key capabilities required to improve things. Starting with asset, identity and access management to solve some of the issues. 

There are three main threats to the cyber security of NHS Trusts. These comprise of a legacy debt brought about by the lack of investment over many years; third party suppliers that don’t always ensure products are up to date and protected and; the three C’s - capability, capacity and culture within the Trusts themselves.

Escalating threat levels

The cyber threat faced by healthcare providers (and everyone else for that matter) is evolving at a faster pace than ever before. The Wannacry ransomware attack of 2017 which affected organisations around the globe, had a disproportionate effect on healthcare because the attack preyed on older and unpatched versions of Windows. Then, like now, some of these were past their end of life and poorly maintained, making them a severe security risk. This perfectly demonstrates the danger of lack of investment in basic IT infrastructure. Since then, the rate of change in the volume and capabilities of criminals has shifted seismically and with it the threat levels to the NHS have escalated.

Since the Ukrainian conflict we have seen a huge increase in threat actor activity from all criminal classes, from nation-state espionage to low level financial fraud. A figure I saw recently from a trusted source, reported that in the last year alone we have seen a 1000% (yes, x 10!) increase in malevolent activity in relation to ransomware and other types of cyberattacks.

The rate of change is huge, and it is becoming harder to differentiate between the traditional virus malware type attacks, because attackers are now using our own IT against us.

Add to this the fact that the growing trend for medical history data dumps is for this now to be surface web visible. I have even seen threats in the ransomware negotiations for this data to be marked for index. This would mean ingestion into the search engines we all use. None of us want to see that happen.

For all these reasons, getting the basic foundations in place, like knowing what assets you have and protecting these with simple concepts like least privilege is of great importance. Identity and access management has always been IT’s bedrock and it is becoming increasingly important in mitigating these cyber vulnerability threats.

IT legacy debt

Lack of investment and modernisation across the NHS is making the sector more vulnerable than it needs to be. There may be difficulties around replacing some older specialist systems, however these can be mitigated by introducing extra controls and layers of security, typically that remove the reliance on passwords. These controls include use of technologies such as, multi-factor authentication, single sign on and least privilege access management implementation. These things can be time consuming to implement and manage, but there are tools to streamline and manage that now of course.

Third party suppliers

Vendors and suppliers have a key role to play in the modernisation of NHS systems. Their systems need to ideally keep pace with the rapid evolution of technology, but also be able to accommodate suitable cyber security measures. These requirements are often not new, interoperability with identity and access management controls for example will improve demands on IT departments, an already overloaded resource. At the moment, all too many vendors have very specific requirements for interfacing to other systems, a move to more open standards across the NHS would make life easier for everyone. Let’s face it, we don’t need to invent these, they have been around quite a while.

The 3 Cs, in-house capability, capacity and culture

While it is perfectly laudable to ‘sweat the assets’, 15 years of under investment has taken its toll on our IT infrastructure. And as a subset of IT budget and resources, cyber security investment has suffered accordingly at the very time when we are facing increased pressures. This is one reason why we are not keeping up with the cyber attackers because people don’t have the time, or the skillsets to examine adversaries changing tactics and attack vectors.

Shoring up defences with solutions such as IAM

So how do we solve this many layered problem? It is solvable, and good well-architected IT, supported by robust processes and risk management will go a long way to achieving this.

For example, if a critical system is more vulnerable, say a legacy system, it should not be on the same network as services that require open internet access such as email and web browsing. And access to more vulnerable systems should be even more tightly controlled. However, that doesn't mean to say that we make life difficult for users, it is simply a matter of improving processes around identity and access management.

Identity has several facets to it. As well as authenticating that the user is who they say they are, access can also be controlled by that user being in the right place (an expected location) at the right time (within certain hours). Anything outside of these parameters would trigger an action or alert to be checked.

Removing the requirement for passwords with solutions such as single sign on (SSO) not only saves time, but it also better safeguards vulnerable systems. Using more than one form of authentication, i.e. the place you are, the machine you use, something you have – a token or smartcard, something you know – a PIN, even something you are – biometrics, further improves security, particularly when people are working remotely.

When IAM is designed correctly, people don’t need to log out quite so frequently (or screens simply fade to lock), and they are provided with only the access they require in order to do their jobs at that time (role-based identity management). Taking the least privilege approach means that if an identity is compromised the hacker is limited in the damage they are able to wreak. It takes me seconds to compromise a user with even local administration rights, but a user with only the permissions they need will slow me down. And with so many targets out there, I would just move on to an easier, less resource consuming target.

In short, the baddies are a force to be reckoned with and getting better, and as a result we need to up our game as well like never before. Using the identity management tools that we already have more effectively, combined with improved processes, is a quick win with minimal outlay, which will fortify the foundations that newer systems can be built upon.

In my next blog I’ll be giving more suggestions for dealing with the legacy IT debt. And explaining what happens if you don’t get basics right.