Editorial

The rising threat of Putin on the NHS

The UK Government is on high alert preparing for a wave of potentially devastating Russian-led cyberattacks on critical infrastructure. Richard Staynings, chief security strategist at Cylera, says healthcare is an area vulnerable to an imminent attack.

Posted 27 September 2023 by Christine Horton


Healthcare has always been an easy target for hackers. Its IT and IoT systems were never designed to be secure. Flat, sprawling hospital networks, just like those of universities, were designed to facilitate cooperation and collaboration between different groups and departments. Access controls to critical systems were basic: the fact that a user was a doctor or a nurse meant that access was pretty much open to anyone who needed a clinical system or clinical data, because these clinical users were trusted. There was little concept of segmentation or role-based access control (RBAC). And while banks and other financial institutions were being pillaged by cybercriminals, the broad opinion inside healthcare was “who in their right mind would want to attack healthcare?” Consequently, little changed, and what did change did so slowly.

Indeed, this mindset is largely reflected in our healthcare security regulation, which was designed not to ensure security but to protect privacy and a patient’s access to their own medical data. In fact, in nearly all national jurisdictions, regulation is still myopically focused upon the protection of ‘confidentiality’ rather than the far more important protection of data ‘integrity’ and of systems and data ‘availability’. Together these three pillars make up what is known as the CIA triad, which forms one of the basic tenets of what we now call cybersecurity.

Under regulation, breaches of confidentiality – a fax being sent to the wrong number, personal health information (PHI) being exposed to the internet, or PHI being accessed by an unauthorised individual – had to be reported, and it soon became evident that the healthcare industry as a whole was woefully insecure. Theft of personally identifiable information (PII) and PHI quickly became endemic, but more importantly, so did the wholesale theft of intellectual property and the commercial trade secrets of research hospitals and pharmaceutical companies.

China responsible for biggest healthcare breaches

Most of this cyberespionage was, and still is, being conducted by the People’s Republic of China (PRC). Unlike other cybertheft activities, this is strategic and state-sponsored. Its purpose is to boost the PRC’s own state-owned industries, with China thought to employ close to 100,000 PLA soldiers to hack into other countries’ businesses and governments to acquire cutting-edge research and trade secrets. This was brought to light most famously by the publication of Mandiant’s APT1 Report in 2013, which exposed the nefarious activities of just one of many PRC advanced persistent threat (APT) groups – the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398), active since at least 2006. These Chinese APT groups are responsible for nearly all of the largest healthcare breaches.

While the PRC is the greatest cybersecurity adversary of western nations measured in volume of stolen information, Russian-language groups are probably the highest-profile cyber-attackers. Through a combination of official Russian state military and intelligence groups (GRU, FSB, etc.) and a sprawling network of organised crime syndicates, who often act as a proxy for the Kremlin, these groups are active in ransomware and DDoS cyberextortion attacks against hospitals across the west. This is significant from a national security perspective because healthcare is considered a critical national infrastructure (CNI) industry. The Kremlin can, and has, used attacks against CNIs to bully and cajole nations that are actively opposed to Putin’s invasion of Ukraine. By using a proxy, the Kremlin can then claim plausible deniability while inflicting costly damage on its foreign adversaries. This extends beyond healthcare to many other CNIs, including the attack earlier this year on the Royal Mail, which occurred not long after the UK agreed to ship new weapon systems to Ukraine. Then, most recently, came the suspected Russian-backed attack on the MOD, which saw thousands of documents on the UK’s most secretive sites leaked online.

A new report by the UK government warns that cyberattacks on critical infrastructure could endanger life. Attacks against the NHS are of particular concern given the broad impact they would have. The report updates how the government identifies and evaluates risks and the type of data collated. Russia and Russian-aligned actors are increasingly targeting governments and organisations that are critical of Putin and his war in Ukraine, so the government needs to be on its toes, looking for indications of attack or compromise across all UK CNIs, especially healthcare, which is perhaps the most vulnerable. Cyber-attacks and terrorist attacks now top the list of risks that the government tracks, as cyber increasingly becomes the grey-war weapon of choice for pariah nations.

Since the devastating WannaCry cyberattack that crippled much of the NHS in 2017, there have been many changes across UK healthcare providers in the past five years, including the introduction of the DSPT and NHS Cyber alerts. However, the fact remains that all UK CNIs face an elevated cyber threat landscape despite much better preparation. The healthcare industry in particular is undergoing a massive and far-ranging digital transformation. This includes all kinds of new functionality for doctors and patients that is helping to drive up efficiency and improve patient outcomes. But this comes at a cost, as more and more medical and other healthcare IoT devices are connected to medical networks and to patient record systems. This expands the potential attack surface for cyber criminals, meaning that security needs to be improved alongside these advances in technology. The problem is that cybersecurity has not been allowed to keep up. The result is a growing gap between IT or digital maturity and cybersecurity maturity. This is the Maturity Paradox facing healthcare and many other industries.

Insecure medical devices

Today, only 25 percent of devices that connect to hospital and clinic networks are managed by the IT and security teams of NHS Trusts and private providers. The other 75 percent are a mix of medical and IoT connected devices, including X-ray, CT, ultrasound, EKG, radiotherapy, infusion pumps and patient telemetry and management systems. Being added quickly to this list are a number of robotic systems for pharmacy, transportation and surgery, all helping to drive up efficiency.

If attacked, these systems could have a devastating impact on the patients being treated by them, as well as on the integrity of the medical network. Some 64 percent of security professionals in healthcare cited insecure medical devices as their biggest security concern, as few UK hospitals can currently identify with certainty which devices are actually attached to their networks. Even fewer have an accurate risk assessment of these unmanaged devices, or have compensating security such as network segmentation controls in place for when these devices cannot easily be patched against known security vulnerabilities.

This list of healthcare IoT also includes a growing list of hospital and clinic building management systems for HVAC, thermostats, lifts, security cameras, proximity card door locks, fire alarms and much more. These are now connected via the internet to remote management companies who service this equipment and ensure that everything remains running. Without most of these, hospitals would be unable to operate and would have to go on divert, as many did during WannaCry.

Add to this the changes in healthcare practices since COVID, including less hospital care and more care in the home. In many cases this means medical devices are being sent home with patients to report on their recovery across the internet. It also includes more healthcare employees and consultants working remotely from their homes or physician practices and connecting remotely back to hospital and trust systems. This further broadens the attack surface and the area that must be secured by cybersecurity teams.

Healthcare appears to be in the middle of a perfect storm. Massive changes to information technology are enabling new ways of delivering services to patients while rapidly increasing the size of the industry’s attack surface, and a criminal and geopolitical threat environment continues to grow, intent on attacking CNIs for the monetisation of ransomware and other extortion campaigns, or for the terrorist political value of disabling a national critical industry.
