The government recently announced a long-awaited £150 million of extra funding for the NHS to spend on cyber security. It’s a much-needed cash injection given the failings exploited so ruthlessly by the WannaCry ransomware attack last May. But is it being spent in the right places? Connectivity and IoT endpoints increasingly permeate NHS organisations, creating a blend of IT and OT which could dangerously expand an already large attack surface.
Healthcare IT security bosses first need to understand how these technologies are being used in the workplace and then layer up their defences to minimise the risk of attack. In an increasingly regulated environment, it’s the best chance they have of protecting patient data and preventing potentially life-threatening outages.
A welcome move
There’s much to be welcomed in the government announcement. An upgrade for all NHS machines to Windows 10 will certainly enhance security, and the built-in anti-malware tools on each endpoint will feed into a new NHS Security Operations Centre to offer a centrally managed approach to threat detection and response. It is also claimed that individual trusts will have control over all the machines in their estates, and the ability to isolate infected machines.
Much of this, of course, comes in response to the severe outages caused by the WannaCry ransomware attack of May 2017. It forced an estimated 19,000 cancelled operations and appointments, disrupted 34% of NHS England trusts and led to infections at a 603 primary care and other NHS organisations, including 595 GP practices. It’s debatable whether having Windows 10 in place would have saved the health service, as it was an unpatched vulnerability which was to blame for the initial infection. But this new cash — which also stretches to upgraded firewalls and network infrastructure at major trauma hospitals and to address “infrastructure weaknesses” at NHS trusts — will certainly be welcomed.
IoT under fire
However, there’s a growing risk to the UK’s increasingly connected hospitals which isn’t mentioned in the government’s albeit brief announcement. Recent research from Trend Micro revealed that at any given time there could be as many as 80,000 exposed devices running in connected hospitals around the globe. A simple Shodan search revealed the increasing range of internet-connected devices in healthcare organisations (HCOs), including patient monitoring, diagnostic, surgical and imaging equipment; smart air conditioning systems; meeting room IT; connected CCTV, and much more. A lack of effective protection on these devices and systems could allow attackers to access patient databases, medical images, protocols and industrial controllers.
According to Verizon, the healthcare industry suffered more breaches than any other last year, accounting for a quarter (24%) of the global total. A historic lack of investment in cyber security coupled with large numbers of rushed mobile workers and under-staffed IT teams partly explains the risks. But there’s more: many internet-connected machines are both mission critical and too expensive to replace frequently. This is a dangerous combination as it means that they could be running outdated software but are too important to take offline to patch.
When it comes to newer IoT devices, many are left protected only by factory default passwords and potentially even bought without the knowledge of the IT department. The pressures facing clinical staff are such that many may be looking to technology solutions to improve patient care and service delivery, but in so doing they may unknowingly be exposing their employer to greater cyber risk. Healthcare was the only industry in which insider threats (56%) exceeded external attacks (43%), according to Verizon.
Data breaches are of course one of the biggest threats facing the NHS, especially given the new penalties which could be levied by GDPR regulators. The new law has expanded regulated personal data to include test results, X-rays and other images, further increasing the burden on HCOs. But denial of service could be equally devastating, as the WannaCry attack proved.
As the number of IoT endpoints grows, so does the attack surface of an HCO. They could be hacked and used as an entry point to the network in data-stealing raids. They could also be rendered inoperable in a digital extortion campaign, or infected with malware and conscripted into a botnet to launch DDoS or crypto-jacking attacks on other organisations.
Mitigating the IoT cyber threat
The first step towards mitigating these growing risks comes with gaining visibility over all the endpoints in your organisation. Carry out a Shodan search to identify which devices are publicly exposed and vulnerability scan to see which devices need patching. Virtual patching capabilities could also help shield against software flaws on unpatchable systems. With IoT devices, even changing the default password will make them harder for hackers to compromise.
>See also: Securing healthcare: is it possible?
Then it’s all about segmenting the network where possible to keep OT devices on separate or isolated virtual network zones. Firewalls and network IPS can be placed at the border between IT and OT networks for further resilience and breach detection will help continuously monitor network traffic for any unusual activity indicative of an attack.
IT healthcare managers and those CTOs in charge of security should also be looking to scan regularly with anti-malware solutions which combine conventional signature engines with advanced capabilities such as heuristics/behavioural analysis and machine learning, to offer maximum protection. App whitelisting will help to further reduce your risk exposure, and if possible, consider multi-factor authentication to secure user access to devices. Passwords can be easily phished, cracked or guessed by determined attackers today: it’s time to upgrade.
Sourced by Bharat Mistry, Principal Security Strategist at Trend Micro