Zak Suleman, Healthcare Security Specialist at Smoothwall, discusses the threat of cyber-attacks in hospitals and what can be done to prevent them
It went largely unreported, but ISIS-linked hackers recently infiltrated the UK’s NHS systems to show gruesome images of the war in Syria. Although no information was seemingly extracted, this raised huge concerns about the security flaws in NHS systems used to store and protect sensitive information. The prospect of hacking a hospital can leave some scratching their heads; surely, if a hacker can find his or her way through a security system, he or she would go for high-value targets such as banks or businesses, where financial data can be stolen and used immediately?
Firstly, hospitals are seen as easy targets; the NHS is seen as more vulnerable than educational establishments and businesses because it operates on tighter budgets with fewer staff. Jeremy Hunt’s recent admission that his target of a paperless NHS by 2018 is to be ditched because of weak IT systems only goes to show the technological pressures hospitals are under to digitalise. While the NHS should, and will, turn to a paperless system eventually, without the appropriate funding the pressure will fall on staff, managers and systems. Threat actors will see this as an opportunity to pierce an increasingly fragile security membrane.
Secondly, data being shared in hospitals is unusually open; because the way healthcare operates is increasingly digital, a variety of staff functions need to access different sets of data across a range of devices. A nurse may be accessing a patient’s data on a tablet, a doctor could be accessing the same information on a laptop and an administrator could be doing the same from a desktop. Giving more information to more people on more devices heightens the risk of that data being leaked or hacked, particularly if the security systems are flawed and inadequate.
Thirdly, while financial data such as credit cards, bank statements or other commercial data could be more easily obtained from hacking a business, threat actors are able to steal other nuggets of a person’s information from a hospital which they can then build on and exploit fully later. This is what we’re terming ‘social engineering’ – the act of building up a data profile of people over time. Doctors and hospital staff will hold a patient’s contact details, address and other private information which could prove an invaluable dataset to a prospective hacker in the longer term.
In this sense, the NHS is as vulnerable as (if not more vulnerable than) any large organisation or SME. As services become more digitalised, technology is able to expand the realm of what’s possible within the NHS and can lead to benefits such as cost reductions and a vastly improved service. Yet with added complexity also comes an increase in risk. Ultimately, the challenge for the NHS is that the attack surface is incredibly big, with a massive pool of data at its feet.
It has therefore never been more important in today’s digital era to ensure collaborations and access rights are as secure as possible: this means a combination of heightened data encryption, filtering and firewalls. Hospitals must ensure they have a managed security strategy to protect both endpoints and the edge. From a managed desktop estate (ensuring the correct tools are in place to prevent staff from unintentionally installing harmful botnets or ransomware) to a Secure Web Gateway (the first line of defence that controls, monitors and protects users even before information enters a hospital system), these are essentials for hospital security.
Fundamentally, security systems can never be 100% foolproof. One of the challenges for the NHS is the human element, from clicking on phishing emails to unmonitored internet surfing; technically, you’re only as strong as your weakest link. But this need not mean neglecting the necessity of a strong, layered defence that serves and protects, coupled with education. Technology shouldn’t be an inhibitor, but rather an enabler that safeguards surgeons, doctors, receptionists and all hospital staff across the entire network. While the threat of cyber-attacks that hospitals face is unprecedented, it can be controlled with the most rigid, smart and up-to-date security ecosystems.