Exclusive: Protecting healthcare from threat actors

February 14, 2022

Ian Porteous, Regional Director, Security Engineering, UK&I at Check Point outlines the need for cybersecurity in the UK healthcare sector.

Throughout the COVID-19 pandemic we have seen a global uptick in the number of cyber-attack incidents, but it’s hard to think of a sector more vulnerable than healthcare as we move into the new year.

Now, as headlines break about a data breach at The Red Cross – in which half a million vulnerable people’s data was exposed – Security Journal UK hears from Ian Porteous, Regional Director, Security Engineering, UK&I at Check Point about how the risk landscape is changing for healthcare companies.

How serious is the threat to the UK healthcare sector?

According to our data, healthcare has become one of the most targeted industries by threat actors, and we expect that trend to continue through 2022. Globally, we have seen cyber-attacks on healthcare providers grow by around 71% since the beginning of the pandemic.

Last year, we identified an average of 352 cyber-attacks every week on healthcare organisations in the UK. So, the answer to the question is very serious indeed and the pandemic has certainly increased the vulnerability of the sector. Often over-stretched and under-resourced even before the pandemic, resources have been stretched further still during it; security often lags behind when it comes to low-cost, rapid digital transformation.

What makes the UK healthcare sector so vulnerable in 2022?

It is important to remember that most threat actors are opportunists and will show no mercy at all when it comes to exploiting healthcare or humanitarian organisations. What we’ve seen in the past few years, and more so in the past 18 months, is the continued digitalisation of our healthcare services.

From patient-facing digital services like online GP consultations, right through to how patient data is stored and managed, the attack surface area for cybercriminals is expanding at an unprecedented rate. The number of people using the NHS app in England, for instance, has boomed over the past 24 months. An NHS COVID-19 app was also launched, allowing users to “self-serve” and access their own vaccination records. Countless non-essential employees such as administrative staff have also been asked to work from home to help stop transmission of the virus, again adding more endpoints to an expanding attack surface. When a private organisation expands its network, its security technology often evolves in lockstep. The public sector doesn’t have that luxury.

When it comes to IoT devices, in addition to all the connected and smart devices you would expect to find in a typical office environment (from printers and TVs to building management systems, HVAC, surveillance cameras and elevators), a healthcare environment also contains critical machinery used for monitoring patient conditions, administering drugs or operating multi-million-pound MRI machines – all of which can benefit massively from being ‘connected’; in doing so, however, an additional challenge is raised in protecting these devices from misuse should a bad actor gain access to the environment.

Why has healthcare become such a target for cybercriminals?

All data has value and can therefore be sold on or extorted for profit. It’s hard to think of data that’s more private and sensitive than an individual’s medical records, which sadly makes medical data very valuable to ransomware groups and other threat actors.

This valuable data can also be used to obtain expensive medical services and prescription medications or even alter a patient’s information. According to Ponemon’s Cost of Data Breach Study, at £302 per health record, the healthcare sector demands the highest cost by far to remedy a data breach. This stands in contrast to the average of £166 per record paid by other organisations. These costs include fees to investigate and repair the damage caused by an attack as well as paying fines, ransoms or any stolen funds themselves.

What do you make of the recent cyber-attack on the Red Cross?

As I mentioned previously, cybercriminals are merciless when it comes to targeting humanitarian organisations. They know the data carried by organisations like the Red Cross is extremely sensitive and therefore potentially highly lucrative for them. Most hacking groups see hospitals and healthcare organisations as ‘fast money targets’ because they can’t simply halt operations to shut down a breach.

The threat actors involved in the cyber-attack on the Red Cross went straight for the jugular. They went after the organisation’s most sensitive data, seeking to create as much leverage as possible against the organisation. The attack compromised personal data and confidential information on more than half a million vulnerable people, including those separated from their families due to conflict, migration and disaster. If that data were to be leaked it could have life and death consequences for the victims involved – sadly, to ruthless threat actors that just makes the target all the more valuable.

What should healthcare organisations be doing to stay secure?

I’d say that healthcare organisations ought to start thinking about resourcing as opposed to outsourcing. All too often when a crisis arises, remedial action isn’t taken until a certain amount of damage has already been done. Take the infamous WannaCry ransomware attack, for instance, which brought the NHS to a virtual standstill a few years ago; that particular vulnerability was due to Microsoft dropping security support for Windows 7, which the majority of NHS computers were still running.

Even those that are able to invest more in their technology and plan ahead still tend to stick with legacy technology for too long, as implementing new technologies is thought to be time-consuming and intrusive. When immediate access is needed to patients’ data across a large range of devices and applications, downtime to update or patch systems is not an option that is easily afforded.

The healthcare sector can appreciate the mantra “prevention is better than cure” more than any other sector, and that’s certainly what’s needed as we move into a new age of cybersecurity. Whenever any industry moves to a prevention approach instead of just detection, there are far fewer cyber-attacks.

To find out more information, visit: https://www.checkpoint.com/

This article was originally published in the February edition of Security Journal UK.