
The undeserved effect of COVID-19 on healthcare data and system security


Alexander Lewis

Cyber Assessment Services Technical Practice Lead

Like all other businesses, the Softcat team have been impacted by COVID-19 and we, like you, have been blown away by the heroic work of NHS staff. However, we’re conscious that, like the amazing doctors, nurses and healthcare staff who are tired, overworked and stressed, the technology that supports them to do the amazing job they do is also dangerously stretched.

Technology is a critical dependency for so many processes in hospitals and other health-related organisations, from access to patient data, records, test results, supplier data, delivery orders, schedules and payments, logistics and medical equipment to communications (both within the healthcare system and to the public) and research data. Like their users, these systems are currently dealing with massive 24/7 demand from user numbers for which they weren’t designed, and in ways, locations and conditions for which they weren’t designed, such as the hosting of quickly written applications to speed up the clinical process.

On top of that, this is just the kind of situation that cyber criminals look for. As IT functions scrambled to enable everyone to work collaboratively, remotely and securely, human nature means that inevitably something could be missed, and this presents an opportunity for malicious threat actors. This is by no means anyone’s fault; the long-stated battle between business continuity and security will always be an organisational challenge, and every organisation within the health sector should take pride in the speed with which they have been able to adapt.

The threats to keep an eye on

The best thing we here at Softcat can do is give you as much visibility as possible into those security gaps and the types of opportunistic cyber criminals who seek to exploit them. We spoke with one of our main cyber security partners, PGI, to develop some threat profiles and provide you with some advice to help your organisation defend its information assets.


Data theft: Those who steal staff and patient personal details to trade on dark markets, where personal healthcare data is now more valuable than credit card data. The need to share access to patient data across the healthcare system to deliver swift, safe treatment creates many vulnerabilities for criminals to exploit, particularly with so many people needing remote access to the data during lockdown. Ensuring your data is kept secure, and your communications secret, will mean the public can take confidence in your organisation’s advice and communication.

Ransomware attackers: These criminals generate remote access capability, invariably through phishing attacks, deploy ransomware that spreads and seizes up the IT systems (or the data upon them) and then demand payment to release it. In a crisis, their success rate climbs; the demand for the systems and data is critical, the risk tolerance levels are very low and the need to pay the ransom escalates. It is important to note that these criminals will often steal data before deploying their malicious encryption, either to sell on to other criminals or to instigate a ‘double extortion’ where they threaten to publicly release the data they have stolen unless a further payment is made, raising the spectre of reputational damage or ICO investigations and fines.

Scammers: These criminals access healthcare financial systems and departments and exploit the current environment of emergency and crisis, in which understaffed teams are working remotely in unfamiliar conditions where traditional controls are less effective. Fake invoices, fake supplier details and exploitation of the payment systems steal money from the very organisations who desperately need it in order to play their role in the crisis. Additionally, online scams, invariably using stolen patient data and messages about the C-19 crisis itself as bait, are targeted against the public using their own stolen data. The public themselves are living in uncertain, unfamiliar and anxious times, domestically, professionally and personally, and are particularly susceptible to scams, especially if they appear to come from a trusted origin.

Malign state actors: These actors take research data, supply logistical data, and all other data relating to our national response. At best, it is to accelerate and improve the speed and effectiveness of their own national response; more worryingly, it is often to identify ways and means to secure their own national supplies and deliveries of equipment and scarce medicines at the expense of other nations. At its worst, it is to win the race for vaccine development; not just for the kudos, but for the ability to control supply chains, price, availability and production in line with their own national priorities.

Malign state actors and their proxies: Every organisation, in every country around the world, is worried, and sometimes we find that the international coalition of cooperation can dissipate when national health and economies are at stake. At a time when global situational awareness and societal communication have been driven onto the internet and social media like never before, the power of controlling and manipulating information flow into an anxious, stressed and uncertain population can create a hugely distortive effect.

Shoring up your defences

We recommend looking at the following areas to ensure your defences are as strong as they can be:

Human factors: Most breaches from all types of attackers occur as a result of a successful phishing campaign that gives attackers direct access to the systems. Ensuring the whole workforce knows what to look for is just as important as the technical mitigations. We recommend reviewing password policies, enabling multi-factor authentication, reviewing data access controls and identity management, and educating your team via an awareness course. We particularly recommend a phishing exercise and assessment to allow organisations to clearly measure the scale of the risk they carry from such an attack.

Technical mitigations: In addition to reviewing access controls, organisations should conduct regular penetration tests—not to be confused with an automated vulnerability assessment. These tests are systematic examinations of a network or system undertaken by qualified, experienced security experts who have been given permission to exploit the vulnerabilities and misconfigurations they find in external or internal infrastructure to determine the potential impact. Because of the constantly changing and evolving nature of cyber threats, penetration tests should be conducted regularly throughout the year and when changes are made to infrastructure.

Incident response plans: The ever-evolving threat means that eventually an attacker will find a way in. What do you do when that happens? A tried and tested Incident Response plan will ensure that there are processes and procedures in place to mitigate further damage and get systems up and running as quickly as possible.

The road ahead

The entire British healthcare system has been simply heroic; we applauded them every Thursday evening quite rightly and deservedly. We want to be able to look back at a diverse tapestry of organisations who can be proud of their agility, diligence and efficiency of responding to the COVID-19 Pandemic. We don’t want short-, medium- or long-term reputational or financial damage to be inflicted on organisations who don’t deserve it. We want to preserve the undiluted heroism of the extraordinary people who saved lives, preserved health and protected a nation from C-19 and all its consequences. And those heroes and heroines equally in the sector’s Leadership, IT and Risk Management functions.

We have long experience of managing these issues in a crisis. Quietly, effectively and efficiently introducing protective measures and solutions without disrupting the main effort, supporting departments who are continually overstretched. Understanding what’s good enough for the prevailing environment and what is not appropriate. Protecting critical services, supplies, finances, people and reputations. It need not be either hard or particularly expensive, but as a dependency upon which the clinical service depends, it must be done.