1 year ago


NHS investment FIRST

NHS investment FIRST SMALL STEPS…. .. BUT A LONG WAY TO GO NHS DIGITAL IS INVESTING £20M IN A NEW CYBER DEFENCE UNIT TO PROTECT CRITICAL SYSTEMS AND SENSITIVE PATIENT DATA FROM THE THREAT OF HACKERS. IS IT ENOUGH, THOUGH? National Health Service (NHS) staff provide a world-class service to patients across the UK each and every day. So, the news that NHS Digital is investing £20m in a new Cyber Defence Unit to sit in the pre-existing SOC (Security Operations Centre) to protect critical systems and sensitive patient data from the threat of hackers is extremely welcome, in the wake of recent attacks. Medical records, personal information, and more, are all details that can easily be used by cyber criminals to commit identity fraud, or hold the NHS and individuals to ransom. As Nicolai Bezsonoff, SVP and GM of Neustar Security Solutions, points out, it's been a turbulent period of late for the NHS, with the global WannaCry ransomware attack impacting 40 NHS England Trusts that were still at that time running unpatched Windows XP systems. "This served to highlight the potentially devastating effect a cyberattack can have on essential healthcare services, even when the organisation isn't directly targeted," he says. "The move to invest in 'ethical hacking', to expose and fix vulnerabilities through penetration testing, represents an innovative first step in protecting the NHS's web perimeter and mitigating the impact of such attacks in the future,” concedes Bezsonoff. "However, with an acute shortage of cyber security skills including analysis, investigation, application security, cloud computing, and white-hat hacking in the IT industry, it is unclear where the NHS is going to find the personnel to adequately resource this new unit," he states. "Earlier this year, job site Indeed indicated that employer demand for cyber security roles was more than three times candidate interest, with the UK having the second worst cyber security skills gap in the world." It could be argued that, given the type of white hat talent the NHS is looking for, the talent pool of ex-black-hats and reformed hackers could be a resource the NHS can ill afford to ignore. "This is a group of people many would understandably be reluctant to even consider for such important roles," he adds. "The threat landscape is such, though, 8 computing security Jan/Feb 2018 @CSMagAndAwards

NHS investment that they may be one of the greatest assets available to the nation's critical infrastructure, with a finger firmly on the pulse of what the latest threats - such as the recently resurfaced Mirai botnet - look like." To secure the NHS, it is critical the Cyber Defence Unit understands where the greatest dangers to the organisation lie, outside of web perimeter defences, he states. "This means ensuring a better understanding of the entire infrastructure of the NHS: the people, the technology and the vulnerabilities. Certainly, there may be significant requirements for a root and branch structural overhaul in the NHS, and not just its IT, to protect against new cyber threats. Changes on this scale are unpopular, but the threat level is unprecedented and current provisions woefully inadequate to defend an organisation of this scale." Although there are presently very few laws in place that directly relate to an organisation such as the NHS's responsibility to prevent cybercrime, the likes of the General Data Protection Regulation (GDPR), coming into effect in May 2018, means the health service will be legally obligated to keep patient data safe. "The investment the NHS is making is an important step in the right direction," further comments Bezsonoff, "but it's got a long way to go before it sorts out the many issues it currently faces." ATTRACTIVE TARGET Certainly, the healthcare industry's poor security posture makes it susceptible to the most basic opportunistic attacks, warns eSentire. "The value of patient records and the critical role medical facilities play in national stability make healthcare an attractive target for both financially motivated and politically motivated attacks. Delivery of ransomware through phishing is a common attack vector experienced by healthcare providers, in addition to point-of-sale attacks and exploitation of vulnerabilities on exposed services," the company points out. To address the widening threat surface, healthcare organisations need dedicated, on-site security professionals and customised strategic direction, in order to implement robust security standards without disrupting standard medical practice, it states. "Once a security team is in place, organisations should follow general cybersecurity recommendations such as patching, raising employee awareness and reducing the threat surface, especially as it relates to critical services." In its 'Industry Threat Report: Healthcare', eSentire points to how cybersecurity is inherently a difficult problem in the healthcare industry, as standard business practice requires decentralised data sharing and specialised network-integrated medical equipment - both of which contribute to a rapidlyexpanding threat surface. "To add to the problem, in general, funds allocated to Information Technology (IT) in healthcare are mostly dedicated to business functions that actually increase the threat surface. Only a small fraction of IT spending in healthcare is delegated to cybersecurity for securing threat surfaces (Harries & Yellowlees, 2013)," says eSentire. "In fact, KPMG reports that 43% of senior executives have not increased their cybersecurity budget, despite having knowledge of recent high-profile breaches - and 42% do not plan to." Using the publicly available Shodan service, the eSentire Threat Intelligence team conducted opensource intelligence investigations on healthcare organisations, putting themselves in the shoes of a potential attacker to assess vulnerabilities - both at the HOSPITAL SENT OFFLINE AFTER CYBERATTACK In what should prove to be a warning for healthcare operations across the UK, Europe and beyond, US hospital Hancock Regional Hospital, Indiana, US, was forced to shut down its computer systems after criminal hackers infected the internal network with file-locking ransomware and demanded payment. The hack impacted emails, online health records and internal operating systems, officials revealed. "The healthcare industry has become a prime target for cybercriminals," comments Gary Cox, technology director for Western Europe at Infoblox, in the wake of the attack. "Not only is the sensitive information held by healthcare organisations immensely valuable on the dark web, fuelling healthcare fraud in the US, but cybercriminals are increasingly seeing the value of the 'ransom over resale e-crime' model, due to the immense pressure that hospitals are under to avoid any disruption. "As ransomware attacks on hospitals become more common, it is unsurprising that 85% of UK and 68% of US healthcare IT professionals have a plan in place for this situation. However, as all good healthcare professionals know, prevention is better than treatment. All organisations must ensure that their security measures are up to scratch: from having all software patched and up to date, and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware." Gary Cox, Infoblox: organisations must ensure that their security measures are up to scratch. @CSMagAndAwards Jan/Feb 2018 computing security 9