An awful lot has been said about the state of cyber security in the healthcare sector. Unfortunately, an awful lot of it can be filed in the FUD drawer.

Fear, Uncertainty and Doubt – in case you were wondering how that acronym unfolded – is plentiful both in politics and the broader media. Which is why we get Chancellor George Osborne warning that if ISIS successfully attacked hospitals online "the impact could be measured not just in terms of economic damage but of lives lost"; even though there is no evidence to suggest the terrorist outfit is targeting them.

It's also why, as a journalist, I am bombarded with press releases from security vendors hyping the ransomware risk to healthcare in the wake of ongoing attacks. That the vast majority of those attacks were successfully mitigated, that only one healthcare provider paid a ransom, and that all of them were in the United States rather than the UK seemed almost incidental.

It’s a crisis! It’s over-hyped!

The atmosphere of FUD is unhelpful, because it makes it hard to judge the real risk. This was shown very clearly in Digital Health’s first NHS IT Leadership Survey, which concluded that cyber security was something of a ‘marmite’ issue for the senior IT managers and clinicians who took part.

A quarter of IT directors thought cyber security issues were a ‘big threat’ and ‘high risk’, and just under a fifth of chief clinical information officers thought the same. But around 10% of both groups thought that security risks were ‘overstated’, and the same proportion said they just didn’t know.

So what’s the truth? Is cyber security a massively under-estimated problem, or one that is massively over-hyped? As always, the truth tends to fall between these two extremes, which makes it important to engage properly with news about what is happening, and with the debate about what can be done about it.

Doing nothing is not an option: the risk is a very real one and it isn't going to go away. That doesn't mean believing everything that suppliers of solutions, who have a not-so-hidden agenda, might tell you.

The sky is not falling, but the forecast is stormy. Healthcare is a hugely attractive target for the cyber-criminal fraternity, and for very good reason: it holds a lot of data, and data equals profit in the dark world of the professional hacker.

Some security researchers reckon that medical data is currently worth about ten times as much as credit card data in the dark markets where such things are traded online, because so much of it can be used to build fake identities or to mount further attacks, and because, unlike a card number, a medical history cannot be cancelled and reissued once it has leaked.

There are also a lot of devices, and they are increasingly 'connected' these days, which creates a larger attack surface. Worryingly, many of those devices run outdated operating systems such as Windows XP, which has reached 'end of life' status: it no longer receives security patches, so every newly discovered bug in it stays exploitable for as long as the device remains on the network.

We will be taking a closer look at how the Internet of Things (both medical devices in the hospital and fitness devices in the home) can impact upon privacy and security in the months to come.

Identifying the real vulnerabilities

Clinicians know that treating the cause rather than the symptom is key to good health, and that's just as true in the world of cyber security. So when NHS Tayside was unsuccessfully targeted by ransomware eight times over a two-year period, it didn't sit back and conclude that, because no patient details were compromised and no ransoms were paid, the job was done.

Instead it tackled the cause which, as is often the case, was social engineering in the form of phishing. Educating staff about the risk of being conned into opening a malicious attachment reduces the risk of infection. It does not eliminate it, which is why awareness training works best alongside the technical controls that catch the clicks training misses: mail filtering, blocking executable attachments and macros, least-privilege user accounts, and tested offline backups.

Social engineering is rife across the healthcare industry. Indeed, it’s probably route one for the attacker, who is less likely to rely on a technical vulnerability than you might think. Simply contacting a clinic reception desk and asking for login information can be hugely successful if the request is framed in a believable way, which is unsurprising given how busy your average receptionist is.

The Information Commissioner’s Office reckons that the NHS led the way when it came to falling victim to data breaches last year.

That doesn’t suggest to me that health is being targeted more than other sectors, since hackers tend to be pretty scattergun in their approach. Instead, it suggests that it’s not doing as well as it could in protecting itself and its data.

That might be down to poor handling of records of all kinds – including paper records. It might be down to poor security for data on laptops and portable media, insufficient education of staff in dealing with the social engineering threat, or budgets that cannot keep up with the pace of change.

Whatever the cause, what matters is that healthcare has to start taking security more seriously. So let's get real about the risk, while acknowledging that there is no suggestion the NHS is on the verge of some kind of cyber crisis either.

There are plenty of things that can be done to correct the issues that exist, and there is still time to do so. Now is the time to engage in meaningful conversation about achieving an appropriate level of security; that's the truth of the matter when it comes to hacking healthcare…

Davey Winder


Davey Winder is a three time Information Security Journalist of the Year award winner, and regularly contributes to The Times as well as being Managing Analyst at IT Security Thing.
