Cyber Security Advisory Series 1, 2017
In the first of Digital Health Intelligence’s new quarterly cyber security advisory series, Davey Winder looks at a network security health check for 2017.
The truth is that the threatscape for 2017 looks pretty much the same as it did for 2016, at least until you zoom in for a more detailed picture. Before doing that, however, it is useful to remember that the wider view has not changed; that way you don’t overlook the myriad threats that are still there to defend against.
Top three threats of 2017
If we were to compile a top three threats of the year, across all industry sectors, then ransomware, Distributed Denial of Service (DDoS) and phishing would make the list.
Fortunately, the only denial-of-service to make healthcare headlines in 2016 was self-inflicted: in November someone accidentally sent an email to all 850,000 people with an NHS.net address, and the resulting email storm slowed the service to a crawl. Phishing and ransomware, sadly, posed very real threats to the health sector.
The Digital Health NHS Cyber Security Survey Report 2016 revealed that nearly one in five (18%) of the NHS IT leaders questioned had experienced disruption to systems and data courtesy of a phishing attack.
Ransomware, the most common attack in 2016, looks set to continue
Meanwhile, 43% of those surveyed reported being on the very sharp end of a ransomware attack during 2016. Neither looks like slowing down this year, nor standing still in terms of threat evolution.
Although the basic phishing concept stays the same, sending email bait out to the unwary in the hope of catching a victim who follows a malicious link or opens an infected attachment, the methodology is changing. Highly targeted attacks, known as spear-phishing, will become the norm, and that is bad news for healthcare.
Spear-phishing set to become bad news for the NHS
Bad news because the very fact that these emails target specific departments, roles or employees makes them harder to defend against. It is one thing to teach the workforce not to follow links or open attachments arriving in scattergun phishing campaigns, but quite another when realistic-looking bait arrives on a hook that does not look out of place in the recipient’s inbox.
Ransomware probably won’t display a massive evolutionary change; after all, why fiddle with something that is making so much money as it is? While we wait for the full-year figures to come in, the FBI reckoned that during the first quarter of 2016 alone some $209 million (£170 million) was paid in ransoms.
That figure includes the Hollywood Presbyterian Medical Center in the US, which paid 40 bitcoins (around £12,000 at the time) to get control of its computer systems back after being offline for a week.
£345 ransomware attack led to critical incident at Lincs and Goole
In the UK, the highest-profile cyber-attack within the NHS has probably been the ransomware that hit Northern Lincolnshire and Goole NHS Foundation Trust in October 2016. While the £345 ransom wasn’t paid, the attack was declared a ‘critical incident’, leading to operations being cancelled for three straight days.
One NHS IT director told the Digital Health report that “it’s just a matter of time before a trust is taken out by a cyber security attack” and they are right, with ransomware being the most likely culprit.
Prevention better than cure
There will be many new incarnations of the threat; the days when everything was a CryptoLocker clone are long gone, and where ransomware heads next is open to much speculation. None of that really matters from the healthcare perspective: whether it is patient records or medical devices being held to ransom, lives are at risk either way. As any doctor will tell you, prevention is better than cure, so the bare minimum check is that backup mechanisms and system continuity controls are not only in place but actually work as expected. A backup that has never been restored is an assumption, not a control, and at least one copy needs to be offline or otherwise out of reach of a compromised host, since ransomware encrypts whatever it can write to.
Interestingly, while ransomware targets may be changing, the delivery mechanisms largely are not. They remain entrenched in the familiar, and for the most part that means our old friend phishing. About the only change here will once again be a move away from scattergun catch-what-you-can campaigns towards highly targeted spear-phishing.
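As an added illustration of that bare minimum check, not code from the article or from any of the vendors it cites, the following Python script verifies a restore rather than just the existence of a backup: it records a SHA-256 manifest when the backup is taken, compares a restored tree against it, and checks the backup’s age against a recovery point objective. The directory layout, file contents, three-hour backup age and 24-hour RPO are all constructed for the demonstration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Relative path -> SHA-256 for every file under root; recorded when the backup is taken."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root, backup_time: float,
                   rpo_hours: float = 24, now: float = None) -> dict:
    """Check a restored tree against the manifest and the backup's age against the RPO."""
    now = time.time() if now is None else now
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    age_hours = (now - backup_time) / 3600
    return {
        "files_expected": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "age_hours": round(age_hours, 1),
        "within_rpo": age_hours <= rpo_hours,
        "ok": not missing and not corrupt and age_hours <= rpo_hours,
    }


def demo() -> tuple:
    """Constructed scenario: a tiny 'live' tree, a clean restore, a stale backup, a damaged restore."""
    files = {
        "records/patient-0001.txt": b"constructed record one\n",
        "records/patient-0002.txt": b"constructed record two\n",
        "config/app.ini": b"mode=prod\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            for rel, data in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        taken_at = time.time() - 3 * 3600          # assumption: backup taken three hours ago
        manifest = build_manifest(live)

        good = verify_restore(manifest, restored, taken_at)
        stale = verify_restore(manifest, restored, taken_at - 48 * 3600)

        # What a ransomware run that reached the backup target looks like on restore:
        # one file encrypted in place, one file gone.
        (restored / "records/patient-0002.txt").write_bytes(b"\x8a\x1f\x00 not the original")
        (restored / "config/app.ini").unlink()
        bad = verify_restore(manifest, restored, taken_at)
        return good, stale, bad
```

demo() returns three reports: a clean restore, the same restore judged against a stale backup, and a restore in which one file was encrypted and one deleted, which is what a backup target reachable from an infected host looks like afterwards. The point of running something like this on a schedule is that the "ok" flag comes from an actual restore, not from a backup job’s exit code.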
Familiar threats of BYOD remain
The threatscape map for 2017 is almost fractal in design, as you zoom in the detail looks like it is changing but you soon realise that we are back looking at the original patterns once more. So just as phishing keeps rearing its head, so does the Bring Your Own Device (BYOD) problem. BYOD creates all kinds of security, or more accurately risk, problems. Not least of which is the challenge of bringing proper visibility of device security status into the healthcare environment. It’s hard enough knowing who is using what to do which, if you’ll excuse the grammar, but it’s even harder to know how securely they are doing it.
That doesn’t mean you must accept BYOD blind spots as inevitable. If a clinician is determined to use their personal smartphone for clinical communications, for instance via WhatsApp, because it is the most efficient method at the time, then all the security policy in the world will not stop them. Rather than adopting a finger-wagging attitude, it makes better data protection sense to support them in using those devices securely.
Beware of ‘data shadows’
Our Digital Health Cyber Security Survey suggests 62% of respondents had not been troubled by mobile device threats (only 11% said they had), but this doesn’t mean that a mobile threat does not exist, nor that BYOD doesn’t serve to amplify it. There is, dear reader, many a ‘data shadow’ between device and network; your job is to shine a light in all the corners.
User education key to more secure 2017
One thing should, hopefully, be clear by now; user education holds the key to a more secure 2017. Getting the secure message through to staff, at all levels across the breadth and depth of the organisation, cannot be overemphasised.
We found that 64% of respondents to our survey provided threat awareness training, which is good news. That 27% provided no such training, less so.
One Chief Clinical Information Officer hit the awareness message bang on the head when commenting for the report that the workforce is at once the greatest threat and strength. “They will spot aberrant behaviour and raise alerts appropriately, but could also be the vector to allow threats in. Money spent on education is probably better value than kit…”
The latter point being especially relevant when you consider that good awareness training can establish a security-conscious culture within the organisation.
In need of a security health check?
How should NHS organisations respond to the growing number of cyberattacks targeting them?
Attacks in healthcare are rising
The NHS is under attack. A recent Freedom of Information (FoI) request found that 47% of health trusts in England had been targeted by ransomware over the past 12 months. Losing access to critical data or computer systems could quite literally be a matter of life or death for an NHS trust, which is why, the criminals’ thinking goes, they may be extorted into paying a ransom to recover access to core systems.
Indeed, Northern Lincolnshire and Goole NHS Foundation Trust took the unprecedented step of suspending all its operations in October 2016 in the wake of what is believed to be a ransomware attack. The Trust’s press statement underlined that patient safety was of paramount importance, and that it was deemed safer to cancel appointments and operations so that the source of the attack could be isolated and destroyed. This was a wise move, but in the meantime it meant that all major trauma cases had to be transferred to other hospitals and that IT systems were forced offline for days.
As yet, no NHS trust has been reported to have paid a ransom in order to recover data or systems, but in the US the Hollywood Presbyterian Medical Center paid $17,000 in bitcoin in February 2016. The Los Angeles hospital stated that, after critical systems were forced offline and patient care was affected for several days, paying the ransom was ‘the quickest and most efficient way to restore our systems and administrative functions’. Efficient in the short term maybe; but every time an organisation pays such a ransom, attackers are encouraged to try more, and more insidious, attacks.
What’s more, another FoI request by Sky News to uncover the scale of cybersecurity incidents at NHS trusts across the UK found that last year, personal data breaches in the health service totalled 4177, compared with 3133 in 2014. These numbers are big – and getting bigger – and yet the sums spent by trusts on cybersecurity remain small, averaging just £23,000. So as attacks and breach incidents increase, what should trusts do to ensure they can better protect their critical systems and the sensitive data they hold?
Prevention is better than cure
The first principle in protecting against the growing wave of ransomware and malware is to stop it reaching the network in the first place. Detecting a threat after it has infiltrated the network is no longer good enough on its own, because malware can cause significant disruption within minutes; it needs to be blocked before it reaches users. This is where next-generation threat prevention, built around advanced sandboxing, comes into play.
Sandboxing provides quarantined inspection of incoming attachments and documents, so that malware not yet recognised by security vendors and added to antivirus signature banks can be caught before it enters the network. However, newer ransomware campaigns get around sandboxes by using a two-stage infection process built on document macros.
The first-stage document carries only a small macro that looks benign and does nothing overtly malicious until a user enables it, so detonating the attachment in a sandbox often reveals nothing worth blocking. The document is sent to targeted individuals using social engineering. If the recipient opens it and enables the macro, the macro downloads the full ransomware payload, which starts encrypting files on the host PC and on any other machine it can reach across the network. This form of attack is difficult to defend against because the user has effectively ‘invited’ the infection onto their machine.
Document sanitisation techniques, which strip active code such as macros from email attachments before delivery, therefore add a vital layer of defence against these variants: the infection chain is broken at its first stage, before the macro can fetch anything. The price is that legitimate macros are stripped too, so sanitised copies should be delivered with a route for users to request the original where there is a genuine business need.
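To make the sanitisation step concrete, here is an added Python example, written for this page rather than taken from Check Point or any other product, that detects and strips the VBA project from an Office Open XML document. The sample .docm package, including its stub vbaProject.bin, is constructed inside the script. A real sanitiser must also handle the legacy binary .doc/.xls formats, embedded OLE objects and DDE fields; this example only flags embedded objects and leaves the rest out.

```python
import io
import re
import zipfile

# Part content types that carry VBA code in an OOXML package.
MACRO_PART_TYPES = {
    "application/vnd.ms-office.vbaProject",
    "application/vnd.ms-office.vbaProjectSignature",
}
# Macro-enabled main-part types and the plain types they become once the VBA is gone.
MACRO_ENABLED_MAIN = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
}


def build_sample_docm() -> bytes:
    """Constructed .docm-style package: one paragraph of text plus a stub VBA project part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    doc_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '</Relationships>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Invoice attached, please enable content to view.</w:t></w:r></w:p></w:body>'
        '</w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", document)
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        # Stub OLE compound-file header standing in for a real VBA project (constructed).
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56)
    return buf.getvalue()


def list_parts(doc: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return z.namelist()


def read_part(doc: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return z.read(name).decode("utf-8")


def find_active_content(doc: bytes) -> list:
    """Names of parts that carry executable content: VBA projects and embedded OLE objects."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        xml = z.read("[Content_Types].xml").decode("utf-8")
        types = {m.group(1).lstrip("/"): m.group(2)
                 for m in re.finditer(r'<Override PartName="([^"]+)" ContentType="([^"]+)"', xml)}
        return [name for name in z.namelist()
                if types.get(name) in MACRO_PART_TYPES
                or name.lower().endswith("vbaproject.bin")
                or "/embeddings/" in name]


def sanitise(doc: bytes):
    """Rebuild the package without active parts; returns (clean_bytes, removed_part_names)."""
    flagged = find_active_content(doc)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(doc)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name in flagged:
                continue                      # drop the active part itself
            data = src.read(name)
            if name == "[Content_Types].xml":
                xml = data.decode("utf-8")
                for part in flagged:          # drop its content-type declaration
                    xml = re.sub(r'<Override PartName="/%s"[^>]*/>' % re.escape(part), "", xml)
                for macro_type, plain_type in MACRO_ENABLED_MAIN.items():
                    xml = xml.replace(macro_type, plain_type)   # macro-enabled -> plain document
                data = xml.encode("utf-8")
            elif name.endswith(".rels"):
                xml = data.decode("utf-8")
                for part in flagged:          # drop relationships that point at removed parts
                    base = re.escape(part.rsplit("/", 1)[-1])
                    xml = re.sub(r'<Relationship\b[^>]*Target="(?:[^"]*/)?%s"[^>]*/>' % base, "", xml)
                data = xml.encode("utf-8")
            dst.writestr(name, data)
    return out.getvalue(), flagged
```

The sanitised output keeps the document text and drops the vbaProject.bin part, its content-type declaration and the relationship pointing at it, and downgrades the main part from the macro-enabled type so Word treats the result as a plain .docx. Running sanitise on already-clean output removes nothing, which is a cheap self-check for the pipeline.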
This is not to say that traditional signature-based antivirus no longer has a place in NHS trusts’ cyber defences; it still provides a crucial first line of protection against the huge volumes of known malware still in circulation. It does, however, need to be used alongside advanced sandboxing and document sanitisation to defend against constantly evolving malware and ransomware variants.
Protection against the wave of cyber threats facing NHS organisations doesn’t stop there, however. It’s also vital to consider the wide range of endpoint devices on hospital networks. Desktops, laptops, smartphones, tablets – these have long been part of the endpoint ecosystem in a typical hospital, but more recently they have been joined by the proliferation of smart, connected devices. This means many more potential entry points into the hospital for cybercriminals.
A sophisticated and specialist endpoint protection system, which applies to connected medical devices as well as the computers and smartphones, is therefore crucial for today’s NHS organisations. What’s more, mobile devices that regularly leave hospital networks, join others and then rejoin the hospital, must receive the same levels of protection as devices that never leave the hospital, since attacks may occur outside the network perimeter.
Mobile device management (MDM) solutions are no longer sufficient on their own, since a great deal of malware is now written specifically for mobile devices, and MDM is about configuration and policy rather than threat detection. Specialist mobile threat prevention and secure containers on the devices are essential additions.
Another crucial element of cyber protection that NHS needs to consider is the fact that patient health records have an extremely high black-market value – higher even than credit cards and other financial data. This is because health records cannot be quickly blocked and reissued – they are permanent and highly personal. Breaches of patient data are a great boon for cybercriminals – and a huge headache for hospitals.
In turn, this means that it is critical for hospitals to prevent threats from actually taking hold on networks in the first place, rather than detecting them after they have happened. Data Loss Prevention (DLP) solutions, which detect when sensitive data is actually being sent outside the organisation, are also an essential part of the overall security posture.
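What a DLP rule for the NHS context can look like in practice, as an added example rather than anything from the article or from a vendor: NHS numbers carry a Modulus 11 check digit, so an outbound-mail filter can validate candidate ten-digit strings instead of alerting on every phone number and invoice reference. The messages, the recipient domains treated as internal and the policy (block if validated identifiers go to an external address, audit if they stay internal) are assumptions for this demonstration, and the example numbers are chosen only because they pass the check digit.

```python
import re

# Candidate: ten digits, optionally grouped 3-3-4 with spaces or hyphens (the printed NHS format).
NHS_CANDIDATE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{4})\b")
# Assumption for this example: mail to these domains stays inside the NHS estate.
INTERNAL_DOMAINS = ("nhs.net", "nhs.uk")


def nhs_check_digit_ok(digits: str) -> bool:
    """Modulus 11 check digit: weights 10..2 over the first nine digits, remainder taken from 11."""
    if len(digits) != 10 or not digits.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10:
        return False          # a remainder of 1 can never produce a valid number
    return check == int(digits[9])


def find_nhs_numbers(text: str) -> list:
    """Ten-digit groups that pass the check digit, in order of appearance, deduplicated."""
    found = []
    for m in NHS_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if nhs_check_digit_ok(digits) and digits not in found:
            found.append(digits)
    return found


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def inspect_outbound(sender: str, recipients: list, body: str) -> dict:
    """DLP verdict for one outbound message."""
    numbers = find_nhs_numbers(body)
    external = [r for r in recipients if is_external(r)]
    if numbers and external:
        action = "block"              # patient identifiers leaving the organisation
    elif numbers:
        action = "allow-with-audit"   # internal, but record that identifiers were sent
    else:
        action = "allow"
    return {"sender": sender, "nhs_numbers": numbers,
            "external_recipients": external, "action": action}


# Constructed sample traffic for the demonstration; addresses use reserved example domains.
SAMPLE_MESSAGES = [
    ("clinician@example-trust.nhs.uk", ["colleague@nhs.net"],
     "Referral for patient 943 476 5919, notes attached."),
    ("clinician@example-trust.nhs.uk", ["me.personal@example.com"],
     "Forwarding my list for tomorrow: 943-476-5919 and 4010232137. Ref 1234567890."),
    ("finance@example-trust.nhs.uk", ["supplier@example.com"],
     "Purchase order 0000012345 approved for payment."),
]


def run_samples() -> list:
    return [inspect_outbound(s, r, b) for s, r, b in SAMPLE_MESSAGES]
```

The check digit cuts random ten-digit false positives by roughly a factor of eleven but does not eliminate them, so production rules pair it with context (a nearby "NHS number" label, a spreadsheet column header) and inspect attachments as well as message bodies.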
A holistic approach to healthy cybersecurity
Simply to continue their day-to-day operations, as well as protect patients’ confidential data, NHS trusts need to strategically implement all of these complementary cybersecurity measures. They need advanced threat prevention, incorporating sandboxing and document sanitisation, a robust endpoint security programme with specialist mobile device protection, and a DLP system to quickly detect when the worst has happened and patient data is being siphoned out of the organisation.
Criminals have widened their range of targets from private-sector enterprises to healthcare, with the aim of increasing the number of targets to extort. The NHS is under (cyber) attack because it has a great deal to lose. Sophisticated cybersecurity is essential for its future health.
Put your existing security defences to the test, and find out exactly which malware and threats your company is exposed to with Check Point’s unique Security Check-up Report. It’s free of charge and 100% confidential.
The Security Check-up Report gives you a comprehensive overview of your company’s real security status, highlighting all the vulnerabilities in your organisation and showing how to remedy them. You get an easy-to-read graphical report, at no risk to your network environment.
Your business has got a lot to lose if your security isn’t good enough. So what have you got to lose by doing a free Security Check-up with Check Point? To schedule your free, on-site analysis, simply REGISTER NOW.
How healthy is your IT security?
From healthcare organisations to financial institutions to universities to retail stores, every single business that collects customer data – whether it is personal details, credit card information or real-time behaviour – is a target for threat actors looking to steal that information. And this is the case for organisations of every size.
Attacks in healthcare are rising
Earlier this year the Ponemon Institute released its Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data. According to the study, nearly 90 percent of healthcare organisations experienced a data breach in the past two years, and 45 percent suffered more than five data breaches during that same period. And like in years past, criminal attacks were the leading cause, making up 50 percent of breaches within the healthcare industry.
To put this in financial perspective, cyber incidents could be costing the healthcare industry $6.2 billion, with the average cost of a data breach now exceeding $2.2 million. It is perhaps no surprise, then, that some of the largest breaches of the last few years have been in healthcare, including the 2015 attack on the US health insurer Anthem, in which nearly 80 million records were stolen.
Impact of DDoS
One of the most prevalent attack types this industry should be aware of is the Distributed Denial of Service (DDoS) attack. DDoS attacks have recently been used against a number of high-profile organisations, including those affected by the Dyn attack in October 2016, which brought down sites such as Twitter, The Guardian and Netflix. This type of attack floods the target with traffic until it, or the link in front of it, is saturated and knocked offline, so that legitimate users can no longer reach it.
Previously this type of attack was largely confined to the service providers supplying internet connectivity, but now many attackers target organisations directly, including at the application layer inside their own data centres. This is particularly dangerous for the healthcare industry, which not only holds sensitive data but depends on the network to keep critical services running.
According to Arbor Networks’ annual Worldwide Infrastructure Security Report, peak DDoS attack size has grown more than sixtyfold in the last decade. In the first six months of 2016 alone, 274 attacks of over 100Gbps were monitored, highlighting the continuing escalation in both the size and frequency of DDoS attacks.
With attacks continuing to get bigger, and high-profile incidents in the media continuing to highlight how unprepared organisations are, something needs to change. Businesses need to act quickly, and healthcare organisations in particular must have measures in place to prepare for the worst. What sets healthcare apart is the sensitivity of the data it stores and the potentially fatal consequences of a network outage.
Getting on the front foot
The answer is a multi-layered defence that pairs on-premise tools with a cloud-based scrubbing service. On-premise appliances and intrusion detection products can deal with smaller and much more sophisticated attacks, including application-layer and state-exhaustion attacks, but they cannot absorb the much larger volumetric floods that fill the internet link before traffic ever reaches them. A cloud service can soak up those volumetric attacks, but it is not comprehensive enough to stand on its own.
To deal successfully with a DDoS attack, healthcare organisations need these defences working together: cloud-based protection is called upon when an attack is large enough to saturate internet connectivity, while on-premise equipment protects the network proactively against smaller attacks.
With the cyber-criminal industry developing every day, businesses can no longer afford to be without multi-layered DDoS protection. Healthcare organisations need to be proactive, assume they will be attacked at some point, and have dedicated defences in place that are designed to keep the organisation running even while a DDoS attack is under way.
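The hybrid model above, reduced to a decision rule and run over constructed traffic, as an added example that is not from Arbor Networks or from the article: the script buckets flow records by second, rate-limits any single client that exceeds a per-source request ceiling (an application-layer attack the on-premise device can handle) and signals a swing to cloud scrubbing once inbound volume approaches the uplink capacity. The 1 Gbit/s uplink, the 80% diversion point, the 50 requests-per-second ceiling and the addresses (documentation ranges) are all assumptions.

```python
from collections import defaultdict

LINK_CAPACITY_BPS = 1_000_000_000   # assumption: a 1 Gbit/s internet uplink
DIVERT_FRACTION = 0.8               # hand off to cloud scrubbing at 80% of the uplink
PER_SOURCE_RPS_LIMIT = 50           # on-premise ceiling on requests per second per client


def build_sample_traffic() -> list:
    """Constructed flow records as (second, source_ip, bytes, path) tuples."""
    records = []
    # Second 0: ordinary browsing from twenty clients.
    for i in range(20):
        records += [(0, "192.0.2.%d" % (i + 1), 1500, "/portal/home")] * 2
    # Second 1: one client hammering an expensive search endpoint (application-layer attack).
    records += [(1, "203.0.113.7", 800, "/api/patient-search?q=a")] * 120
    records += [(1, "192.0.2.%d" % (i + 1), 1500, "/portal/home") for i in range(20)]
    # Second 2: amplification flood from many spoofed sources (volumetric attack).
    records += [(2, "198.51.100.%d" % (i + 1), 1_000_000, "/") for i in range(110)]
    return records


def assess(records: list, capacity_bps: int = LINK_CAPACITY_BPS) -> dict:
    """Per-second verdict: allow, rate-limit on premise, or divert upstream to cloud scrubbing."""
    buckets = defaultdict(list)
    for second, src, nbytes, _path in records:
        buckets[second].append((src, nbytes))
    verdicts = {}
    for second in sorted(buckets):
        flows = buckets[second]
        bits = 8 * sum(n for _, n in flows)
        per_source = defaultdict(int)
        for src, _ in flows:
            per_source[src] += 1
        offenders = sorted(s for s, c in per_source.items() if c > PER_SOURCE_RPS_LIMIT)
        if bits >= DIVERT_FRACTION * capacity_bps:
            # The uplink is (nearly) full: nothing behind it can help once the pipe
            # is saturated, so the traffic has to be scrubbed upstream.
            action = "divert-to-cloud-scrubbing"
        elif offenders:
            # Small in bandwidth terms but expensive for the application: handle locally.
            action = "rate-limit-on-premise"
        else:
            action = "allow"
        verdicts[second] = {
            "mbps": round(bits / 1e6, 1),
            "sources": len(per_source),
            "offenders": offenders,
            "action": action,
        }
    return verdicts
```

In production the volumetric signal comes from border flow telemetry (NetFlow or sFlow) rather than application logs, and the diversion itself is a BGP announcement or DNS change to the scrubbing provider; what the example shows is why the two layers are judged on different signals, bandwidth for one and per-client behaviour for the other.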
The healthcare industry faces some of the steepest cyber security challenges. With the combination of a proliferation of connected devices, a large amount of sensitive data, and often tight security budgets, many cyber-attackers are specifically targeting healthcare organizations.
Medical devices connecting to the internet have allowed a number of new opportunities for healthcare organizations to become more efficient, but they have also left open new vectors for attack. They often go unprotected and can be hijacked by attackers to spread ransomware or used as a way to gain access to the rest of the network. These Internet of Things (IoT) devices are vital to the modern healthcare organization, but without proper security in place, they can do more harm than good.
Given the amount of sensitive data that healthcare organizations hold, data theft and ransomware have proven to be lucrative for criminals. The well-documented success of these attacks will only increase the number of attacks to come. As more devices become connected and more information is digitized, it is imperative that healthcare organizations and hospitals are able to protect their data and defend from attacks proactively.
Threats by Numbers
- 33% of all records compromised in 2015 came from the healthcare industry, the most of any industry vertical, according to an industry report. Nearly 100 million records were compromised in 2015, and that number is growing in 2016.
- 55% of incidents were carried out by someone with insider access. Whether malicious or not, insiders carry a great security risk if not properly monitored. Phishing attacks remain a plague on the industry, and even the best-trained employees can fall prey to well-disguised attacks.
- According to a study by the Ponemon Institute, lost or stolen healthcare records can cost up to $363 per record, 136% higher than the average cost of a stolen or lost record in other industries.
NETconnection Systems has deployed solutions to a number of healthcare organizations that help them get ahead of an evolving threat landscape and proactively defend their sensitive information.
In the healthcare industry, NETconnection Systems’ approach can find and help stop a wide range of threats, including fast-moving ransomware, aggressive malware seeking to compromise credentials, and malicious insiders attempting to exfiltrate sensitive data. Given the extensive challenges facing firms in the healthcare industry, a proactive stance on cyber security is needed.