It’s been a dramatic 12 months for cybersecurity in the healthcare sector, which is still feeling the after-shocks of the WannaCry global ransomware outbreak.
As NHS Digital attempted to move past the dreaded W-word, a report from the National Audit Office reopened old wounds by highlighting just how underprepared Britain’s healthcare service was for an attack from cyber-space.
The NHS is aware of the steps it must take to improve its resilience, though, and has over 2017 taken demonstrable steps to ensure that the next cyber-attack – which experts have insisted will happen – does not knock it for six as WannaCry did in May 2017.
As 2017 draws to a close, Digital Health News spoke to leading cybersecurity experts about their predictions for the digital landscape in 2018. Buckle up, things are about to get bumpy.
Mark Jackson, principal information assurance architect, Cisco UK public sector
The EU General Data Protection Regulation (GDPR) has been a hot topic during 2017 as organisations have worked hard to decipher the legislation and take the steps necessary to ensure compliance. As we head into 2018, there will be an increase in activity as organisations – many of which have left things too late – scramble to adapt and improve existing processes and procedures in time to meet the May deadline.
Along a similar theme, it is likely that 2018 will see regulators exercising their new powers under GDPR, leading to the issuing of new, larger penalties both for breaches of personal data and for failures to meet GDPR obligations.
The supply chain has come under increasing focus as a significant attack vector during 2017 and its use led to major breaches, including the Ukrainian M.E.Doc accounting software and the popular CCleaner utility.
Whilst these attacks are not trivial to undertake, they represent a significant shift in attacker behaviour as they exploit the trusted relationships that users and organisations have with their software suppliers. 2018 will likely see attackers continue to target these vectors for this very reason, and organisations should look carefully at how they might detect and remediate such a threat. Those that develop their own software will need to consider how they can improve secure development practices to reduce the risk of attackers infiltrating their own code.
The final prediction is that, sadly, 2018 will see organisations failing to deliver on the basics of good cyber hygiene. Known and patched vulnerabilities will continue to be exploited and will lead to breaches of data and be used as a means of spreading ransomware. Getting the basics right is not easy, of course, and because of this organisations must shift their approach to cyber to be much more defence-in-depth, deploying more segmentation within their networks to ensure that a single breach does not lead to total compromise.
Organisations should also focus heavily on breach and incident readiness. This should be in the form of a set of well-developed plans, but also through the exercising of those plans.
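The supply-chain point above (a trojanised build delivered through a trusted vendor channel, as in the M.E.Doc and CCleaner cases) comes down to one question for a consumer: does the artefact I received match what the vendor actually built? The following is an added example, not code from the article or from any vendor or product it names, showing the simplest useful detection control: pin the SHA-256 of each release file from an out-of-band source and refuse anything that differs, is missing, or was never listed. The file names, byte strings and manifest are constructed for the example; a real deployment would pin hashes published by the vendor or recorded at first review.

```python
"""Pinned-hash verification for vendor-delivered software artefacts.

Added as an illustration of the supply-chain point above; this is not code
from the article or from any vendor or product it names. All artefact bytes
and manifest entries below are constructed for the example.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artefact's bytes, as a lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a vendor's genuine release files.
GOOD_INSTALLER = b"MZ\x90\x00 constructed installer v5.33 (clean build)"
GOOD_UPDATER = b"MZ\x90\x00 constructed updater v1.2 (clean build)"

# The manifest a consumer would pin from an out-of-band source (vendor web
# page, signed release notes, or a hash recorded when the build was first
# reviewed). Here it is derived from the constructed clean files.
PINNED_MANIFEST: Dict[str, str] = {
    "installer.exe": sha256_hex(GOOD_INSTALLER),
    "updater.exe": sha256_hex(GOOD_UPDATER),
}


def verify_release(files: Dict[str, bytes], manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare a delivered release against the pinned manifest.

    Returns (ok, findings). ok is True only when every delivered file matches
    its pinned hash, nothing pinned is missing, and nothing unlisted was
    delivered. A trojanised build that still carries a valid code-signing
    certificate is caught here because its bytes, and so its hash, differ.
    """
    findings: List[str] = []
    for name, data in files.items():
        expected = manifest.get(name)
        if expected is None:
            findings.append(f"UNEXPECTED {name}: delivered but not in the pinned manifest")
            continue
        actual = sha256_hex(data)
        # compare_digest avoids leaking how much of the digest matched via timing.
        if not hmac.compare_digest(actual, expected):
            findings.append(f"MISMATCH {name}: pinned {expected[:12]}..., got {actual[:12]}...")
    for name in manifest:
        if name not in files:
            findings.append(f"MISSING {name}: pinned but not delivered")
    return (not findings, findings)


def demo() -> Tuple[bool, bool, List[str]]:
    """Run the check over a clean release and a constructed tampered one."""
    clean = {"installer.exe": GOOD_INSTALLER, "updater.exe": GOOD_UPDATER}
    # Tampered: a backdoor stub appended to the installer, plus an extra
    # DLL that the vendor never shipped. Both are constructed inputs.
    tampered = {
        "installer.exe": GOOD_INSTALLER + b"<backdoor stub>",
        "updater.exe": GOOD_UPDATER,
        "helper.dll": b"MZ\x90\x00 unexpected extra component",
    }
    clean_ok, _ = verify_release(clean, PINNED_MANIFEST)
    tampered_ok, tampered_findings = verify_release(tampered, PINNED_MANIFEST)
    return clean_ok, tampered_ok, tampered_findings


if __name__ == "__main__":
    ok, bad_ok, findings = demo()
    print("clean release ok:", ok)
    print("tampered release ok:", bad_ok)
    for line in findings:
        print(" ", line)
```

The check is deliberately independent of code signing: in the CCleaner case the backdoored build was signed with the vendor's own certificate, so a signature check alone would have passed. Pinning the hash at the point the build is reviewed, and treating any unlisted or missing component as a finding, is what turns the "trusted supplier" relationship into something the consumer can actually verify.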
Rusty Carter, vice president product management, Arxan Technologies
This coming year, we can expect to see an increase in attacks on the medical industry and its technology that outpaces the adoption of security practices that can prevent or mitigate damage. While awareness is growing within the industry and measures are starting to be put in place, the variety and quantity of opportunities for attackers to have a significant impact is perceivably higher than in other industries.
Leading the way will likely be attacks against hospitals and other clinical settings. The network-based attack that seeks out vast amounts of unsecured or easily compromised data is becoming much better known, and theft of individual medical data can lead to a variety of attacks ranging from identity theft to extortion.
In clinical settings where network security has started to be addressed, we’ll likely see a rapid increase in threats against the devices themselves, particularly via the mobile or desktop apps that control them. Many of these will go undetected as “proof of concept” attacks are implemented against devices not monitored for attacks. Any of these proving particularly damaging or profitable could become a surprise very quickly.
Attacks against implantable devices will continue – particularly devices like insulin pumps and pacemakers – while device manufacturers in this area will likely be increasingly rolling out security to protect against threats. The awareness of the mobile app being the primary vector of attack will result in a rapid increase in both prevention and detection of threats against the mobile apps themselves, which will result in other devices – such as clinical instruments for IV and medicine delivery and diagnostic devices like MRI and CT scanners, following the lead from the implantable devices.
Dr Saif Abed, founding partner, AbedGraham
If this past year can be considered eventful for cybersecurity in the NHS then I predict that 2018 will be a year of reckoning. It is inevitable that there will be further incidents; the only question is whether they are more targeted and sophisticated than the attacks of 2017 and what happens as a result. It’s clear that CIOs and CCIOs are mindful of this both centrally and locally but what remains unclear is to what extent this challenge has permeated the C-suite overall.
For all the investments that are being made to shore up cyber capabilities at a technical level, the NHS’s overall digital footprint is increasing, which means its surface area for cyber harm is increasing too. It is my view that central government and CIOs across the NHS will start to reframe what cybersecurity is all about. It’s not just about firewalls and patching updates: the success of an effective cybersecurity strategy will be defined based on clinical service resiliency, patient safety and business continuity.
The Department for Digital, Culture, Media and Sport (DCMS), supported by the National Cyber Security Centre (NCSC), has already stated in its planned May 2018 adoption of the EU’s NIS Directive that it is no longer acceptable for critical services such as healthcare to be significantly disrupted due to a cybersecurity incident. Accordingly, organisations will gradually start appointing Chief Information Security Officers (CISOs), training their CCIOs and integrating them increasingly in service-resiliency planning, and ensuring that clinical end-users are supported to follow best practice in terms of cyber hygiene. I believe this will apply centrally too, and I envisage the appointment of more experts in cybersecurity, both technically and, particularly, clinically.
There’s much work to be done in 2018 but to get caught up only in the excitement of the technical capabilities of cybersecurity solutions would be myopic. Ultimately, a focus on people and processes will be the key to the NHS’s success.
Chris Moyer, CTO security, DXC
Cybersecurity spending will increase in healthcare by at least 15% due to the value of health records to cyber criminals. Healthcare has lagged behind other industries in terms of spend, so this is just closing the gap, not implying that healthcare will spend more than other industries.
Network attacks, including ransomware, will continue to escalate, driving tighter network segmentation and inclusion of non-IT environments like embedded systems into IT control.
Risks in patient monitoring systems will be exposed, causing further network segmentation and enhanced identity protection.
Bring-your-own-data (BYOD) will become more common. Individuals will have ‘verified copies’ of their health information to share with trusted healthcare organisations as they choose. Cyber criminals will target individual patient information to create misleading information that causes added insurance premiums, manipulates wait lists or triggers fraudulent payments.
Collaboration between clinical environments and life sciences will increase to improve data precision and control leading to more personalised medicine. Artificial Intelligence and machine learning will allow consumption of more data and results driving added value to companies that innovate in this area.
Medical device manufacturers will embed security in designs and use third parties for validation, vulnerability assessment and ongoing compliance. Like other IoT environments, the focus will be on identity and the ability to manage and change devices after installation.
Wim Nauwelaerts, data privacy lawyer, Sidley Austin
With both GDPR and the Network and Information Security (NIS) Directive coming into effect in May 2018, we are likely to see an increase in the demand for appropriate cyber insurance. Operators in so-called critical sectors – including the health sector – in particular will be keen on addressing residual cyber risk through specialised insurance.
The problem is that the EU cyber insurance market is still at an early stage of development. A recent study published by the European Union Agency for Network and Information Security (ENISA) shows that there is a lack of harmonisation and standardisation in the cyber insurance market that stifles the development of insurance products tailored to the needs of critical sector operators. Unless this problem is tackled quickly, critical sector operators in the EU will be in a disadvantageous position compared to their counterparts in, for example, the U.S.
Next year we will also see an emerging need in all NIS Directive sectors for cybersecurity awareness training. It will be crucial to make sure that relevant staff are adequately trained on all aspects of cybersecurity management, and that they are familiar with the organisation’s data incident response plan. Cyber training should take into account the specific needs of critical sector operators, and should also reflect their obligations under the upcoming GDPR. Operators in critical sectors face dual reporting duties – under the GDPR and the NIS Directive – in case of a data breach, so proper training will be key to ensure that their staff act swiftly in case of a cyber incident.
Dr Jason Nurse, senior researcher, department of computer science, University of Oxford
One of the most challenging issues going forward into 2018 is that of the vast increase of internet of things (IoT) devices, and their adoption into society without a clear appreciation of the risks accompanying them. From a healthcare perspective, wearables are a good case example. These devices are extremely useful as they allow tracking of health-related activities, measuring of heart rates and a plethora of additional functions.
However, if we consider the other side of the coin, if a malicious entity were to gain access to a running route, they could determine where the individual lives, and when they were or were not at home. Heart rate data may seem benign, but it can shed real insight into a person’s health, and could negatively affect them if exposed. Smartwatches could pose similar privacy issues, especially because of all the other data that may be gathered without the knowledge of the user. It may be that at this point users are focused on functionality and convenience without thinking about how they may be at risk.
The issues above are likely to be substantially exacerbated in 2018 in two ways. Firstly, there is very likely to be a significant increase in the number of low-quality health devices – specifically wearables – available on the market. These devices will be much cheaper than well-known, more expensive brands and therefore will appeal to consumers. The problem, however, is that these devices often lack any consideration of data security or user privacy; the low development budget simply does not allow for it. This places consumers at a higher risk to their data being leaked or potentially sold without their knowledge.
Secondly, the number of corporate data breaches generally is constantly increasing (2016 and 2017 exemplified this perfectly) and the healthcare sector is not immune to this trend. The concern, therefore, is that as such companies are increasingly targeted, they may be breached and expose troves of private data – especially if we assume low-cost devices will be adopted by the masses. Pairing this reality with the data mentioned above which providers are likely to have about individuals, in addition to demographic information (date of birth, friends, and so on), the risk to consumers in the new year is significant.
Viktors Engelbrehts, director of threat intelligence, eSentire
Healthcare organisations are hesitant to dedicate budget to cybersecurity, yet they continue to spend in other areas of IT. This mindset will likely shift, and more likely in response to a catastrophe than as a preventative measure. Organisations that aren’t prepared for the next big breach will have to allocate a larger share of funds to incident response, causing them to fall behind in the continuously evolving cyber-arms race.
Organisations that take preventative measures, on the other hand, will avoid the costs (and risks to their patients) of a major breach and will be able to focus on maturing and developing cybersecurity standards that adapt to how threats continue to evolve in the wild.
From a technical perspective: phishing as the main delivery method, ransomware and information-stealing Trojans as the most prominent malware, a lack of relevant user awareness, and weak passwords are likely to keep healthcare security personnel awake at night.