The cyber-attack against Norway’s largest health authority could be one of the biggest of its kind in healthcare, sources have told Digital Health News.
Norway’s specialist Police Security Service (PST) is reported to be investigating for “Etterretningsvirksomhet mot statshemmeligheter” – intelligence activities against state secrets – following an “advanced and persistent” attack on Health South East RHF on 8 January.
The attack appears to have been a concerted and highly professional effort to target electronic patient data, connected to a NATO exercise scheduled for later this year.
One line of inquiry investigators are said to be following is that the hackers were aided by somebody inside Health South East RHF’s parent company, Sykehuspartner.
According to Norwegian publication Aldrimer, assailants targeted two lots of information, one being patient records and the other being the health service’s interaction with Norway’s armed forces, including upcoming military operations.
Specifically, it has been suggested in the Norwegian media that hackers were looking for data relating to Trident Juncture 18, a major NATO exercise taking place in Norway in October this year.
It’s currently unclear to what extent data was compromised, although the involvement of Norway’s Ministry of Health and Ministry of Justice and Public Security in the matter has been noted by Norwegian media outlets.
Norway’s Health South East regional health authority (RHF) was breached on 8 January, following a cyber-attack on Sykehuspartner’s servers.
A knowledgeable source within Norway’s e-health community told Digital Health News it was “clear” that the attack was “very professional”, leading investigators to theorise that it may have been carried out by a foreign spy agency or state agency.
“They suspect a foreign professional actor is behind, and they don’t know if sensitive information on patients has been compromised,” they said anonymously.
The investigation into the breach is being coordinated by Norway’s State Cyber Coordinating Centre (FCKS), which consists of a number of specialist police and intelligence task forces, including the National Security Authority (NSM), PST and the National Criminal Investigation Service (Kripos).
Norway’s Health South East RHF holds information on approximately 2.8 million people living in Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder.
HelseCert, Norway’s healthcare IT security centre, first raised the alarm after noticing unusual activity on hospital IT systems. South East RHF said it took measures “to limit the damage” after being made aware that a cyber-attack had taken place.
The incident has been described as “very serious” by Cathrine Lofthus, CEO of Health South East RHF.
Unlike the WannaCry outbreak that affected health services in England in May 2017, the attack on Health South East RHF appears to have been a targeted attempt to access patient data.
One aspect that remains unclear is the attack vector used to access the data: namely, whether it was an exploit of a known vulnerability or the result of a more targeted campaign.
NHS cyber security expert, Gary Colman, head of IT audit and security services at West Midlands Ambulance Service NHS Trust, suggested that the cyber-attack could have been a two-pronged effort.
“It wouldn’t surprise me if it followed the route of simple attack to gain initial access to the relevant networks, followed by much more skilled post-breach exploitation to get at the health records,” Colman said.
“Unfortunately, if an actor has sufficient resources and skills available then they will usually find a way into most systems and networks. The trick is finding the balance between resourcing patient care and appropriate levels of security, to ensure the overall risk and impact of successful attacks is minimised so far as practical.”
The incident in Norway once again raises the question of whether health services – which are becoming an ever more appealing bulls-eye for cyber-criminals – are taking appropriate measures to secure the masses of data they hold on citizens.
Mark Jackson, principal information assurance architect at Cisco UK, told Digital Health News: “They say the attackers compromised millions of records. How is it that this volume of data was exfiltrated from what one would assume is a highly sensitive system without any alarms going off? Why weren’t the records encrypted?
“Defending against such an attack should start with first knowing where the data is, and then ensuring that a range of controls are in place to protect them. This should include all of the usual good cyber-hygiene controls such as robust patch management, enforcing strong and audited access control and given the sensitivity of the data, putting in place detection mechanisms that would catch mass exfiltration.”
NHS Digital was unable to comment specifically on the incident; however, a spokesperson pointed to work it was carrying out with health and care organisations to build resilience against threats from cyber-space.
This includes CareCERT, which provides both general guidance and specific alerts to NHS organisations in the event of a security incident.
NHS Digital has also grown its capacity to support local organisations by developing an enhanced Security Operations Centre. It is hoped this will increase the organisation’s ability to monitor local networks and perform penetration testing on NHS networks.
However, Colman pointed out that the work NHS Digital is doing does not offer “blanket cover”: instead, it should be regarded as a supplement to the security assurance procedures trusts must perform themselves.
“The work that NHS Digital is doing around a national security operations centre and the roll-out of security testing should assist in reducing the likelihood of attacks against the NHS succeeding.
“The problem is that overall IT security is only as strong as the weakest link in the chain, and we are still finding a lot of weak links… We still identify many NHS-related organisations – both within the public sector and also private providers of services to or within the NHS – that allocate little time to comprehensive, valuable IT audit and assurance provisioning.”