With the coronavirus pushing many NHS trusts to their limit, our columnist Davey Winder, explores why the health service is still an attractive target for cyber-criminals.
Like many of us, I have a very personal connection to the evolving coronavirus pandemic. As I write this column, my elderly mother is in hospital having tested positive for COVID-19. She’s a tough old girl and it’s looking good that she’ll make it through all this.
However, I do wonder if the security of the NHS will prove to be so resilient. The cyber-criminal industry, by and large, has not hesitated to use the confusion, disruption and fear surrounding the virus to its advantage.
Beware of ransomware
In just the past ten days, the criminals behind the NetWalker ransomware campaign, a particular nasty variation that hides in plain site on Windows 10 machines, has taken to specifically targeting healthcare workers for example. This after two of the most prolific, and dangerous, ransomware gangs had pledged not to target hospitals and medical facilities.
Both the operators of DoppelPaymer and Maze ransomware made this promise as the pandemic started to tighten its grip on the UK. It didn’t take long for the hollowness of such supposedly altruistic statements to ring loud and true.
The Maze criminals had already attacked a research centre that was on standby to test any COVID-19 vaccine and when the attack was intercepted, and systems restored without paying any ransom, they resorted to form.
Having exfiltrated patient data before the attack could be shut down, the criminals promptly and publicly published sample files in an attempt to extort a fee regardless.
And then there’s the advanced threat actors such as the DarkHotel Advanced Persistent Threat (APT) cyber-espionage group, which hails from Russia and which has launched a phishing campaign against World Health Organisation (WHO) agency staff in order to steal passwords that could then be used in an attack against the WHO itself.
The NHS as an attractive target
There is not empathy, no community spirit, no moral compass by which such people navigate a global health crisis. All of which sadly makes the NHS a very attractive target right now, and which is why I was somewhat surprised to discover that NHSX, which is committed to driving forward the digital transformation of health and social care, has hit reverse as far as cybersecurity resilience checks are concerned.
NHS Trusts have been given an extra six months in which to submit their data security and protection toolkit (DSPT) self-assessment.
The NHS Digital announcement states that it’s “critically important that the NHS and social care remains resilient to cyber attacks during this period of COVID-19 response”.
The DSPT is one of the ways that trusts can be sure they are doing just that. While they can continue to submit before the extended deadline of September 30, they no longer have to.
It’s a difficult one, as I fully understand the stresses that all aspects of the NHS are under, including IT in all its guises.
I get that stretched resources need to be prioritised and that nothing can be allowed to impact negatively on the COVID-19 response effort. And therein, dear reader, lies the Shakespearean misquotation. A successful cyber attack, be that of the ransomware, Distributed Denial of Service (DDoS) or network infiltration type, will surely do just that.
The NHSX acknowledges that “the cyber security risk remains high,” and demands all organisations “continue to maintain their patching regimes”.
So, here’s the thing: with Trusts, CSUs and CCGs all having to continue to comply with the strict 48 hour and 14 day requirements relating to the acknowledgement of and mitigation for high severity alerts issued by NHS Digital, how does that play out in an already stressed and stretched IT environment?
Flicker of hope
Coronavirus, like the cyber criminals I have already mentioned, cares not who gets infected nor who suffers as a result. IT teams are likely going to be stretched even thinner in the coming days and weeks. I do, as it happens, have a solution and it comes in the shape of a group of cybersecurity volunteers known as CV19.
CV19 has been put together by some friends of mine in the infosec community, and consists of thousands of CISOs, security researchers, penetration testers and more. What they all have in common is that they have made a pledge that, unlike the Maze criminals, they intend to honour: they will provide cybersecurity support to healthcare services in the UK and EU as needed.
Now is the time to reach out, to break through the red tape, and to accept the help that CV19 is offering. Be it incident response, research, risk management, training or even patching regimes, CV19 is there to help.