In a column for Digital Health, Davey Winder, explores whether data security in healthcare is doing its job correctly.
Time and time again I see warnings that healthcare is a prime target, even ‘the’ prime target, for cybercrime actors. The organised criminals behind ransomware attacks have both promised not to target healthcare during the Covid pandemic and, by their actions, proven these to be hollow words. Where healthcare is targeted and successful attacks confirmed, these appear to be far more plentiful involving organisations across the pond than domestically.
This is far from the only data security dichotomy on my mind though. There’s the fact that while the Information Commissioner’s Office has reported a stonking 3,557 data breaches across the UK health sector in the two years to March 31, most within the NHS, I see very little evidence of that data within the online criminal forums that trade in such things.
Intelligence reports reveal comparatively little UK healthcare data on underground markets
Which leaves me wondering if, seeing as I do see evidence of plenty of breached US healthcare data for sale, the NHS investment in data security is paying off? Writing about cybersecurity means that I get access to a lot of threat intelligence and most of the reports I see, as well as insight through threat intelligence feed databases, do little to suggest to the contrary.
Take one recent very lengthy report which explored the proliferation of data for sale on criminal forums, amongst other things, focusing on the global healthcare and pharma threatscape. Within the close on 50 pages of this report there was just a single confirmed example of UK health data offered for sale that was referenced, in May 2021 and involving 4,000 medical records (scanned clinical records and identity documents) with a total price of just $500 (£375.)
I asked the people behind that report if this reflects a better security outcome from UK healthcare compared to other countries, such as the US, whose breached healthcare data was referenced repeatedly?
“The UK healthcare sector is not doing any better from a security perspective than that of any other country,” Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company, told me.
“There are few UK examples in the report simply because the few UK examples in our existing corpus of customer alerts were not as useful for illustrating the specific points that I needed to make in the paper.”
In other words, it was just a matter of the data sample available, editorial choices and random variation.
But surely that doesn’t explain the apparent, relative, scarcity of breached UK healthcare data that appears across multiple intelligence sources? Obviously I appreciate that the ICO data breach reports include personal error, deletion of files and mishandling as well as criminal exfiltration, but the dichotomy dilemma refused to depart my bonce.
Unraveling the stolen data dichotomy dilemma
My next port of call in an attempt to resolve this headache was David Carmiel, CEO at threat intelligence company KELA. He told me that, yes, KELA had seen examples of UK healthcare data being traded or leaked on the dark web over the last year but “we cannot evaluate the scale in comparison to other countries’ healthcare data since we didn’t perform deep research into this topic”.
That said, Carmiel told me that KELA had seen more than 200,000 credentials pertaining to nhs.uk exposed via third-party breaches and within compilations of dumps posted to criminal sources during that period. However, he did also say that there wasn’t “a lot of valuable offers featuring UK healthcare data at a first glance”.
Kevin McMahon, CEO at another threat intelligence specialist, Cyjax, pointed out the obvious as it’s often overlooked by journalists such as myself when we smell a story.
“Not all stolen data is traded openly on underground forums,” McMahon says.
“Private sales are preferred where possible as it maximises the value of the data and minimises the risk to the threat actors, so analysing leaks markets doesn’t really provide a good metric for UK exposure.”
Plus, of course, the NHS doesn’t pay ransoms and threat actors know this, which makes compromising a GP surgery or a hospital a much less valuable option than a US one where monies are known to have changed hands. The US provides, therefore, a much bigger magnet to pull in criminal attention.
“Their for-profit health system means that there are so many more companies involved in health care,” McMahon says.
“With a huge supply network that provides so many more opportunities to threat actors.”
There could also be geopolitical reasoning coming into play, Ian Thornton-Trump, the Cyjax CISO says, as our public health systems are seen as being far closer to the national interest.
“Another WannaCry-like attack on the NHS could result in a NATO article 5 response,” he told me.
That article basically states that an attack on any individual NATO ally is considered an attack on all of them.
Moving the needle on the metrics of data security success
Finally, I turned away from the pure threat intelligence specialists and to a physician led health IT and cybersecurity regulatory risk management consultancy for answers.
I’ve known Dr Saif F Abed, the director of cybersecurity advisory services at The AbedGraham Group, for many years now. If anyone can bring me some concluding perspective on this, it is he.
The notion that compromised UK healthcare data is scarcer within criminal trading circles than other nations does not surprise Dr Abed, in fact he told me it is “entirely consistent with how I have attempted to explain the nature of public sector healthcare cybercrime for some time”.
He makes the same point as Cyjax in that the business model for public sector healthcare data is simply not a particularly valuable one when compared to that of the private sector one across the Atlantic as its utility is rather limited.
“I would posit that admin credentials are more valuable,” he says.
“As they support attempts of the attack of choice right now: ransomware.”
Which moves the needle of the ‘data security success metric’ somewhat, Dr Abed suggests, to how often the health and life sciences supply chain has been disrupted due to a denial of service type attack. A metric that, he posits, is all but impossible to measure without full transparency of a system as complex as the NHS.
One thing that Dr Abed is sure of, however, is that the NHS, in particular in England, has invested significantly in its people, processes and technology since the game changer that was WannaCry.
Indeed, it was amongst the first systems to recognise healthcare as being national critical infrastructure.
“This has placed us in a more resilient position than our European neighbours,” Dr Abed.
“At least for the moment when considering comparable healthcare systems.”
Continued success will, Dr Abed concludes, “require a nuanced focus on contextualising threats based on their impact on a single key business metric: patient safety”.