NHS trusts should seize the opportunity to escape the shadow of WannaCry, boost their cybersecurity and onboard new devices with confidence, says Chad Holmes. By Jennifer Trueland.
In the six years since the WannaCry attacks, NHS bodies have been wary of introducing new “risks” to their technological environments, says Chad Holmes. While a medical device might look as if it will be terrific for patient care and outcomes, the fear that it might pose a cybersecurity threat has led to a more cautious mindset about whether to adopt it or not – potentially denying patients something that could really benefit them.
But what if you could be sure – or as sure as you reasonably can be – that you are deploying these new devices in a way that is as safe as possible? Or that you are certain that you have taken all reasonable steps to make sure that your organisation is protected not just from known cybersecurity threats, but also from those that might crop up in the future?
That’s the message that Holmes is trying to get across. As security evangelist with healthcare IoT (internet of things) security experts Cynerio, he believes that 2023 brings big opportunities for the NHS in terms of being able to bring on board valuable new devices, while being assured that they have secured their environments.
His job title might sound a little fanciful, but essentially it boils down to ensuring that prospective clients have the proper information at their fingertips to make the right decisions.
“My job means I get to work with a lot of really smart people who are doing really interesting research, and find ways of educating the market,” explains Holmes, who has more than 20 years’ experience helping to develop, secure – and break (he has spent time as an ethical hacker or “penetrator”) – a variety of technologies.
“At Cynerio we have a really great medical device research team and a big pool of data to draw on – so my job is about taking deep, technical information and getting as many eyes on it as possible.”
Along with ITHealth, Cynerio has just published a research report that examines the current outlook of connected medical device security in NHS trusts. The State of NHS Trust IoT Device Security 2023 follows on from a similar report last year, which largely focused on the US market.
The UK findings make grim reading. Based on data from a sample of 14 NHS trusts, it says that:
- 46% of devices have at least one known risk that has not been addressed
- 11.7% of these devices have at least one critical risk
- Consumer electronics like those from Amazon, Sony and even Tesla frequently introduce threats to hospital environments
- 2.26% of devices are still vulnerable to risks like SMBGhost/EternalDarkness, which operate in the same way the WannaCry attacks operated in 2017.
Know your network
So what can health bodies do about it? The first recommendation is always to understand what you have in your network, says Holmes. “We’re always shocked when we go in and say, where’s your inventory, and they’re like, there’s a spreadsheet here and a database there. Then we instal our systems and ask if they know about the 12 Amazon Alexas they have online because people have brought them in, and the gaming systems they have that are unpatched. And by the way, did they know there’s a new doctor who got a Tesla last week and put it on the secure network? So now anything that Elon and team has in their vulnerability chain becomes part of the hospital.”
Understanding what you have is just the first step – securing them is the next. “You have to practise things like proper patching procedures. You have to do something that other industries have been doing for 10 or 15 years called segmentation or micro-segmentation – effectively network level protections, meaning that devices that shouldn’t be talking can’t talk to each other.”
Another important step is adopting new technologies to deal with new attacks, he adds. “Most healthcare systems are still 10-15 years behind other systems – that’s why they are so attacked. So you have to supplement the firewalls and intrusion detection with more modern technologies that detect ransomware, for example.”
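The three steps Holmes describes (know what is on the network, then enforce segmentation between devices that should not be talking) can be exercised as a small reconciliation check. The following is an added example, not code from Cynerio, ITHealth or the report: it compares an approved inventory against what discovery actually saw, flags unregistered and misplaced hosts, and tests observed flows against a zone policy. Every hostname, zone and flow is constructed.

```python
"""Added example: inventory reconciliation plus a zone segmentation check.
All data below is constructed for illustration."""

# Approved inventory (constructed): hostname -> zone the device is assigned to
INVENTORY = {
    "infusion-pump-01": "clinical",
    "mri-console-02": "clinical",
    "pacs-server": "datacentre",
    "ward-pc-14": "office",
}

# What network discovery actually saw (constructed): hostname -> zone it sits in
OBSERVED = {
    "infusion-pump-01": "clinical",
    "mri-console-02": "office",       # inventoried device, but on the wrong segment
    "pacs-server": "datacentre",
    "ward-pc-14": "office",
    "echo-dot-7": "clinical",         # consumer device nobody registered
    "playstation-ward3": "office",    # games console nobody registered
}

# Segmentation policy (constructed): source zone -> destination zones it may reach
POLICY = {
    "clinical": {"clinical", "datacentre"},
    "datacentre": {"clinical", "datacentre", "office"},
    "office": {"office", "datacentre"},
}

# Observed flows (constructed): (source host, destination host)
FLOWS = [
    ("ward-pc-14", "pacs-server"),          # office -> datacentre: allowed
    ("ward-pc-14", "infusion-pump-01"),     # office -> clinical: should be blocked
    ("echo-dot-7", "infusion-pump-01"),     # unmanaged source: should be blocked
    ("infusion-pump-01", "pacs-server"),    # clinical -> datacentre: allowed
    ("mri-console-02", "infusion-pump-01"), # misplaced console now in office zone: blocked
]

def find_unmanaged(observed, inventory):
    """Hosts seen on the network that are missing from the approved inventory."""
    return sorted(h for h in observed if h not in inventory)

def find_misplaced(observed, inventory):
    """Inventoried hosts seen in a zone other than the one assigned to them."""
    return sorted(h for h, z in observed.items() if h in inventory and inventory[h] != z)

def check_flows(flows, observed, inventory, policy):
    """Flows the segmentation policy should block. A host absent from the inventory
    is placed in an 'unmanaged' zone that no rule permits, so it is always flagged."""
    def zone(host):
        return observed.get(host, inventory[host]) if host in inventory else "unmanaged"
    return [(s, d) for s, d in flows if zone(d) not in policy.get(zone(s), set())]
```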
A moment of opportunity
Taking these steps doesn’t just secure and protect the current environment – it can also improve confidence in bringing on board new devices, says Holmes. This can be transformational for patient care, but trusts need to act now, he stresses.
The good news, says Holmes, is that the message is getting through to decision-makers in the NHS that this is something they need to take seriously. “One thing that’s been really encouraging is that we’ve been working with the NHS at a high technical level, and they have recently requested guidance on micro-segmentation and other protections, and so we, along with other vendors, are actively working with them to define best practice there. And as people more broadly understand the risks, they are implementing systems very quickly, sometimes in a matter of months.”
The key message is that NHS trusts have a real moment of opportunity in 2023, he says. “They were snake-bitten by WannaCry six years ago. They’ve been reticent to onboard devices – but now they are starting to onboard new devices without securing their environment. So they have this brief moment in time – they can take the security steps and onboard new devices at the same time, and that’s huge for improving patient care.”
Cynerio and ITHealth will host a webinar on the State of the NHS Trust IoT Device Security 2023 report on Wednesday 29 March.