White paper explores how the NHS can improve cybersecurity

A new whitepaper from Imperial College London discussing how the NHS can improve cybersecurity has been presented at the House of Lords.

In 2017 the NHS experienced a ransomware attack which affected around 16 health service organisations across England and Scotland. The ransomware, developed by the US to exploit the CVE-2019-0708 weakness in Microsoft, demanded payments of $300 and $600 to regain access to obscured data, leading many practices to resort to pen and paper, send patients to other hospitals, and warn people to only use their local hospital for emergencies. The attack affected most systems, including telephones. The ransomware also affected public organisations in Russia, Ukraine, Singapore, Taiwan, and India. It is estimated that the ransomware cost the NHS £92million. Over 19,000 appointments had to be cancelled, costing around £20million, and the upgrades to IT systems and clean up in the aftermath cost £72million.

Following the attack, the NHS signed a deal to upgrade local service computers to Windows 10. The ransomware uses EternalBlue exploit, developed by the NSA, which gains access through weaknesses in older Windows operating systems such as Windows 7, Windows Vista, and Windows XP. The same weaknesses aren’t present in Windows 10. Microsoft issued a patch to remove the weakness in older systems that made the attack possible. The NHS also increased infrastructure spending by £60million following the attack, focusing on vulnerable services such as trauma and ambulance services. In 2o18, the government released a report titled ‘Security and Cyber Resilience in Health and Care’. In the report the NHS was promised:

  • £150million investment over the next three years
  • A new Cyber Security Operations Centre
  • A new Data Protection toolkit
  • The implementation of changes recommended by the Chief Information Officer for Health and Care’s review of the May 2017 WannaCry attack
  • Support for 25 local NHS organisations through the ‘Blue Teams’ pilot
  • A full estimation of the cost of the cyber attack.

According to Kaspersky Lab, 75,000 of their clients reported WannaCry attacks since the NHS was affected in May 2017. The data also showed that WannaCry was responsible for 28% of attacks in the third quarter of 2018, up by two-thirds compared to the third quarter of 2017. Many organisations installed the fix released by Microsoft but many remained vulnerable, including Boeing, which was hit in March 2018 as the patches were not in place. The ready availability of these fixes meant they were able to recover from the attack quickly. Kaspersky recommended that organisations stay informed of updates and patches available for all operating systems.

The Imperial College London whitepaper comes from the Institute of Global Health Innovation and was lead by Professor the Lord Ara Darzi. The paper points to outdated systems, a skills deficit, a lack of investment, and a lack of awareness of cybersecurity as the main issues still leaving the NHS open to ransomware. The report, which compiled evidence from the UK and from health systems around the world, praised what has already been done but recommended further investment. It also recommends employing cybersecurity professionals on IT teams, installing ‘fire breaks’ into their systems to isolate certain parts if they become infected, and enforcing communication systems that allow staff to access information on cybersecurity and what to do in the event of an attack. The report also detailed the need for cybersecurity to be at the centre of new medical technologies such as robotics, implant devices, and gene-based medicine.

New reports suggest that ransomware is becoming more sophisticated. Attacks can affect all levels of NHS systems, including test results, medical records, and could even allow hackers to steal a patient’s identity. The greatest risk involves patient data being altered, which could result in them receiving the wrong care or major issues being unrecognised. Wannacry attacks on Singapore healthcare systems in 2018 compromised 150million patient records. Most modern hospital records, test results, and patient information details are stored digitally, making it crucial to ensure they are protected. The financial impact can also cause huge problems for the NHS, which is currently undergoing problems with funding.

Dr Saira Ghafur, one of the main authors of the whitepaper, said: “Addressing the issue of cyber security will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.”

“NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats.”

The main focus of the report is the need for investment. Lord Darzi recommended further investment into research on how the NHS is vulnerable and how it can be strengthened. The report includes details of the recommendation from the Department of Health that the NHS create a Care Computer Emergency Response Team to support cybersecurity. However, they said that all staff across the NHS must be made aware of how to maintain cybersecurity. This includes measures such as not sharing passwords, never leaving computers unlocked, and not emailing data, especially sensitive patient data, to personal email addresses. Staff being made aware of these simple changes could prevent malware from entering into computer systems.

The main target of the Wannacry malware was SingHealth, the healthcare system in Singapore. One factor was website defacing, which was done through SingHealth sites mounted on WordPress. A report from the CSA examined the lasting effects of the attack and how cybersecurity has changed in the country since. A year on from the attack, there was a 30% drop in phishing URLs with a Singapore link, 16,100 in total. The number of phishing attempts increased during major events such as the US-North Korea summit in Singapore. This year, Singapore’s independent privacy watchdog fined SingHealth $750,000 for failing to secure patient data. Advanced threat detection software has been installed across SingHealth networks access to dedicated workstations has been restricted. Database monitoring has been put into use to spot vulnerabilities in coding. SingHealth representatives have spoken about their commitment to improving cybersecurity and reacting quickly to any threats.

If you would like to join our community and read more articles like this then please click here.

The post White paper explores how the NHS can improve cybersecurity appeared first on Defence Online.