One cannot escape the daily occurrence in the news of a successful cyber-attack resulting in significant disruption to organisations and compromising sensitive data. At an Audit Committee Chairs round table forum for TIAA’s Community Trust clients, it was once again high on the agenda. This prompted Paul Kamminga, Digital & Cyber Assurance Specialist, to prepare this briefing based upon the team’s recent experience across the NHS.
Ransomware Attacks
Ransomware attacks have become a prevalent threat in the healthcare sector, with cybercriminals encrypting critical data and demanding payment for its release. For example, the attack on Synnovis, a third-party pathology provider for several NHS trusts, resulted in widespread disruption of blood testing, diagnostics, and scheduled procedures across London hospitals.
NHS Hack Spurs Tougher UK Cyber Rules – MedTechNews
Controls to implement:
- Regular Data Backups: Implement automatic, encrypted backups stored offline to facilitate recovery without yielding to ransom demands.
- Patch Management: Ensure all software and systems are up-to-date with the latest security patches to close known vulnerabilities.
- Endpoint Protection: Deploy advanced threat detection and response solutions across all of your devices to identify and neutralise ransomware before it spreads.
- Zero Trust Security Model: Grant no access to anything by default; each permission is allowed only as a specific, demonstrably approved exception.
- Employee Training: Educate staff on recognising phishing emails and other social engineering tactics commonly used to deliver ransomware.
Phishing and Social Engineering
Phishing attacks involve deceptive communications that trick individuals into divulging sensitive information. Typically this takes the form of an email apparently from someone you know (or think you know) urging you to click a link to do something important. The National Cyber Security Centre (NCSC) has reported a significant increase in severe cyber attacks over the past year, warning of a widening gap in the nation’s ability to combat such threats.
To mitigate this risk:
- Employee Training: Conduct regular cybersecurity awareness sessions to help staff recognise phishing attempts and follow secure password practices.
- Email Filtering: Implement advanced email filtering solutions to detect and block malicious communications before they reach inboxes.
- Multi-Factor Authentication (MFA): Require MFA for accessing sensitive systems to add an extra layer of security against unauthorised access.
Insider Threats
Insider threats, whether intentional or unintentional, pose significant risks to the NHS and other healthcare providers. Employees, contractors, or third-party vendors with access to sensitive information can inadvertently or maliciously compromise cybersecurity.
To address this threat:
- Access Controls: Implement stringent access controls to ensure individuals have access only to the information necessary for their roles. Implementing a zero-trust culture is the ideal – see Ransomware Attacks above.
- Monitoring and Auditing: Regularly monitor user activities and conduct audits to detect and respond to suspicious behaviour promptly.
- Employee Training: Educate staff on the importance of safeguarding sensitive information and the potential consequences of data breaches.
Legacy Systems and Outdated Software
The NHS continues to rely on some legacy systems and outdated software, which often lack necessary security updates and patches. These systems are susceptible to attacks that exploit known vulnerabilities.
To mitigate this risk:
- System Modernisation: Prioritise the modernisation of systems and ensure regular updates to mitigate vulnerabilities. In the interim, ensure that these systems are isolated in such a way as to restrict access to them as much as is feasible.
- Regular Patching: Where extended support is available, establish a routine for applying security patches to all software and systems to address known vulnerabilities.
- Asset Management: Maintain an up-to-date inventory of all hardware and software so that outdated components can be identified and replacement planned for in good time. It is recognised that many outdated devices are very expensive to replace, so the isolation tactic described above may be the only short-term solution.
Inadequate Data Encryption
Inadequate data encryption exposes patient information to unauthorised access during transmission and storage. Implementing robust encryption protocols is vital to protect patient privacy and maintain the integrity of healthcare data.
To enhance data security:
- End-to-End Encryption: Implement end-to-end encryption for data at rest and in transit to ensure unauthorised individuals cannot access sensitive information.
- Key Management: Establish secure key management practices to protect encryption keys from unauthorised access.
- Regular Audits: Conduct regular audits to ensure encryption protocols are effective and up-to-date.
Connected Medical Devices
The proliferation of Internet of Things (IoT) devices, including connected medical devices, introduces new avenues for cyber threats. These devices often have vulnerabilities that, if exploited, can have severe consequences for patient safety and data security.
To secure medical devices:
- Device Hardening: Implement strong security measures for IoT devices, including regular updates and monitoring.
- Network Segmentation: Isolate medical devices on separate networks to limit the impact of potential breaches. See also Legacy Systems and Outdated Software above.
- Vendor Management: Collaborate with device manufacturers to ensure security vulnerabilities are addressed promptly. See also Legacy Systems and Outdated Software above.
Supply Chain Vulnerabilities
Third-party vendors and suppliers may inadvertently introduce vulnerabilities, and attackers may exploit these weak links to gain unauthorised access. In the wake of a significant cyber attack on the NHS by a Russian group, which caused major disruptions for thousands of patients, the government plans to implement stricter cyber security measures for private providers of essential public services.
NHS Hack Spurs Tougher UK Cyber Rules – MedTechNews
To strengthen supply chain security:
- Third-Party Assessments: Conduct thorough security assessments of all components in the supply chain to identify and mitigate potential risks.
- Contractual Obligations: Include cybersecurity requirements in contracts with third-party vendors to ensure they adhere to security best practices. This must include ensuring that they have demonstrably tested incident management plans that take account of their clients’ own plans.
- Continuous Monitoring: Regularly monitor third-party systems and networks for signs of compromise. Periodically review the security assessments mentioned above to confirm that those controls remain in place or have improved since the previous assessment.
Regulatory Compliance Challenges
The NHS must navigate strict data protection regulations, such as the General Data Protection Regulation (GDPR) and the Data Protection Act. Non-compliance not only exposes you to legal repercussions but also heightens the risk of data breaches.
To ensure compliance:
- Regular Audits: Conduct regular audits to assess compliance with relevant regulations and identify areas for improvement. This includes the annual Data Security and Protection Toolkit (DSPT) audit, with which we can provide assistance.
- Policy Development: Develop and enforce comprehensive cybersecurity policies that align with regulatory requirements. Ensure that these are reviewed regularly.
- Staff Training: Educate staff on regulatory obligations and the importance of maintaining compliance to protect patient data.