A cyber security health check for the most vulnerable

Written by Joseph Poppy on 15/02/2019

Who’s most at risk?

Having covered the start-up vs corporate question before, we thought we would look into which industry is currently most at risk of cyber attack. According to the Wikipedia entry ‘list of data breaches’, which contains a list of data breaches (spoilers), out of 255 data breaches over the last 15 years, historically, the hardest hit industry was ‘web’. Now, this raises several questions. Firstly, what am I doing using Wikipedia for research purposes? Well, that’s easy enough to answer. It got me through university and I’m not about to change my habits now. Secondly, what is meant by web? One would assume it’s a business whose revenue is entirely dependent on online activities. That seems a solid theory to go on until Sony Pictures turns up in this category and ruins everything.

The second most hit industry on this list is more interesting and just a little bit concerning: healthcare. The healthcare industry has suffered a good many data breaches over the years. I don’t want to bring up the whole WannaCry NHS incident again, but we’re talking healthcare and cyber security, so it’s inevitable. Whilst not technically a data breach, this attack temporarily crippled many branches of the National Health Service.

The WannaCry attack cost the NHS £92 million and caused 19,000 appointments to be cancelled

Healthcare is many hackers’ top priority

According to various sources, which have given their top five industries most likely to be hit by a cyber attack, healthcare sits at the number one spot. There seems to be little consensus as to what makes up the other four, but everyone’s in agreement that healthcare is set to be bombarded by digital ne’er-do-wells.

This is not particularly surprising as hacking has rarely been particularly focussed. Criminal groups tend to operate independently and are simply looking for ways to monetise their misdeeds, and it ultimately comes down to hacking what they can. Given the state of many healthcare organisations’ IT setup, this makes them a top target. State-backed campaigns and corporate espionage are a different box of frogs altogether, and trying to say anything concrete on that in these charged and precarious times is difficult.

A key motivator for hackers to breach healthcare organisations is financial gain.


Sensitive data, bigger risks

Attacks on this kind of institution are worrying for obvious reasons. If someone gets hold of your personal data by hacking a retail company, they’re likely to get email addresses and passwords. In a worst-case scenario, they’ll get credit card details (unencrypted if the company is particularly negligent). A data breach in healthcare could see highly sensitive data fall into the wrong hands. Medical histories, prescription details, addresses and a lot more could suddenly find their way onto the dark web. It’s not inconceivable to suggest that hackers could use this information to fraudulently obtain prescription drugs to then sell on, just as it’s entirely plausible that malicious actors could alter records, putting patients at risk.

You may think that those clever doctors and nurses staffing the world’s hospitals will be able to pick up on this sort of thing. However, recently, a computer error led to a patient getting 38 times his dosage. I’m glad that the biggest mistake I can make is putting an apostrophe in the wrong place, and even then, it doesnt’ really matter.

Perhaps most worrying of all is the fact that scanning activity and even malicious software has been detected on complex medical equipment, such as X-ray machines. Theoretically, if hackers can infect an X-ray machine, they can influence what it does. I’m not trying to suggest that they could give people a more potent blast of radiation than expected, but that’s only because I don’t know how X-ray machines work. The more likely scenario would be that they can be rendered unusable, causing delays in treatment and a tighter squeeze on already strained services, not to mention a distinct lack of superheroes.

Malicious software has been detected on complex medical equipment

Why is healthcare the #1 target?

Whilst there is the possibility that the healthcare industry might be an appealing target for state-sponsored attacks, the main reason it’s so susceptible at the moment is our old friend, out-of-date software. This potent issue was highlighted as the biggest threat in our 2019 Cyber Security Report.

Understandably, the healthcare industry is always the last to update their software. In every hospital there are a lot of computers that are needed to fulfil a lot of different tasks. Most people in hospital are forced by circumstances to be there and coming back a week later, because it is undergoing a technical overhaul, is rarely an option.

Vulnerabilities are being discovered all the time. Whilst most companies (broadly speaking) have the time and resources to update their equipment and software as and when, healthcare institutions worldwide do not. Resources are perennially stretched, and they’re keeping people alive 24/7.

Out of date software remains a problem for the healthcare industry.

To a certain degree, there’s no such thing as ‘out of hours’ for a hospital. This often means that hacking methods that are ineffective elsewhere are successful here. Hacking groups are not necessarily known for their strong morals, so the fact that they risk damaging patient care is not likely to stop them. As stated previously, hackers hack what they can. Outdated software means they can with ease.


Budget

No other word in the English language is as simultaneously boring as it is profound. The world is effectively run on a budget, and the healthcare industry has an incredibly finite one. Financial restraints also prevent hospitals and care homes from upgrading to more secure operating systems.

Much of the NHS is being kept afloat by Windows 7 or even XP – which is by no means a bad OS, but its final release was ten years ago, and new vulnerabilities are discovered regularly. In some cases, the healthcare industry is so far behind technology-wise that upgrading en masse is not financially feasible. Instead, medical organisations will have to upgrade bit by bit.


Hope for the industry

Of course, in the wake of that (yes here it comes again) infamous WannaCry incident which took advantage of the EternalBlue exploit, deals have been struck to get the NHS upgraded to Windows 10 as soon as possible. Across the globe we seem to be waking up to the threat of a cyberattack in any and all areas. However, the fact that security will soon be ramped up may mean in the short term, we see a surge in malicious activity. Hackers will be desperate to get in there before it’s no longer possible.

In 2018, the NHS signed a new deal to upgrade local NHS computers to Microsoft's Windows 10

What can be done?

First of all, healthcare organisations need to upgrade their systems. It’s a hard task, but it is essential. After that, regular security audits, training, penetration tests, and active monitoring need to take place. Usually, the first stage of an attack is reconnaissance. Scans are launched against an organisation, probing for a way in. If a business is monitoring the right things, all suspicious scanning can be investigated, and offending IPs can be blocked at the perimeter.
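One way to implement the scan monitoring described above (an added example, not Bulletproof's own tooling): flag source IPs whose denied connections touch many distinct host and port pairs within a short window. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall deny events (documentation IP ranges, assumed format).
SAMPLE_LOG = """\
2019-02-15T09:00:01 DENY src=203.0.113.7 dst=198.51.100.10 dport=21
2019-02-15T09:00:02 DENY src=203.0.113.7 dst=198.51.100.10 dport=23
2019-02-15T09:00:03 DENY src=203.0.113.7 dst=198.51.100.10 dport=445
2019-02-15T09:00:04 DENY src=203.0.113.7 dst=198.51.100.11 dport=445
2019-02-15T09:00:05 DENY src=203.0.113.7 dst=198.51.100.11 dport=3389
2019-02-15T09:00:06 DENY src=203.0.113.7 dst=198.51.100.12 dport=3389
2019-02-15T09:00:10 DENY src=192.0.2.44 dst=198.51.100.10 dport=8443
2019-02-15T09:00:12 DENY src=192.0.2.44 dst=198.51.100.10 dport=8443
2019-02-15T09:00:15 DENY src=192.0.2.44 dst=198.51.100.10 dport=8443
"""

LINE_RE = re.compile(r"^(\S+) DENY src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log_text):
    """Yield (timestamp, src, (dst, dport)) for each well-formed deny line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), src, (dst, int(dport))

def find_scanners(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: most distinct (dst, port) pairs denied inside any one
    window} for every source that reaches min_targets."""
    by_src = defaultdict(list)
    for ts, src, target in parse(log_text):
        by_src[src].append((ts, target))
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        start, best = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({t for _, t in events[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A client retrying one blocked port (192.0.2.44 in the sample) stays below the threshold because only distinct targets are counted; a scan spread over a longer period than the window would need a wider window to be caught.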

Not just that, many healthcare providers could benefit from active threat hunting. Trained security analysts can investigate other suspicious activities. From unexpected logins or user behaviour to potentially malicious files being transferred and file alterations, anything can be picked up quickly and resolved before any damage is done. We’ve protected businesses from persistent threats that could well have been passed off as nothing if left to monitoring alone.

This may not seem entirely feasible for the likes of the NHS, though certain individual trusts have been moving towards SIEM technology. Adequate segmentation could allow for monitoring to take place on certain problem areas, i.e. the publicly facing assets.

Real time threat monitoring can stop reconnaissance scans at the perimeter.


Everyone’s at risk. Everyone can be protected.

Whilst healthcare may sit at the top of everyone’s ‘at risk list’, if the right steps are taken this will certainly change. The right steps will be taken out of necessity should a pattern of attacks emerge. In a wider view, it’s important to realise that every industry is at risk and can be targeted at any moment. Hackers are many and varied; they are not all motivated by the same goal or going after the same targets.

All organisations are responsible for their own security posture. This can be strengthened by strong app design and infrastructure management, which can be tested with a thorough penetration test. Ongoing active monitoring with threat hunting can add another line of defence and help with remediation and forensic investigations. Make sure you’re doing your bit to ensure your industry doesn’t creep to the top of the list.

