



UK healthcare struggles to keep pace with evolving cybersecurity threat landscape

Apr 01, 2020 | 12 mins
Cyberattacks, Healthcare Industry, Security

The WannaCry incident spurred The National Health Service and UK healthcare providers to improve their cybersecurity posture, but experts say more work needs to be done.

Credit: Metamorworks / Getty Images

The UK’s healthcare industry operates at huge scale with large amounts of personal data of practically every person in the country—all of which needs securing. Compounding that challenge, the National Health Service (NHS) with its multi-billion-pound budget is in near constant change around digital transformation, has a largely federated operating structure, and relies on many small suppliers.

Yet the healthcare industry and the NHS have made progress in their ability to protect their systems and data from attack.

WannaCry: A turning point for cybersecurity in UK healthcare

The WannaCry incident was a global event, but one of the most notable victims was the UK’s NHS. It was a watershed moment for the NHS and how it approaches cybersecurity.

The WannaCry ransomware attack, thought to have been created by the North Korean threat actor the Lazarus Group, used the NSA-created EternalBlue exploit for the Windows Server Message Block (SMB) protocol, which had been leaked by the Shadow Brokers. Though a patch was available at the time of the attack, none of the affected NHS organisations had applied it, despite being advised to do so by a bulletin from NHS Digital’s CareCERT.

According to Government figures, WannaCry affected at least 81 out of 236 NHS trusts as well as 603 primary care and other organisations, including 595 out of 7,454 GP practices. Up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – were affected. Patient data and email services were unavailable, some healthcare workers had to turn away non-critical emergencies, and some ambulances were diverted.

Cost estimates for the attack have been pegged at around £92 million—£20 million during the outbreak plus £72 million in the aftermath. While no deaths were directly attributed to the attack, admissions were notably affected. A decrease of about 6% in total admissions per infected hospital per day was observed, with 4% fewer emergency admissions and 9% fewer elective admissions. An estimated 19,000 appointments were cancelled.

In the aftermath, the reports were not kind to those in charge of the NHS. Kingsley Manning, former chairman of NHS Digital, told the BBC after the incident that “a lack of focus, a lack of taking it seriously” amongst NHS organisations was a contributing factor to the attack’s success.

The National Audit Office said all affected organisations “could have taken relatively simple action to protect themselves.” It also reported that the Department of Health (DoH) had been warned of the risks around legacy operating systems but “had no formal mechanism for assessing whether local NHS organisations had complied with their advice and guidance and whether they were prepared for a cyberattack.” Despite having a plan outlining the roles and responsibilities of national and local organisations in responding to an attack, the DoH hadn’t tested the plan at a local level.

In the wake of WannaCry, the UK Government came up with a new strategy for dealing with cybercrime, including local action plans for achieving Cyber Essentials Plus accreditation, creating IT guidelines for organisations hosting clinical systems and patient data, appointing data security leads on boards, creating standards for patching diagnostic equipment, and more.

A year after the attack, NHS Digital completed on-site assessments to test cybersecurity and identify vulnerabilities at 200 trusts. All 200 trusts failed the assessment. A Parliamentary committee was told this was because “a high bar” had been set against Cyber Essentials Plus standards, but some trusts failed the assessment “purely because they had still not patched their systems.”

Those shortcomings and a transition to cloud-based systems leave UK healthcare providers open to risk.

Digital transformation adds cloud risk

UK healthcare organizations are undergoing massive digital transformation. According to the 2017 Healthcare Information and Management Systems Society (HIMSS) Analytics Cloud Survey, 65% of hospitals were using cloud services in some capacity, and most electronic health records are expected to be cloud-based by 2020. However, greater use of the cloud adds the risk of misconfiguration and data leakage, along with a greater reliance on third parties.

“As healthcare organisations embrace the cloud a lot more than before and attackers increasingly target the supply chain, it is important that organisations understand the adversaries targeting them and, critically, minimize the gap between the discovery and recovery of a cyberthreat,” says Jens Monrad, head of FireEye’s Mandiant Threat Intelligence, EMEA.

UK healthcare more vulnerable to attacks, phishing

According to Verizon’s 2019 Data Breach Investigations Report, healthcare organisations are more likely than other industries to see breaches resulting from privilege misuse, lost or stolen assets, or web application attacks. Insider incidents, whether malicious or accidental, are more likely to happen than external ones. Healthcare organisations are almost seven times more likely to feature a causal error than other verticals.

At the same time, healthcare is the UK sector most vulnerable to phishing attacks, according to Carbon Black’s 2019 UK Threat Report, with half of all breaches reportedly involving phishing. NHS Digital claims it stops an average of half a billion malicious emails every three months. Despite security training being mandatory for all NHS staff members, a RedScan Freedom of Information request from 2018 shows that only 12% of NHS trusts had trained all of their staff.

Proofpoint’s Healthcare Threat Report 2019 suggests that 95% of healthcare companies saw emails spoofing their own trusted domain, usually carrying “urgent requests for payment” or loaded with Emotet malware or ransomware such as GandCrab. Ransomware remains a potential challenge. Though none paid any ransoms, Comparitech found that at least 65 NHS trusts had been victims of a successful ransomware attack since 2014, resulting in 206 days of downtime.

A study by Clearswift found that 67% of UK healthcare organisations had experienced a cybersecurity incident in the past year, almost half of which occurred as a result of viruses or malware introduced from third-party devices, including IoT devices and USB sticks.

Risk from outdated devices, operating systems

Due to limited budgets and the long lifespan of devices, healthcare environments are often full of equipment that runs on out-of-support software and operating systems, such as x-ray machines and MRI scanners. While this is a risk in itself, the issue is compounded by a lack of segmentation. Palo Alto’s 2020 IoT Threat Report found that 72% of healthcare VLANs mix IoT and IT assets, increasing the risk that a compromise of one set of devices spreads to the other.

Though most devices infected during WannaCry were unpatched Windows 7 machines, the NHS still had a large estate of XP machines relying on extended support from Microsoft. Even though Microsoft cut a deal with the NHS to provide Windows 10 upgrades for free, over a third of NHS computers — around half a million PCs — were reportedly still running Windows 7 in February of this year, ZDNet reported (though these devices have extended support from Microsoft until 2021).

“It is never a good idea to use an out-of-date OS even with extra paid-for support, as it may harm your network should future flaws be found,” says Jake Moore, cybersecurity expert at ESET. “Legacy software is usually the first reason for not doing so, but updating your software to work with Windows 10 will cost far less than having another WannaCry hit the NHS.”

The issue of legacy systems is compounded by a lack of cohesion around patching. A report into cybersecurity in the NHS by Imperial College London notes that the IT landscape within the NHS is “highly heterogeneous and inconsistent” and that no catalogue exists to systematically list all software and hardware deployed within the NHS, meaning there is a “severe lack of awareness of vulnerabilities.” The report also noted that because of the NHS’s complex structure, there is “a lack of clearly defined responsibilities and security preparedness in the face of a cyberattack” that make it “near impossible to assess the NHS’s resilience” and the potential effect an event would have on the health and social care system.
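The two concrete findings above, devices on out-of-support operating systems and VLANs that mix IoT or medical equipment with ordinary IT hosts, are both things a trust can check against its own asset register. The following Python is an added example, not code from the article or from any NHS body; the inventory, the device-class taxonomy ("it", "iot", "medical") and the support-end dates are all constructed for illustration and would come from a real CMDB and vendor lifecycle data in practice.

```python
"""Asset-register checks for two findings: out-of-support operating systems
and VLANs that mix IT hosts with IoT/medical devices.
Added example; every asset below is constructed, not a real NHS device."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    hostname: str
    vlan: int
    device_class: str         # assumed taxonomy: "it", "iot" or "medical"
    os_name: str
    support_end: date | None  # vendor end-of-support; None = not catalogued


# Constructed sample inventory. The support_end values are illustrative
# placeholders, not vendor lifecycle figures.
INVENTORY = [
    Asset("ward3-pc01", 10, "it", "Windows 10", date(2025, 12, 31)),
    Asset("ward3-pc02", 10, "it", "Windows 7", date(2019, 12, 31)),
    Asset("radiology-mri01", 10, "medical", "Windows XP", date(2014, 12, 31)),
    Asset("radiology-xray02", 20, "medical", "Windows 7", date(2019, 12, 31)),
    Asset("pharmacy-fridge01", 30, "iot", "embedded-linux", None),
    Asset("pharmacy-pc01", 30, "it", "Windows 10", date(2025, 12, 31)),
    Asset("theatre-pump04", 40, "medical", "embedded-rtos", None),
]

# Date the assessment is run against (constructed).
ASSESSMENT_DATE = date(2020, 4, 1)


def unsupported_assets(assets, today):
    """Hostnames whose OS is past vendor support, or whose support end is
    unknown. Unknown counts as a finding: a device missing from the catalogue
    cannot be put on a patch schedule, which is the awareness gap the
    Imperial College report describes."""
    return sorted(
        a.hostname for a in assets
        if a.support_end is None or a.support_end < today
    )


def mixed_vlans(assets):
    """VLAN IDs that carry both ordinary IT hosts and IoT/medical devices,
    i.e. where a compromised PC and a scanner share a broadcast domain."""
    classes = defaultdict(set)
    for a in assets:
        classes[a.vlan].add("it" if a.device_class == "it" else "ot")
    return sorted(v for v, c in classes.items() if c == {"it", "ot"})


def report(assets, today):
    """Combined findings as a dict, suitable for feeding into a ticketing
    or GRC workflow."""
    return {
        "unsupported": unsupported_assets(assets, today),
        "mixed_vlans": mixed_vlans(assets),
    }


if __name__ == "__main__":
    for key, value in report(INVENTORY, ASSESSMENT_DATE).items():
        print(f"{key}: {value}")
```

Treating a missing support date as a finding rather than silently skipping it is the design choice worth noting: the gap the report complains about is precisely the devices nobody has catalogued, so the check should surface them instead of assuming they are fine.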

Though all industries will say they struggle for cybersecurity talent, the issues seem particularly acute within UK healthcare. RedScan found that, on average, NHS trusts employ just one qualified security professional per 2,582 employees, and nearly a quarter of trusts have no employees with security qualifications (24 out of 108 trusts).

APT groups UK healthcare needs to watch

Healthcare organizations can make attractive targets to threat actors. Personal and health data can be sold on the dark web, valuable IP can be used to further political goals or aid corporate rivals, and money can be made quickly in organizations where operations are literally critical to life.

“The main threats against healthcare organisations can be split into two motivational sets,” says FireEye’s Monrad. “Firstly, those who target the industry, regardless of security controls, because the data that they are after can potentially improve their state-owned healthcare organisations.”

“The second category is financially motivated attackers, and they could and have historically targeted healthcare organisations, in particular hospitals, because they are a more vulnerable target and are more likely to pay a ransom. For example, it’s likely that these groups will target the healthcare industry now due to the current crisis most nations are facing with Corona/COVID-19.”

APT41

APT41 is a Chinese-related espionage group, thought to operate in line with the goals of China’s Five-Year economic development plan but also to gather sensitive intelligence around upcoming business and political news and events. Active since as early as 2012, the group is known to target companies in the UK and includes healthcare organizations in its list of victims. Its attack repertoire is broad and has been dubbed “highly advanced” by FireEye. The security firm has found APT41 targeting pharmaceutical development information, clinical trial data, and intelligence regarding a medical subsidiary’s parent company, using keyloggers, spoofed domains, harvested passwords and compromised third-party access software.

APT18

APT18 (a.k.a. Dynamite Panda, Scandium, TG-0416 or Wekby) is another Chinese-affiliated group known to target healthcare. Active since 2009 and known to use zero-day exploits, it is best known for stealing the health data of around 4.5 million people from Community Health Systems in 2014, but it has also targeted a number of biotech and pharmaceutical organisations and medical device manufacturers.

APT10

APT10 (a.k.a. Stone Panda, MenuPass, CloudHopper and Red Apollo) is another group that the NCSC says has a history of targeting the UK. This Chinese-associated group is known to hijack MSPs to reach other organizations, to use the Quasar RAT, and to deploy cryptominers as it exfiltrates data.

Orangeworm

Orangeworm, first identified by Symantec, is known to target large healthcare organizations across the US, UK and Europe. Its Kwampirs malware has been found on machines used to control high-tech imaging devices such as x-ray and MRI machines. Though Orangeworm is presumed to be collecting information for corporate espionage, Symantec has suggested that the group is not state-sponsored.

Other groups also known to broadly target both the UK and healthcare industries include APT1 (a.k.a. PLA Unit 61398 or Comment Crew), Operation Parliament, and APT37 (a.k.a. Reaper Group).

NHS making progress around cybersecurity

Since the wake-up call that was WannaCry, government healthcare organisations in the UK have taken steps to improve their security posture. The Government has invested £60 million in healthcare cybersecurity since 2017, and in October 2018 the Department of Health and Social Care announced its intention to spend over £250 million by 2021 to protect key services from cyberattacks.

“Due to increased awareness of the targeting of the healthcare industry globally, the UK healthcare is in a better place than before,” says FireEye’s Monrad. “Several initiatives, for example producing a Cyber Handbook, increased focus on potential security gaps, and greater investment, have helped to improve security maturity in the UK healthcare system.”

A new NHS Security Operations Center has been set up, NHS trusts have been asked to meet the Cyber Essentials Plus government standard, and NHS Digital has launched a Data Security and Protection Toolkit, a self-assessment tool that all organisations with access to NHS patient data and systems must use to provide assurance that they are practising good cyber hygiene. NHS Digital also provides services including on-site assessments, vulnerability testing, network monitoring and threat intelligence, and the centrally funded NHS Secure Boundary firewall solution.

“NHS organisations ultimately are responsible for their own cybersecurity risk; however, we work together to face and tackle the challenges around cybersecurity,” an NHS Digital spokesperson tells CSO. “We collaborate with all areas of the system to ensure they are aware of potential threats and have the necessary tools and knowledge to improve cyber resilience.”

“In the three years since the Wannacry incident, NHS Digital has developed a range of specific, targeted, and relevant cybersecurity services and capabilities to enable organisations to implement and embed good practice and to deliver strategic, technical capabilities that add a significant layer of protection to local networks and contribute to a defence in depth approach.”

Healthcare organisations have also been taking steps to improve security. Matt Hancock, UK secretary of state for health and social care, said last year that more than 100 NHS boards had completed GCHQ-accredited cybersecurity training in the two years since WannaCry struck. All but one of the NHS trusts and foundation trusts now have a board member with responsibility for cybersecurity.

Nearly half (45%) of healthcare organisations feel more confident that they can repel cyberattacks and prevent breaches than they did the year before, according to Carbon Black’s 2019 UK threat report. Comparitech’s report on ransomware in the NHS found that there were just six ransomware attacks on the NHS across 2018 and 2019 (down from 101 in 2017), showing that progress has been made.

However, more work still needs to be done. A 2019 report from Imperial College’s Institute of Global Health Innovation (IGHI) says more investment is “urgently needed” and recommends a range of new measures and initiatives. These include employing more cybersecurity professionals, building “fire-breaks” into systems so that infected segments can be isolated, and having clearer communication channels so staff know where to get help and advice on cybersecurity.

“Since the WannaCry attack in 2017, awareness of cyberattack risk has significantly increased,” said the report’s lead author Dr. Saira Ghafur. “However, we still need further initiatives and awareness, and improved cybersecurity hygiene to counteract the clear and present danger these incidents represent…. NHS trusts are already under financial pressure, so we need to ensure they have the funds available to ensure robust protection against potential threats. Addressing the issue of cybersecurity will take time, as we need a shift in culture, awareness and infrastructure. Security needs to be factored into the design of digital tools and not be an afterthought.”