How can the NHS prepare for a possible WannaCry 2?

Richard Staynings discusses the challenges of protecting our NHS and healthcare system against the real world threat of cyber attacks, as the NHS continues to strive to digitally transform

The Russian attack against Ukraine has begun, amplifying the real risk of a cyber attack upon Western public services. In addition, the government last month launched its first cyber strategy to increase protection for these very same services – critical services like our healthcare system, that patients rely upon 24/7. A cyber attack that penetrates healthcare systems could mean critical patient data is held to ransom, ambulances are re-routed, medical IoT devices are compromised, and a hospital's fleet of mobile devices is breached. Hackers are playing with life or death at the click of a button.

Elevated cyber threat landscape
Vladimir Putin's invasion of Ukraine has made headline news the world over. A few hours before Russian tanks began rolling into Ukraine, Microsoft raised the alarm, warning of a never-before-seen piece of 'wiper' malware, FoxBlade, that appeared aimed at the country's government ministries and financial institutions. ESET Research Labs, a Slovakia-based cyber security company, said it too had discovered a new 'wiper', while Symantec's threat intelligence team said the malware had affected Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. ESET has named the malware, which renders computers inoperable by preventing them from rebooting, HermeticWiper. As part of its offensive, Russia combined military and cyber weapons to engage in a multi-front hybrid war.

So, could another cyber attack like WannaCry take down the NHS?
The global WannaCry ransomware attack in 2017 was devastating to the NHS and many of its hospitals and clinics. The cyber attack caused critical healthcare IT and IoT systems to be unavailable to caregivers, leaving hospitals unable to treat patients and causing the diversion of emergency ambulances, the postponement of scheduled procedures, and inconvenience to the general public. It was also a major patient safety scare, as those in need of medical intervention were in many cases denied immediate treatment.

When the dust finally settled, an investigation determined that a large number of NHS IT and IoT systems were end-of-life and needed to be replaced, while other systems had not been updated or patched with critical security updates in accordance with recommendations from Microsoft and other vendors. The government intervened, making new funding available for equipment replacement, while NHS trusts and NHS Digital put in place improved practices around patching and security of IT systems. But addressing the security vulnerabilities in highly regulated IoT equipment like medical devices was, and still is, another matter.

Medical and other healthcare IoT (HIoT) devices comprise systems that are used to diagnose, monitor, manage, and treat patients. More often than not they are connected directly to the patient on one side and to hospital networks on the other. They include everything from infusion pumps used to administer drugs to patients, to large imaging systems used for diagnosis, to radiological cancer treatment systems used to shrink tumours. Many of these systems, if compromised by cyber attack, could cause significant harm to patients and those treating them. The risk impact is therefore high.

Because patching regulated medical devices is often slow or impossible, HIoT devices demand special security considerations and compensating security controls such as isolation and network segmentation. But before that can happen, security administrators need to accurately identify, profile, and risk assess each device connecting to the network, so that segmentation doesn't break the functionality of devices. The same device profile then serves as a behavioural baseline: traffic that departs from it (an unexpected peer, port, or data volume) can quickly be flagged by SIEM tools and the security operations centre (SOC) alerted.
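The profile-then-baseline idea above, as an added example that is not code from the article, from Cylera, or from any NHS trust. It assumes a constructed asset inventory, a hand-written per-device-type profile of expected peers and ports, and a simplified flow-log record (source, destination, port, bytes); in a real deployment the profile would be learned over an observation window and the inventory would come from the device identification step. The one profile drives both outputs a practitioner wants: the segmentation allowlist that keeps devices working, and the deviation checks that feed the SOC.

```python
"""Per-device behavioural profiles for HIoT: segmentation rules + deviation alerts.

Added example, not the article's or Cylera's code. Device types, IPs,
ports and byte limits below are constructed for illustration.
"""
from collections import defaultdict

# Constructed per-type profile: the peers/ports a device legitimately needs
# (assumed: pump server for infusion pumps, DICOM/PACS for a CT scanner)
# plus a per-flow volume ceiling observed during a baseline window.
PROFILES = {
    "infusion_pump": {
        "allowed": {("10.10.5.20", 443), ("10.10.5.21", 8443)},
        "max_bytes_per_flow": 200_000,
    },
    "ct_scanner": {
        "allowed": {("10.10.7.10", 104), ("10.10.7.11", 11112)},
        "max_bytes_per_flow": 5_000_000_000,
    },
}

# Constructed asset inventory produced by the identification/profiling step.
ASSETS = {
    "10.20.1.15": "infusion_pump",
    "10.20.1.16": "infusion_pump",
    "10.20.3.40": "ct_scanner",
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.10.5.20", 443, 12_000),        # normal
    ("10.20.1.15", "10.10.5.20", 443, 300_000),       # normal peer, abnormal volume
    ("10.20.1.16", "10.10.5.20", 443, 9_000),         # normal
    ("10.20.1.16", "10.20.3.40", 445, 800),           # pump -> scanner over SMB: lateral movement
    ("10.20.3.40", "10.10.7.11", 11112, 2_000_000),   # normal DICOM transfer
    ("10.20.3.40", "203.0.113.9", 443, 650_000),      # scanner -> internet: possible C2/exfil
    ("10.20.9.99", "10.10.5.20", 443, 500),           # device not in inventory
]


def allowlist_rules(profiles=PROFILES, assets=ASSETS):
    """Derive segmentation allow rules (src, dst, port) from the profiles.

    Everything not listed is what the segment should deny by default, so a
    profile gap shows up as a broken device in testing, not in production.
    """
    rules = []
    for src, dtype in assets.items():
        for dst, port in profiles[dtype]["allowed"]:
            rules.append((src, dst, port))
    return sorted(rules)


def classify_flow(src, dst, port, nbytes, profiles=PROFILES, assets=ASSETS):
    """Return None if the flow matches the device's baseline, else a reason string."""
    dtype = assets.get(src)
    if dtype is None:
        return "unknown-device"
    prof = profiles[dtype]
    if (dst, port) not in prof["allowed"]:
        # Name the peer when it is another managed device: that is the
        # lateral-movement case segmentation is meant to stop.
        peer = assets.get(dst)
        suffix = f" (managed {peer})" if peer else ""
        return f"unexpected-peer:{dst}:{port}{suffix}"
    if nbytes > prof["max_bytes_per_flow"]:
        return "volume-above-baseline"
    return None


def find_deviations(flows, profiles=PROFILES, assets=ASSETS):
    """Group deviations by source device so the SOC gets one alert per device."""
    alerts = defaultdict(list)
    for src, dst, port, nbytes in flows:
        reason = classify_flow(src, dst, port, nbytes, profiles, assets)
        if reason:
            alerts[src].append(reason)
    return dict(alerts)


if __name__ == "__main__":
    for rule in allowlist_rules():
        print("ALLOW", *rule)
    for device, reasons in find_deviations(SAMPLE_FLOWS).items():
        print("ALERT", device, ASSETS.get(device, "unknown"), reasons)
```

The unknown-device case is deliberately an alert rather than silently ignored: a device that was never profiled is exactly the one that segmentation would either break or fail to contain.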

As part of the government's strategy of increasing the security of the health service, it recently implemented the Data Security and Protection Toolkit (DSPT), an assessment tool for the NHS to measure and understand its security posture against the National Data Guardian's 10 data security standards. Thankfully, Cylera customers can easily pull the asset-risk data needed for DSPT reporting from the Cylera reporting console.

Trusts are also required to respond to NHS Digital Cyber Alerts with details such as the number of affected devices and their mitigation plans. To facilitate this, Cylera recently announced the launch of its Cylera Cyber Alert Dashboard. Customers can search by CA number and see immediately whether they have any affected devices. The dashboard also provides suggested remediation measures, mitigation plans, and interim compensating security controls.

However, compliance is one thing, security is another. To be secure, administrators need good visibility into what and who is connected to hospital networks and what each of those systems and users is doing. That's why Royal Bolton Hospital, Cylera, and Core to Cloud joined forces to protect patients against another devastating cyber attack.

The Royal Bolton team was conscious that they didn't have the time to be actively searching for breaches and attacks 24/7. They wanted a solution that could understand the behaviours and patterns on the network, perform analytics, and automatically resolve issues where necessary. In the event of WannaCry part 2, they didn't want to be underprepared. The Core to Cloud team combined Cylera with Vectra and Pentera, allowing threats to be detected in real time and automated penetration tests to be run to uncover exploitable weaknesses on the network. Deployment and ongoing operation had zero impact on existing systems and processes, removing concerns about disruption to patient care.

Commenting on the Bolton NHS implementation, Mark Liddle, COO of Core to Cloud, said: “Our dedicated healthcare team have a depth of knowledge from working within this sector for many years and we are delighted to be working with Richard Staynings and all his Cylera colleagues. The senior team at Core to Cloud work closely with some of the central teams in around 45 of the UK’s largest NHS trusts to help ensure our technology solutions are aligned to the needs of the health sector.”

With the real-time threat detection stack (a combination of Vectra, Pentera, and Cylera) in place, the solution now quarantines hostile threats with industry-leading accuracy.

Richard Staynings is an internationally renowned expert in the field of healthcare cyber security, is an Adjunct Professor of cyber security and health informatics at University College Denver, and serves as Chief Security Strategist for Cylera, a pioneer in the space of medical device security. Richard has served on various government committees of Inquiry into some of the largest healthcare breaches and is a regular presenter at healthcare and security conferences across the world.

He will be presenting this week at both the global HIMSS Conference in Orlando and at Digital Health Rewired in London.