Protecting hospitals - and patients - from cyberattacks
Security experts warn that more major cyber attacks like the WannaCry ransomware attack of May 2017 are inevitable. How will hospitals be affected and what steps must they take to protect themselves and their patients? Robin Gauldie investigates
The Chief Executive of the UK’s National Cyber Security Centre, Ciaran Martin, has warned that a major cyberattack on the UK is a matter of ‘when, not if’, raising the prospect of devastating disruption to British elections and critical infrastructure.
Citing newly released figures on the number of cyberattacks on the UK over the previous 15 months, Martin said the UK had been fortunate to avoid a so-called category one (C1) attack, broadly defined as one that could cripple infrastructure such as energy supplies or the financial services sector. The US, France and other parts of Europe have already faced such attacks. Some are launched by profit-motivated criminal groups using ‘ransomware’ to lock victims out of their own computer systems until the hackers are paid off. Some originate with governments, or with deniable non-state actors operating on their behalf. Others are the work of politically motivated networks such as the shadowy Anonymous collective, or of individual hackers ‘showing off’ their skills.
State actors
In 2009, Israel and the US allegedly deployed a computer ‘worm’ called Stuxnet, discovered in 2010, to damage centrifuges in Iran’s nuclear programme, an operation widely cited as the first cyberattack by a state to cause physical destruction of equipment. Russia, for its part, has been accused of backing thousands of attacks on state infrastructure in countries including Estonia (in 2007) and, more recently, Ukraine, a charge that it denies. The motives for such state-sponsored attacks are political, not financial, and although hospitals have not (so far) been directly targeted, they are at risk of becoming collateral damage when vital public infrastructure such as power supplies and telecommunications is attacked.
Wherever such attacks originate, the problem is now a fact of life. Hospitals, like other vulnerable corporate institutions, have been slow to react and are tempting targets.
North Korea was blamed for the worldwide outbreak in May 2017 of the WannaCry ransomware worm, which spread between unpatched Windows machines without any user action and posed a serious challenge to Britain’s National Health Service (NHS).
Many hospitals in the UK and elsewhere relied on computers using Windows XP, introduced by Microsoft in 2001. In April 2014, Microsoft ended support, including security upgrades, for Windows XP and warned users that computers running the system would thereafter be insecure and at risk from infection. In 2014, the UK Government signed a £5.5 million contract with Microsoft for the extended support of Windows XP until 2015 but did not renew it. Instead, individual hospital trusts still using XP were left to choose for themselves whether to continue with support. Many failed to recognise the security risks.
“Modern medical devices are fully-functional computers that have an operating system and applications installed on them,” said Sergey Lozhkin, Senior Security Researcher in the Global Research and Analysis Team at Kaspersky Lab, a global cyber security company that analysed the Stuxnet worm after its discovery in 2010. Kaspersky’s numerous healthcare sector clients include the Dutch hospital and clinic group ZGT, the Belgian AZ Sint Jan hospitals with 1,238 beds in Bruges and Ostend, and the Illinois-based Riverside Healthcare group.
“Most of these devices have a communication channel to the internet, external networks and different types of custom cloud-based servers. These devices are full of technologies made for one goal – to help doctors treat their patients at the highest level,” he said.
Security, Lozhkin says, is often given a lower priority. Vulnerabilities in program design and architecture, insecure authorisation, unencrypted communication channels and critical bugs in software can all compromise these devices, he warns.
Despite these warnings, many NHS hospitals neglected to migrate to supported versions of Windows, or at least to apply the patch Microsoft had released in March 2017 (MS17-010) for the SMBv1 flaw that WannaCry used to spread. When WannaCry hit, this proved to have been an expensive false economy.
Extortion and theft
When organised cyber crooks attack hospital systems, their motives are to demand ransom and/or to steal data that they can either use fraudulently or sell on to other criminals.
Hospitals using proprietary software and outmoded operating systems are sitting ducks for hackers looking to steal confidential patient information that can be sold on to other criminals, wrote Dr Krishna Chinthapalli, a neurology registrar at the National Hospital for Neurology and Neurosurgery in London, in the British Medical Journal (January 2018). Hospitals are probably more willing than other organisations to pay for quick recovery of their data, he said.
US hospitals, many of which are run as commercial operations with a bottom line to protect, are arguably even more tempting targets for criminals (though not necessarily for political players or exploit-seekers) than non-profit healthcare providers such as NHS hospitals in the UK.
According to some estimates, as many as half of all US hospitals have been hit by ransomware. In February 2016, Hollywood Presbyterian Medical Center in Los Angeles became the first US hospital to admit publicly that it had paid a ransom to regain access to its computer systems. It reportedly paid 40 Bitcoins, then worth about US$17,000, in the digital currency favoured by criminal gangs, and denied rumours that the initial demand had been for $3.4 million.
Security experts have pointed out that the criminals behind such attacks often demand a relatively small ransom in order to make paying seem a more affordable option.
Allen Stefanek, the hospital’s President and Chief Executive, said paying the ransom was ‘the quickest and most efficient way to restore our systems and administrative functions,’ adding that it had been done ‘in the best interest of restoring normal operations’.
However, just as with old-school extortion, there is no guarantee that paying ransom will end the problem, cautioned the US Federal Bureau of Investigation.
Threats will increase
The threats to healthcare will increase as ever more connected devices and vulnerable web applications are deployed by healthcare facilities, according to another Kaspersky researcher, Denis Makrushin.
“Every connection, every device, and every piece of data moved across and between networks in the connected healthcare ecosystem is potentially at risk in a cyberattack,” Makrushin said.
“Health data is extremely valuable on the black market, and medical systems can be life critical, so organisations are easy targets for extortion.”
Kaspersky’s research reveals the extent to which medical information and patient data is left vulnerable to any motivated cyber criminal, he said.
“The risk is heightened because cyber villains increasingly understand the value of health information, its ready availability, and the willingness of medical facilities to pay to get it back.”
Speaking at the European Cyber Security Weekend in Dublin in November 2017, Makrushin warned that, in 2018, the healthcare sector will face more attacks aimed at extortion, data theft and disruption.
“The concept of a clearly-defined corporate perimeter will continue to erode in medical institutions as evermore workstations, servers and mobile devices go online. Keeping defences and endpoints secure will be a growing challenge for healthcare security teams as every new device will open up a new entry point into the corporate infrastructure.”
Case study: WannaCry and NHS England, May 2017
WannaCry was the largest cyberattack to affect the NHS in England, although there had been previous attacks on individual NHS trusts. In the investigation that followed, the National Audit Office (NAO) highlighted shortcomings in the NHS’s defences. “It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice,” said Amyas Morse, Head of the UK NAO. “The Department (of Health, since renamed the Department of Health and Social Care, DHSC) and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
As early as 2014, the UK Government had urged NHS trusts to migrate away from the obsolescent but widely used Windows XP operating system by April 2015. Two years later, in March and April 2017, NHS Digital (the NHS’s IT service) issued critical alerts telling organisations to apply the Microsoft patch for the vulnerability that WannaCry went on to exploit, but the DHSC had no way of ensuring that local NHS organisations complied. At least 81 out of 236 trusts and a further 603 primary care and other NHS organisations were infected by WannaCry, according to the NAO, but NHS Digital believes no patient data was compromised or stolen. NHS England estimated that more than 19,000 appointments were cancelled.
According to DHSC, NHS England and the UK National Crime Agency no ransom was paid, but the cost of 19,000 cancelled appointments, additional IT support and restoring affected data and systems is not known. The NAO’s report of the investigation, issued 27 October 2017, said the cyberattack could have caused more disruption had a cyber researcher not activated a ‘kill switch’ so that WannaCry stopped locking devices. DHSC had developed a plan for responding to such an attack but had not tested it at local level.
“As the NHS had not rehearsed for a national cyberattack it was not immediately clear who should lead the response and there were problems with communications,” the report said. Email systems had been infected by WannaCry or were shut down as a precaution, and NHS staff had to fall back on using landline phones and personal mobile devices – some of which had also been encrypted by WannaCry.
“NHS Digital told us that all organisations infected by WannaCry could have taken relatively simple action to protect themselves,” the NAO report states. “Infected organisations had unpatched, or unsupported Windows operating systems so were susceptible to the ransomware. However, whether organisations had patched their systems or not, taking action to manage their firewalls facing the internet would have guarded organisations against infection.”
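The NAO’s point about internet-facing firewalls is checkable. WannaCry spread by exploiting SMBv1 over TCP port 445 (with NetBIOS session traffic on 139 as the usual companion), so an organisation that did not accept inbound SMB from outside its own address space was unreachable by the worm, patched or not. The Python script below is an added example, not NHS Digital or NAO tooling: it triages a constructed firewall log in a made-up one-line-per-connection format and lists the internal hosts that accepted SMB connections from external addresses. The internal address ranges, the log format and the sample lines are all assumptions made for the example.

```python
"""Triage a firewall accept-log for internet-exposed SMB.

Added example only: the log format, the internal ranges and the sample lines
are constructed for illustration and are not taken from any NHS system.
"""
import ipaddress
import re
from collections import Counter

# Hypothetical internal address space of the organisation (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Ports used by SMB over TCP (445) and NetBIOS session service (139);
# WannaCry's SMBv1 exploit targeted 445.
SMB_PORTS = {445, 139}

# Constructed log format: "<timestamp> <verdict> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<verdict>ACCEPT|DROP)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr):
    """True if addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_exposed_smb(lines):
    """Return accepted TCP connections to SMB ports on internal hosts
    that came from external sources: the exposure the NAO described."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage rather than crash on a bad log line
        if (rec["verdict"] == "ACCEPT" and rec["proto"] == "TCP"
                and rec["dport"] in SMB_PORTS
                and is_internal(rec["dst"]) and not is_internal(rec["src"])):
            hits.append(rec)
    return hits


def summarise(hits):
    """Count (internal host, port) pairs exposed to the internet; this is
    the list to close at the perimeter firewall first."""
    return Counter((h["dst"], h["dport"]) for h in hits)


# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet addresses.
SAMPLE_LOG = [
    "2017-05-12T07:44:01Z ACCEPT TCP 203.0.113.5:51234 -> 10.20.30.40:445",   # exposed
    "2017-05-12T07:44:02Z ACCEPT TCP 203.0.113.5:51235 -> 10.20.30.41:445",   # exposed
    "2017-05-12T07:44:03Z DROP TCP 203.0.113.9:4000 -> 10.20.30.40:445",      # blocked, fine
    "2017-05-12T07:44:04Z ACCEPT TCP 10.20.30.40:52000 -> 10.20.30.41:445",   # internal only
    "2017-05-12T07:44:05Z ACCEPT TCP 10.20.30.40:49152 -> 198.51.100.7:443",  # outbound HTTPS
    "2017-05-12T07:44:06Z ACCEPT TCP 203.0.113.77:40000 -> 10.20.30.40:139",  # exposed
    "this line is not a firewall record",                                      # skipped
]

if __name__ == "__main__":
    for (host, port), n in sorted(summarise(find_exposed_smb(SAMPLE_LOG)).items()):
        print(f"{host}:{port} accepted {n} SMB connection(s) from outside")
```

Run against a real firewall’s accept log or exported rulebase, the same filter answers the question the NAO posed: did anything outside the organisation reach port 445 or 139 on an internal host? The internal-to-internal line is deliberately left out of the result because it looks like normal file sharing; once a worm is inside, that is exactly the traffic it generates, which is why patching and perimeter filtering are complements rather than alternatives.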
The NAO has acknowledged that, since then, the NHS has accepted that there are lessons to learn from the incident and has taken action, including writing to every major health body asking its board to ensure that it has implemented all of NHS Digital’s earlier alerts and taken action to secure local firewalls. A case of closing the stable door after the horse has bolted, perhaps – but better late than never.