National Health Service (NHS) and social care organisations in the United Kingdom have long been, and will remain, targets for malicious actors. The nature of their work and the sensitive data they hold make them attractive, and attackers know that the legacy and irregularly patched systems common in healthcare are comparatively easy to compromise. Attackers also reckon that disrupting the IT assets a hospital depends on gives them leverage to get what they want.
These motivations have played out in several ransomware campaigns over the years. In May 2017, for instance, the global WannaCry outbreak disrupted 34% of NHS trusts in England. WannaCry exploited a vulnerability in Microsoft's SMBv1 implementation (patched in MS17-010) to compromise machines and then propagate across the infected network without further user interaction. Years later, malicious actors are deploying ransomware in hospitals faster than against other targets. The Wall Street Journal reported that they do so on the assumption that healthcare organisations are more inclined to pay the ransom in order to keep operating during the coronavirus disease 2019 (COVID-19) crisis.
Speaking of COVID-19…
COVID-19 has had, and will continue to have, a major impact on the IT systems that NHS and similar organisations were running before the pandemic. The crisis has forced these entities to adapt to a new set of digital security challenges in a very short time, including scaled-up connectivity and unplanned hardware and application spending, all while short of budget and staff.
In response, IT teams had no choice but to act immediately on the UK government's work-from-home instructions. Their orders were clear: keep the network running as much as possible and get new hardware and applications to staff as quickly as possible.
That has been a challenging task, and the changes are unlikely to be reversed. Sarah Wilkinson, chief executive of NHS Digital, said as much when she noted that some healthcare technology rolled out at scale in response to the COVID-19 outbreak is "here to stay." She added that the health system will need to review some of its processes to account for the changes introduced by connected medical devices and AI, the cloud and mobile applications that now support new models of care.
Accommodating those changes won't be easy. Organisations will need to implement controls that satisfy multiple regulations and standards at once, so a programme of integrated compliance will be required.
Here's a rundown of just some of the regulations, standards and best practices they'll need to consider going forward:
- The General Data Protection Regulation (GDPR)
- Cyber Essentials, whose five control areas are:
  - Firewalls and boundary security
  - Secure configuration
  - Access control and authentication
  - Malware protection
  - Vulnerability and patch management
- The UK government's Minimum Cyber Security Standard
- The Network and Information Systems (NIS) Directive, whose four objectives are:
  - Manage security risk
  - Protect against cyber attack
  - Detect cyber security events
  - Minimise the impact of cyber security incidents
- Digital service providers are required under NIS to meet a minimum level of security in the areas of:
  - The security of their systems and facilities
  - Incident handling and response planning
  - Business continuity and backup management
  - System and network monitoring, auditing and logging
  - Testing and vulnerability assessment
  - Compliance with international standards such as ISO 27001
Beyond the compliance obligations and best practices listed above, NHS organisations are investing heavily in electronic health record (EHR) and electronic patient record (EPR) solutions.
Recent examples include the HIVE programme at Manchester University NHS Foundation Trust (MFT) and similar investments at University College London Hospitals, Royal Devon & Exeter, Great Ormond Street NHS Foundation Trust and Cambridge University Hospitals NHS Foundation Trust.
As useful as these solutions are, they bring a range of security concerns that need to be addressed, such as:
- Hardening the underlying systems and keeping them aligned with the relevant standards.
- Automating the review of change data from the EHR and the platforms it runs on.
- Visibility into who holds which access privileges.
How Tripwire Can Help
According to statistical research from the University of Portsmouth, UK organisations can prevent more than 80% of cyber attacks by implementing a handful of basic security controls. Evidence that those controls are in place can then be used to achieve Cyber Essentials or Cyber Essentials Plus certification. Gathering that evidence can be a challenge, however, because not every organisation has the time or resources to collect the necessary audit information.
Tripwire can help in that regard. NHS and other healthcare organisations can use Tripwire Enterprise to baseline the state of their IT infrastructure and detect changes from that baseline. The data includes evidence of each asset's configuration status as well as percentage reports of how the environment as a whole measures up against standards such as PCI DSS and ISO 27001. Organisations can also use Tripwire IP360 to identify vulnerabilities across the estate and Tripwire Log Center to establish what an ordinary day looks like in terms of logged activity, so that anomalies stand out.
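As an added illustration of what "baselining" and change detection mean in practice, here is a small file-integrity check written for this page; it is not Tripwire's code and does not use its products. It hashes every regular file under a directory, records the permission bits, reports which files were added, removed or modified since the baseline was taken, and scores the current snapshot against one hypothetical hardening rule (no group- or world-writable files). The directory contents, the simulated drift and the rule are all constructed for the example.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not Tripwire's code: a minimal file-integrity baseline and
# drift report, in the spirit of "baseline the state of the infrastructure".


def snapshot(root):
    """Walk root and record the SHA-256 digest and permission bits of every
    regular file, keyed by path relative to root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(path, root)
            state[rel] = {"sha256": digest, "mode": stat.S_IMODE(st.st_mode)}
    return state


def diff_states(baseline, current):
    """Classify drift between two snapshots as added, removed or modified.
    A change in either content hash or permission bits counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def policy_score(state):
    """Hypothetical hardening rule (assumption for this example): no file may be
    group- or world-writable. Returns (failing paths, percentage passing)."""
    failing = sorted(p for p, v in state.items() if v["mode"] & 0o022)
    total = len(state)
    pct = 100.0 if total == 0 else round(100.0 * (total - len(failing)) / total, 1)
    return failing, pct


def demo():
    """Constructed scenario in a temporary directory: take a baseline, simulate
    drift, and return the drift report plus the policy score."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        # Constructed sample files standing in for system configuration.
        files = {
            "etc/sshd_config": b"PermitRootLogin no\n",
            "etc/hosts": b"127.0.0.1 localhost\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            with open(full, "wb") as fh:
                fh.write(data)
            os.chmod(full, 0o644)
        baseline = snapshot(root)

        # Simulated drift: a config is weakened, a world-writable script appears,
        # and a file disappears.
        with open(os.path.join(etc, "sshd_config"), "wb") as fh:
            fh.write(b"PermitRootLogin yes\n")
        with open(os.path.join(etc, "cron.sh"), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(etc, "cron.sh"), 0o666)
        os.remove(os.path.join(etc, "hosts"))

        current = snapshot(root)
        drift = diff_states(baseline, current)
        failing, pct = policy_score(current)
        return drift, failing, pct


if __name__ == "__main__":
    drift, failing, pct = demo()
    print("drift:", drift)
    print("policy failures:", failing, "| passing:", pct, "%")
```

In a real deployment the baseline would be stored off-box and signed, the walk would be scheduled or driven by filesystem events, and the rule set would be far larger than one permission check; the structure of the report (what changed, and how the estate scores against policy) is the part that maps onto the compliance evidence described above.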
Healthcare organisations also need to address the security risks that come with a newly remote workforce during COVID-19. Tripwire has published a list of best practices for extending corporate security policies and processes to cover remote workers.