Closing the Cybersecurity Gap: Reducing Supply Chain Risks


One year has passed since the crippling ransomware attack on Advanced, a major software provider to the NHS. The attack disrupted the NHS 111 service, the urgent helpline for non-life-threatening situations, and exposed much larger cybersecurity vulnerabilities in the IT infrastructure and supply chain of UK healthcare.

While other industries mainly face financial and reputational damages from cyberattacks, in healthcare the consequences can be devastating. Any attack on a hospital could put patient care and even human lives at risk, so having a robust cybersecurity strategy is mission critical.

Cybersecurity vulnerabilities in the supply chain

Research indicates that nearly half of all healthcare professionals have experienced disruption to patient care as a result of ransomware attacks. And while the UK government has outlined a strategy to safeguard the NHS from cyberattacks, a comprehensive implementation plan has still not been published. Cyberattacks on the healthcare sector show no signs of slowing down. In fact, IBM’s Cost of a Data Breach Report 2023 puts the average cost of a healthcare breach at almost $11 million in 2023, a 53% rise since 2020.

But despite the risks, NHS trusts are still placing too much implicit trust in suppliers to safeguard data, systems, and operations. Our recent Freedom of Information request uncovered that more than a quarter of the trusts that responded have yet to audit their third-party suppliers’ cybersecurity measures. At a minimum, every trust should be carrying out some form of cybersecurity audit of its supply chain and taking steps to mitigate the risk of supply chain attacks.

The financial provisions for cybersecurity are equally concerning. The same FOI data revealed that 47% of trusts have no dedicated funds allocated for cybersecurity, while another 43% have committed less than 1% of their annual budget to this crucial area.

In a sector where the stakes are immeasurably high and the delivery of patient care is critical and lifesaving, a lack of cyber readiness and resilience can have catastrophic consequences. Anything less than continuous, comprehensive scrutiny leaves the door open to attackers, which in 2023 treads dangerously close to malfeasance.

From prevention to survival

For healthcare organisations to truly build cyber resilience, remain compliant, and proactively ensure continuous and consistent patient care, we need to see a paradigm shift in cyber strategy. It’s no longer sufficient to focus solely on preventing attacks; with attacks happening daily, the focus needs to be on survival and maintaining operations even when under active attack.

The starting point is moving to an “assume breach” mentality: an approach that emphasises preparedness, proactively implementing countermeasures both to reduce initial risk exposure and to limit the extent of a breach when one does occur.

“Assume breach” is a fundamental part of a larger shift towards Zero Trust, a modern security model that operates on the “never trust, always verify” principle. With Zero Trust, every access attempt is treated as a potential threat, and both devices and users must undergo stringent authentication before gaining access to medical resources.

A critical pillar of Zero Trust is Zero Trust Segmentation (ZTS) which reduces the attack surface and ensures that an intruder, once inside, remains cut off from vital systems and sensitive data. For example, in a healthcare scenario, ZTS ensures that an initial entry point with a vulnerable third-party provider doesn’t result in the entire hospital (along with life-saving resources) being shut down.

When it comes to implementing a Zero Trust strategy, healthcare organisations must first identify their most critical assets and determine where potential vulnerabilities or communication risks may exist. Especially with the proliferation of medical IoT devices in a hospital setting, knowing what assets are connected in the environment is essential for assessing risk exposure.

From there, institutions can begin to act on minimising their attack surface. With tools like ZTS, they can limit access to vulnerable systems and block attackers from using common communication protocols by adopting an allow-list approach: only explicitly permitted traffic between workloads is allowed, and everything else is denied by default. They can also use context and status information to isolate infected systems, quarantine them during remediation while keeping other services running, and restore full connectivity once the systems are verified clean.
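The allow-list and quarantine behaviour described above, as an added illustration that is not code from the original article or from Illumio: a small label-based segmentation policy evaluator. Workloads carry a functional role label, rules are written against roles rather than IP addresses, any flow without a matching rule is denied by default, and a quarantined workload can only exchange traffic with a hypothetical "remediation" role so that it stays reachable for clean-up without being able to talk to anything else. All workload names, roles, rules and flow log lines are constructed for the example.

```python
"""Toy allow-list (default-deny) segmentation policy with quarantine.

Illustrative only: workloads, roles, rules and flow records are constructed
for this example and do not describe any real hospital or product.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    role: str  # functional label the policy is written against, not an IP


@dataclass(frozen=True)
class Rule:
    src_role: str  # "*" matches any role
    dst_role: str
    port: int
    proto: str = "tcp"

    def matches(self, src: Workload, dst: Workload, port: int, proto: str) -> bool:
        return (self.src_role in ("*", src.role)
                and self.dst_role in ("*", dst.role)
                and self.port == port
                and self.proto == proto)


class SegmentationPolicy:
    # Hypothetical role for forensics / patching hosts that may reach quarantined machines.
    REMEDIATION_ROLE = "remediation"

    def __init__(self, workloads: Iterable[Workload], rules: Iterable[Rule]) -> None:
        self.workloads: Dict[str, Workload] = {w.name: w for w in workloads}
        self.rules: List[Rule] = list(rules)
        self.quarantined: Set[str] = set()

    def quarantine(self, name: str) -> None:
        self.quarantined.add(name)

    def release(self, name: str) -> None:
        self.quarantined.discard(name)

    def decide(self, src_name: str, dst_name: str, port: int, proto: str = "tcp") -> Tuple[str, str]:
        """Return (verdict, reason). Unknown or unlabelled workloads are treated as untrusted."""
        src = self.workloads.get(src_name)
        dst = self.workloads.get(dst_name)
        if src is None or dst is None:
            return "deny", "unknown workload"
        if src_name in self.quarantined or dst_name in self.quarantined:
            # Quarantine overrides normal rules: only remediation tooling may talk to the host,
            # and even that traffic still needs an explicit allow rule.
            other = dst if src_name in self.quarantined else src
            if other.role == self.REMEDIATION_ROLE and any(
                    r.matches(src, dst, port, proto) for r in self.rules):
                return "allow", "quarantine: remediation traffic"
            return "deny", "quarantine"
        for r in self.rules:
            if r.matches(src, dst, port, proto):
                return "allow", f"rule {r.src_role}->{r.dst_role}:{r.proto}/{r.port}"
        return "deny", "default deny (no allow rule)"


def parse_flow(line: str) -> Tuple[str, str, int, str]:
    """Parse a constructed 'key=value' flow record into (src, dst, port, proto)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["port"]), fields.get("proto", "tcp")


def evaluate(policy: SegmentationPolicy, lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Run each flow record through the policy; returns (line, verdict, reason) triples."""
    results = []
    for line in lines:
        src, dst, port, proto = parse_flow(line)
        verdict, reason = policy.decide(src, dst, port, proto)
        results.append((line, verdict, reason))
    return results


def build_demo_policy() -> SegmentationPolicy:
    # Constructed inventory: a vendor gateway is the assumed third-party entry point.
    workloads = [
        Workload("vendor-gw-01", "vendor-gateway"),
        Workload("ehr-app-01", "ehr-app"),
        Workload("ehr-db-01", "ehr-db"),
        Workload("pacs-01", "imaging"),
        Workload("soc-jump-01", SegmentationPolicy.REMEDIATION_ROLE),
    ]
    rules = [
        Rule("vendor-gateway", "ehr-app", 443),   # vendor may only reach the app tier over HTTPS
        Rule("ehr-app", "ehr-db", 5432),          # app tier to database
        Rule("ehr-app", "imaging", 104),          # app tier to PACS (DICOM)
        Rule(SegmentationPolicy.REMEDIATION_ROLE, "*", 22),  # SOC jump host may SSH anywhere
    ]
    return SegmentationPolicy(workloads, rules)


# Constructed flow records, e.g. from a host agent or flow collector.
SAMPLE_FLOWS = [
    "src=vendor-gw-01 dst=ehr-app-01 port=443 proto=tcp",
    "src=vendor-gw-01 dst=ehr-db-01 port=5432 proto=tcp",   # vendor trying to reach the DB directly
    "src=vendor-gw-01 dst=pacs-01 port=445 proto=tcp",      # SMB lateral movement attempt
    "src=ehr-app-01 dst=ehr-db-01 port=5432 proto=tcp",
]


if __name__ == "__main__":
    policy = build_demo_policy()
    for line, verdict, reason in evaluate(policy, SAMPLE_FLOWS):
        print(f"{verdict:5} {reason:40} {line}")
    policy.quarantine("vendor-gw-01")
    print(policy.decide("vendor-gw-01", "ehr-app-01", 443))   # ('deny', 'quarantine')
    print(policy.decide("soc-jump-01", "vendor-gw-01", 22))   # ('allow', 'quarantine: remediation traffic')
```

The point of writing rules against role labels is that the vendor gateway's compromise buys an attacker exactly one permitted path (HTTPS to the application tier) and nothing else; the SMB and direct-to-database attempts fall through to the default deny. Quarantine then removes even that path while leaving a single, explicitly allowed route for the incident responders.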

A way forward

Along with moving towards a more proactive, “assume breach” approach, regular internal and third-party cyber defence testing is essential in cybersecurity strategies to determine cyber preparedness. This ranges from healthcare providers regularly testing their own security stack to regularly evaluating the efficacy of their software providers, particularly for hospitals that have a diverse range of suppliers, from catering to cleaning and ambulance services.

While it would be ideal for all suppliers to undergo comprehensive cybersecurity assessments, the reality is that full evaluation of every supplier is simply not feasible. Suppliers with direct access to hospital systems should face more stringent testing, and at the most basic level, mitigation and least privilege access measures should be in place for any others.

While the goal is to make hospitals as open and accessible as possible, it’s essential that not everyone is granted access to the operating theatre. The same is true of cyber resilience: we need to provide services to everyone but control who can access the most critical assets.

As the healthcare sector continues to undergo massive digital transformation, the attack surface inevitably expands to encompass new medical devices and systems. But while the technology evolves, cybersecurity best practice remains the same: the best way to reduce risk is through good security hygiene, properly implemented. At the very minimum this means regular patching, limiting access to systems and services with tools and technologies like ZTS, and an overarching strategy of least privilege.

With methodologies like Zero Trust in place, healthcare institutions will be better prepared to prevent everyday breaches from resulting in devastating operational impacts and ensure that the risks posed by a vulnerable and ever-widening software supply chain don’t continue to result in widespread disruption to critical health services.

By Trevor Dearing, Director of Critical Infrastructure at Illumio