Healthcare organisations (HCOs) have had a year to remember, and one to forget. Despite an outstanding response to the unprecedented pressures of COVID-19, few will want a repeat show in 2021. In many areas, technological advances hold the key to unlocking much-needed extra efficiencies, cost savings and improvements to patient care. But they also risk exposing hospitals, clinics and other facilities to new cyber-threats. It’s a challenge facing many HCOs, but one organisation that has shown how it can be handled successfully is Nuffield Health.
With plenty of forward-planning and a defence-in-depth approach across all layers of the IT environment, the organisation has become a leading exponent of secure digital transformation in healthcare. From the endpoint to its cloud apps, Nuffield shows that HCOs can modernise IT without inadvertently inviting extra cyber risk.
A lucrative target
HCOs have several characteristics that can make them an attractive target for cyber-criminals. Most have a sprawling IT environment mixing new and old, digital and legacy. This can create major headaches in managing and securing everything. Security and compliance blind spots often appear, sometimes because frustrated employees begin using unofficial tools to bypass ossified processes.
Unpatched vulnerabilities are particularly worrisome. It’s a problem in many organisations, but especially in healthcare, where critical OT equipment like drug infusion pumps and MRI scanners can’t easily be taken offline to test patches. In many cases, they’re running on end-of-life operating systems because newer versions won’t support the equipment. If this happens, there aren’t even vendor patches being produced anymore. In the case of smaller IoT devices, the problem is exacerbated by the fact that endpoints are typically too small to install security software on. Even if an agent can be installed, the vendor may no longer provide support, as the security agent is not certified to work with the device.
Cloud computing is another area of digital transformation which could invite cyber risk. Although it is widely seen as an essential driver of greater IT agility, cost savings and employee productivity, it brings complexity, as well as confusion over who is responsible for security. A recent Trend Micro study of HCOs revealed that 61% claimed that their cloud provider offers “more than enough security” for their data. In fact, under the shared responsibility model, data security is down to the customer.
With three-quarters (74%) of global organisations estimated to have a hybrid cloud strategy, and even more (93%) investing in multi-clouds, this complexity will only increase. It also comes at a time when it’s harder than ever to find the right skilled practitioners to manage these systems securely. A current global shortfall of over three million cybersecurity professionals has made it tough for even organisations with deep pockets to attract talent.
When COVID struck
Make no mistake, patient data is a big draw for financially motivated cyber-criminals. But over the past year it is ransomware that has emerged as the biggest threat. Attacks on global HCOs increased by 45% from September-October to November-December 2020 versus just 22% for other verticals, according to one report which cited ransomware as the main culprit.
Threat actors were typically quickest to react to the pandemic, leveraging the crisis to craft campaign after campaign of phishing emails, designed to lure recipients into clicking through for more news about the virus. Elsewhere they targeted vulnerabilities in VPNs, and hijacked RDP endpoints which were protected by weak or previously breached credentials. Healthcare IT teams were themselves stretched by the constraints of home working and the need to support the newly distributed workforce.
Ransomware knocked out hospitals around the world, including in Germany, where one critically ill patient en route in an ambulance had to be diverted to another hospital. She later died.
A sprawling estate
The stakes for HCOs like Nuffield Health therefore couldn’t be higher. Yet it has been able to manage such risks pretty successfully over the past year, in spite of major digital transformation projects. Nuffield Health’s Head of Enabling IT, Ed Moss, has a large, distributed estate that covers over 300 sites, including: 32 hospitals, 112 fitness & wellbeing centres, seven clinics and multiple corporate locations. There are 14,500 employees and a further 20,000 consultants and instructors to manage.
The pandemic forced the organisation to accelerate some of its planned IT modernisation projects to rapidly support things like digital consultations and online exercise classes. That meant more cloud infrastructure and applications to secure, alongside legacy systems and software which are difficult to upgrade.
Advanced multi-layered protection
Consolidating on Trend Micro for everything, Nuffield Health has benefitted from several innovations in cybersecurity. Virtual patching capabilities, for example, were a great way to protect its legacy servers from both known and unknown threats, while waiting for an official patch to be released. Next, the Trend Micro Cloud App Security (CAS) platform was brought in to enhance the built-in protection offered by Microsoft 365. While good, the latter still misses millions of threats each year that are caught by CAS, including sophisticated phishing attempts.
Nuffield Health complemented these tools with advanced protection at the endpoint (Apex One) and network (Deep Discovery Inspector). The final piece of the puzzle was outsourcing its Secure Operations Centre (SOC). A SOC is a crucial component of cybersecurity strategy for most mid-to-large sized organisations. But it’s increasingly difficult to find the right skills and the funding for what needs to be a 24×7/365 operation. Trend Micro Vision One offers managed XDR for correlated threat detection and response across the entire IT environment, meaning faster response times, improved protection and simple integration into third-party tools like SIEM/SOAR.
Nearly 90% of respondents to our global HCO study said the pandemic had accelerated cloud adoption. It’s unlikely the healthcare sector will reverse these investments, especially when an ageing population and the prospect of endemic COVID-19 will put increasing pressure on vital services. Technology holds the key to the future of healthcare. But security-by-design is an essential pre-requisite.
Article by Bharat Mistry, Technical Director at Trend Micro