Cyber criminals attack firms across every part of the UK economy, with no exceptions. Healthcare organisations, both public and private, are a highly targeted part of this. These companies handle a vast amount of information about the users of their services, which is a valuable asset to those with ulterior motives. In addition, the services delivered by these companies are time-sensitive, meaning organisations are seen as more likely to pay up in the event of a ransomware attack in order to resume normal operation, particularly as any disruption could present a health risk for service users.
The financial and reputational impacts of a successful security breach are unquantifiable, and can be crippling for companies of any size, making any investment in cyber security a valuable one. If organisations are aware of the risks, they are able to be proactive in taking measures to mitigate them, which is a far easier approach than responding to a successful attack. Nevertheless, good cyber resilience involves having a response plan so that, if the worst were to happen, there are steps to follow.
What are the vulnerabilities within the healthcare sector?
One vulnerability within healthcare organisations is the number of electronic devices in operation, each of which can act as an access point for criminals. Armis Security estimated that there are around 25,000 devices running on any single hospital network globally, every day. Many of these electronic devices, such as cameras and scanners, operate totally unmonitored, either incapable of running security software or using out-of-date versions, despite the fact that they are connected to the internet. This lack of cybersecurity can be exploited by criminals, who compromise such a device and use it as a gateway into the wider network. Armis Security submitted FoI requests to the NHS, and of the trusts that responded, one in five used spreadsheets to manually track any devices added to their network, whilst almost one in six devices were not monitored for any cybersecurity risks at all.
Another vulnerability, one of the biggest and most targeted, is the people within an organisation. Many cyber-crimes rely on social engineering, tricking somebody into making one decision that allows criminal infiltration. Most commonly this happens through phishing, often by email, where attackers craft a message prompting the recipient to download an attachment or click a malicious link. This may install malware or take the user to a convincing page that asks them to input their personal details. Whilst some phishing attempts are obvious, criminals can go to great lengths to formulate highly convincing phishes, with names, information and requests that appear genuine at first. While this problem is impossible to eradicate completely, there are basic cyber practices and common phishing features that staff can be made aware of, and this awareness can transform your workforce into an effective barrier against these cyber threats.
What would Security Awareness Training (SAT) do for me?
The ECRC offers Security Awareness Training, a service delivered by students working as part of the CyberPATH programme. Through CyberPATH, students are trained and monitored by senior ethical hackers to provide a selection of cyber services to businesses, which supports the future cyber talent pipeline and keeps the cost to a minimum. Most people working outside of cybersecurity do not necessarily know what to look for, nor what to do if they see something that does not look right. With SMEs being an additional target for criminals, SAT is an affordable tool to bolster cyber resilience across your organisation.
Security Awareness Training can be delivered as either a full-day or half-day session and is tailored to the needs of its specific audience. It is designed to be contextually relevant and accessible for all abilities. For a healthcare organisation, this could be education on what sort of scams are targeted towards the sector, as well as what good cyber practice at work looks like. If all staff are aware of the common features of phishing attempts, they will be less likely to click or download anything and more likely to report it. Furthermore, if your organisation develops a clear policy on online activity, staff will know what they should and should not do on their work network, and will feel supported in questioning suspicious activity and challenging any bad practice they see.
Armis Security visited hospitals in North America after a series of cyber-attacks and discovered that staff were unknowingly doing things that made the attackers' job much easier. In one instance, they were operating CT scanners through computers that used Windows 7, which is out of date, and checking their personal emails on the same computer. In another instance, staff were streaming Netflix on the same computer that ran an MRI machine. Without training, these staff cannot be expected to know that any of this behaviour puts their hospital at risk. Out-of-date operating systems are not equipped to manage emerging cyber threats, and accessing a personal email inbox opens opportunities for malware to be installed on a critical computer. Accessing websites like Netflix is an indication of unrestricted internet access, meaning an insecure website could be visited that causes malware to be downloaded. Effective training changes these behaviours and makes people aware of why their cyber practice matters, massively reducing the risk of a successful attack.
The reality is that cyber-crime is a massive issue and a problem that directly affects those working in the healthcare sector. The threat landscape is continually changing and there is no way to remove all attack risk; however, education and training are among the best ways to transform the people of your company from a risk into a defence, particularly when phishing accounts for the vast majority of reported cyber-attacks. You cannot expect people to know what they do not know, but SAT is one way to fill that gap and reduce the vulnerability of your organisation.
What should I do now?
Signing up as a free member of the ECRC ensures you are supported in making impactful choices to improve your cyber resilience. Our free membership enrols you onto our ‘Little Steps’ programme, a weekly email series delivering informative and proactive steps into your inbox, designed to be succinct and accessible. Our communications also signpost you towards the free resources that exist to support SMEs with their cybersecurity needs, which can be accessed from our website.
As well as SAT, the ECRC offers a handful of other affordable cyber services, all delivered by CyberPATH students. These are ideal for SMEs and are a great step for those who want clarity on their current cybersecurity position, in terms of existing vulnerabilities and the subsequent steps to manage them.
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress) please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day 7 days a week.
Reporting a cyber-attack which isn’t ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).