When the WannaCry ransomware struck the UK’s National Health Service (NHS) in May 2017, locking thousands of doctors and medical practitioners out of their computer systems, the finger of blame was widely pointed at underfunding of healthcare infrastructure.
But the ransomware attack also exposed the skewed priorities of the UK government when it comes to cybersecurity and data protection.
The current UK administration has a bee in its bonnet about basic online privacy protections. It has repeatedly accused encrypted messaging services like WhatsApp of aiding terrorism – claiming the inability of authorities to hack into and read any electronic communication they choose puts national security at risk.
As Home Secretary, current PM Theresa May pushed through some of the most repressive and authoritarian online surveillance powers seen anywhere in the world in the form of the Investigatory Powers Act 2016, the so-called Snoopers’ Charter.
And yet while it obsesses over its powers to snoop and intrude on what ordinary citizens do online, the UK government is apparently happy to let frontline public services continue to operate badly outdated IT systems which leave them vulnerable to cyber crime.
This was what left the NHS so vulnerable to WannaCry. The worm spread by exploiting a flaw in the SMBv1 file-sharing service built into Windows, a vulnerability Microsoft had patched for supported versions of Windows as MS17-010 in March 2017, two months before the attack. Windows XP, which Microsoft stopped supporting in April 2014, did not get that fix until Microsoft issued an emergency patch after the outbreak had begun. Any machine that had not applied the March patch was just as exposed, supported or not, but unsupported systems had no patch to apply at all. In 2015, 90 per cent of NHS trusts were still running XP, by then almost 15 years old.
When WannaCry struck, thousands of NHS IT systems had no protection. Doctors and medical practitioners had to resort to arranging appointments and updating patient records with paper and pen, leading to massive delays as the whole system was slowed to a crawl.
The UK is far from alone in its neglect of IT security in healthcare. In the US, hacks of patient records rank second only to business data theft in terms of the overall number of data breaches. Complacency and negligence have led to healthcare IT becoming a soft touch for hackers. That should be a massive concern for all of us.
Why digital security matters in healthcare
In truth, the NHS did not become WannaCry’s most high-profile victim by design. Ransomware attacks like WannaCry are indiscriminate. The point is simply to cause maximum disruption across as many systems as possible by encrypting users’ files and locking them out of their own IT systems, then charging a ransom for the decryption key.
Most cyber attacks on the healthcare industry are by contrast very deliberately targeted. Gangs have been known to single out healthcare service providers to steal credit and debit card details from point of sale terminals, simply because they tend to have poorer security than, say, retail systems.
Lax security also makes healthcare systems a target for identity theft. This was the main motive behind the 2015 hacking of US medical insurance provider Anthem, which saw the personal details of nearly 80 million customers stolen.
No medical records were taken in the Anthem hack; the stolen data was the names, dates of birth, social security numbers and addresses that identity fraud relies on. But the black market for stolen medical data has become highly lucrative, adding a sinister twist to healthcare data breaches. It has, for example, been suggested that Chinese hacking gangs have stolen X-ray records to sell to patients with lung conditions such as tuberculosis, to help them obtain permits to leave the country.
Medical records are highly valuable for hackers on the black market.
Other potential uses for stolen medical records include cheating a mandatory workplace drugs test with a faked urine or blood screening result, or, more sinister still, faking a diagnosis in order to make fraudulent insurance claims.
Even more alarming is the potential for cyber criminals to hack networked medical devices. Critical medical equipment such as ventilators, MRI scanners, lasers and surgical robots is increasingly being connected to hospital networks. But this creates additional vulnerabilities. Hackers looking to steal data know that networked equipment is often the weakest point, with security treated as an afterthought. As with many IoT devices, they look to exploit that weakness to plant malware and gain a foothold from which to reach the wider system.
These vulnerabilities can also be exploited purely for the sake of disrupting critical services. If an activist group or a nation state wanted to cause havoc somewhere, knocking out medical equipment with a malware attack would be very effective. Imagine the panic and the threat to patient safety if automated drug-dispensing machines, or surgical robots, were taken over remotely. Once compromised, the devices can also be herded together into a botnet to deliver distributed denial of service (DDoS) attacks elsewhere.
The security of healthcare IT systems matters to every one of us. Your medical records are now stored, shared and used digitally, so the risks go well beyond financial or identity theft. As things stand, with the issue apparently way down the list of government priorities, sensitive information about your health and medical history is at very real risk of falling into the wrong hands. Fake insurance claims made against your records could come back to haunt you, invalidating genuine claims you make in future.
At worst, interference with or theft of medical records could lead to serious errors being made in your healthcare on the basis of wrong information, or critical action not being taken at the right time because doctors are missing a vital piece of information. At this point, healthcare data security becomes a matter of life or death.
Governments the world over need to wake up to this reality and reset their priorities on cybersecurity to include healthcare. Here is what needs to happen:
- Funding needs to be made available to update health service IT systems so avoidable incidents like the WannaCry NHS attack do not happen again.
- The outdated bureaucracies which have a stranglehold on public health administration and resources need to be modernized so IT provision can become agile and efficient enough to respond to rapidly changing cybersecurity threats.
- Cybersecurity planning, and IT resourcing in general, for public healthcare services needs to be centralized and uniform. Leaving it up to local providers means there is no real oversight of where the vulnerabilities lie.
- Strategies need to be put in place to keep medical data secure as it is passed between practitioners and agencies. Hospitals, local surgeries, pharmacies, insurers and many more all routinely share patient records as part of day-to-day care, and these days most of it is done electronically. To keep patient data safe at each hop, strong access controls need to go hand in hand with encryption of the data in transit, so that a record can be read only by the organisation it was sent to and only by the staff there with a reason to see it.
- System monitoring and analytics software needs to be used to keep track of who is accessing patient data. With so much information passing digitally through so many hands, and with cyber-attacks growing ever more sophisticated, human oversight alone cannot keep tabs on what is happening. Automated analysis of record-access audit logs, on the other hand, can process enormous streams of events in real time, spotting anomalies in use and access (an account opening far more records than its job requires, or reading them outside the hours it works) that flag up potential breaches fast enough to take preventative action.
- Finally, all organisational and technological remedies need to go hand-in-hand with thorough training in digital security for all healthcare professionals. The stakes are so high that this should be considered part and parcel of patient safeguarding, and must be driven by regulation.
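As an added illustration of what the automated monitoring in the list above means in practice (example code written for this page, not software used by the NHS or by any vendor), the following Python script runs two simple anomaly rules over constructed record-access audit log lines: one flags a role reading records outside its working hours, the other flags an account opening more distinct patient records within a rolling hour than its role should need. The log format, the user and patient identifiers, the role names and the thresholds are all hypothetical assumptions, and the sample log is constructed rather than taken from any real system.

```python
"""Rule-based anomaly detection over EHR record-access audit logs.

Assumed, hypothetical log format, one record-access event per line:
    <ISO-8601 timestamp> <user> <role> <patient_id> <action>
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumed policy thresholds (hypothetical numbers, to be tuned per organisation):
# how many distinct patients one account may open within a rolling hour before
# the pattern looks like bulk export rather than patient care.
DISTINCT_PATIENT_LIMIT = {"clinician": 30, "billing": 10}
DEFAULT_LIMIT = 10
WINDOW = timedelta(hours=1)
# Roles that have no business reason to read records outside office hours.
OFFICE_HOURS_ONLY = {"billing"}
OFFICE_START, OFFICE_END = time(7, 0), time(19, 0)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse audit lines into events, oldest first. Malformed lines are errors:
    an audit trail with holes in it is itself a finding, so they are not skipped."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, user, role, patient, action = fields
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return sorted(events, key=lambda e: e.ts)


def detect_anomalies(events: list[AccessEvent]) -> list[tuple]:
    """Return alerts as (rule, user, timestamp, detail) tuples, in time order."""
    alerts = []
    recent: dict[str, deque] = defaultdict(deque)  # user -> events inside WINDOW
    seen_out_of_hours = set()  # (user, date) pairs already reported
    seen_bulk = set()          # users already reported for bulk access
    for ev in events:
        # Rule 1: a role that only works office hours reading records at night.
        in_office_hours = OFFICE_START <= ev.ts.time() < OFFICE_END
        if ev.role in OFFICE_HOURS_ONLY and not in_office_hours:
            key = (ev.user, ev.ts.date())
            if key not in seen_out_of_hours:
                seen_out_of_hours.add(key)
                alerts.append(("out_of_hours", ev.user, ev.ts.isoformat(), ev.patient))
        # Rule 2: too many distinct patients touched within the rolling window.
        window = recent[ev.user]
        window.append(ev)
        while window and ev.ts - window[0].ts > WINDOW:
            window.popleft()
        distinct = {e.patient for e in window}
        limit = DISTINCT_PATIENT_LIMIT.get(ev.role, DEFAULT_LIMIT)
        if len(distinct) > limit and ev.user not in seen_bulk:
            seen_bulk.add(ev.user)
            alerts.append(("bulk_access", ev.user, ev.ts.isoformat(), len(distinct)))
    return alerts


# Constructed sample log (not data from any real system): normal daytime clinical
# use, plus one billing account walking through patient records one after another
# at two in the morning.
SAMPLE_LOG = "\n".join(
    [
        "# ts user role patient action",
        "2017-05-12T09:01:10 dr.patel clinician P1001 view",
        "2017-05-12T09:05:42 dr.patel clinician P1002 view",
        "2017-05-12T09:30:05 dr.patel clinician P1001 update",
        "2017-05-12T10:12:00 nurse.lee clinician P1003 view",
        "2017-05-12T10:14:20 nurse.lee clinician P1004 view",
        "2017-05-12T11:00:00 admin.kim billing P1005 view",
    ]
    + [f"2017-05-12T02:{m:02d}:00 admin.kim billing P2{m:03d} view" for m in range(12)]
)

if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

Run as a script, it reports one out-of-hours alert for the billing account at 02:00 and one bulk-access alert ten minutes later, once that account has opened its eleventh distinct record, while the daytime clinical use produces nothing. The two rules are deliberately crude; a real deployment would baseline each account's normal behaviour and cross-check accesses against the patient's care team. But the shape of the job is the same: ingest the audit trail, keep a rolling view of each account's activity, and alert on deviation from what its role should need.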