Health cyber-attacks lead to dozens of NHS data breaches, new data reveals

Cyber-attacks on the health sector have led to more than 400 personal data breaches since 2018, according to the Information Commissioner’s Office (ICO), the UK’s privacy watchdog.

Freedom of information requests sent to the ICO and all NHS hospital trusts reveal hacking incidents at hospitals and clinics, with one describing itself as under ‘continuous attack’ and Walton Centre NHS trust reporting an unsuccessful ransomware attempt.

Attacks are either specifically targeted at the sensitive health sector or opportunistic, said Dr Saif Abed, Director of Cybersecurity Advisory Services at the AbedGraham Group, a consultancy. In opportunistic attacks, such as 2017’s WannaCry ransomware which encrypted the systems of many organisations, including 81 NHS trusts, criminal gangs spray malware widely, knowing that “they only need to be successful once to be really disruptive,” said Abed.

Ireland’s health service (HSE) said last week that services continue to be ‘severely impacted’ by a targeted ransomware attack that began on 14 May and shut down their entire network. Infected HSE servers only began to be brought back online after the ransomware gang voluntarily handed a decryption key to Irish authorities, who refused to pay the ransom demand.

Dr Simon Woodworth, Director of Cyber Risk for Business at Cork University, said even with the decryption key so many aging and underfunded HSE systems collapsed that paying the ransom demand, rumoured to have been US$20 million, would not have reduced the estimated €100-500 million cost of the attack.

US company Colonial Pipeline recently paid a $4.4 million ransom, while the world’s largest meat processing company, JBS, paid $11 million in June. “The incentives for a victim to pay are absolutely immense,” said Emily Taylor, Chief Executive of Oxford Information Labs and editor of the Journal of Cyber Policy. “If you’re in organised crime, why wouldn’t you be in cyber? You get economies of scale, transaction costs are almost zero and you don’t have the same risks as with offline crime. You don’t have to worry about violence or going to prison, because the chances are you will never be brought to justice.”

Sometimes cyber-attacks result in unauthorised access to or theft of patient data. Freedom of information data reveals that, following cyber-attacks, private healthcare providers notified 111 breaches to the ICO, secondary care providers such as NHS hospitals suffered 50 attacks, while GPs reported 14 incidents.

In Ireland the HSE attack resulted in sensitive data on about 520 patients being published on the dark web. According to Woodworth, a good quality stolen health care record can fetch $1500 in the US. They are sold on by attackers and the end-user then fraudulently obtains private health care or sometimes blackmails patients, said Woodworth.

Abed worries the next wave of attacks won’t be about shutting down whole systems or stealing data. “Instead of just making systems unavailable, what if you mixed all the clinical data together? So imagine, taking lab data and shuffling it between patients or resetting early warning systems to normal. That’s really insidious because unless someone notices something’s off and raises the clinical alarm bell that’s really scary.”

These incidents, which Abed terms ‘clinical integrity extortion attacks,’ could move from theory to reality in coming years. He points to a study from Ben Gurion university in Israel where researchers created malware that put fake cancer nodules on CT scans, fooling specialists into thinking they were looking at genuine clinical results.

Many NHS bodies were unwilling to reveal information, saying that national security and crime prevention considerations prevented them from answering freedom of information requests about the numbers of cyber-incidents. However, other NHS bodies answered freely. For example, Bradford District Care NHS trust said it had experienced ten cyber incidents over the past three years, including one malware, three hacking, and two phishing attempts, while Birmingham Community Healthcare NHS trust reported 50 incidents to the Department of Health and 24 to the ICO.    

Taylor said that it was revealing that no consistent approach had been agreed between hospital trusts on what they say about cyber-attacks. “Victims of cyber-attacks feel ashamed. But this isn’t their fault. They are victims of crime. There needs to be more transparency as that drives the right kind of change.”

She believes there needs to be a move to protection coupled with resilience, as some attacks will always get through defences. “You are never going to be 100% protected, instead you have to make sure you can recover.” Amid many cancelled appointments, Irish hospitals reportedly resorted to pen and paper, just as NHS staff did during the 2017 WannaCry attack.

While the UK government blames North Korea for the WannaCry attack, many others originate from Russia, where organised gangs are tolerated by the authorities in return for never attacking Russian targets and occasionally being used as guns-for-hire in offensive cyber warfare. Woodworth said that the Irish government approached the Russian embassy during the recent attack. Although the Russian government offered their help, according to Woodworth, authorities viewed this as a double-edged sword as Russians and other state actors were interested in getting a toehold in the Irish data economy, where about 30% of all Europe’s data is stored, as many internet giants such as Google and Amazon operate large data centres in the Republic.
