According to data obtained by the BBC, “NHS hospital trusts in England reported 55 cyber-attacks in 2016” – 16 more attacks than in 2015. However, NHS Digital claims that this number doesn’t represent an increase in the actual number of attacks, but an increase in the number of reported attacks. Despite this claim, the information that came to the surface following the recent WannaCry attack gave us a clear indication that hospitals were not doing enough to protect themselves from cyber-attacks. And, with plans to make all patient records digital by 2020, the data-security risks will only become greater.
So, what steps can hospitals take to protect themselves from future attacks?
The first and most obvious solution would be to hire more security specialists, which will, of course, cost money. While this may not be a bad idea, Oliver Farnan of the Oxford Cyber Security Centre argues that “Money is only really spent on security once everything else is up and running and in place… it always comes second.”
With this in mind, let’s take a look at some alternative strategies:
Backup and Restore
This is fairly obvious, yet it is still one of the most effective steps that hospitals can take to protect themselves from future ransomware attacks. After all, ransomware attacks only really exist on the premise that someone, somewhere, is willing to pay the ransom. Adopting an effective system for backing up data will render such an attack useless. It is also important to have a well-rehearsed data recovery plan in place. In the event of a cyber-attack, hospitals should be able to get the system up and running again within minutes.
Create a security culture
Educating staff members about cyber-security is also one of the most important steps any organisation should take in protecting their sensitive data. It is also one of the least expensive steps to take. Creating an effective security culture is largely about conditioning, in that staff members need to be habitually vigilant in spotting potential security threats, whilst still being able to perform their duties without interruption.
Keep track of everything!
It is imperative that hospitals can answer critical questions about “who, what, where and when” changes are being made to sensitive data. They will need to be able to track when sensitive data is copied, moved, deleted, renamed, accessed and created. They will need to know when user accounts are modified or deleted and be able to detect and manage inactive accounts. They will need to track privileged mailbox access, ensure that passwords are regularly rotated, spot anomalous logon failures and detect changes to user permissions. Additionally, hospitals must utilise “threshold alerting” to help prevent the spread of ransomware. For example, if ransomware is renaming multiple (or all) files in a drive, a real-time alert should be sent to the administrator. Also, if a proportionally high number of specified events occur over a short period, an automated response should be initiated. This could be in the form of an alert or the execution of a custom script. A custom script can be used to disable a user account, change firewall settings, stop a specific process or shut down the entire server. For hospitals to detect and respond to changes in this manner, they will need to adopt a sophisticated auditing and monitoring solution, such as LepideAuditor.
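As an added illustration of the threshold alerting described above (this is example code written for this article, not LepideAuditor's own logic), the script below reads constructed file-audit events, fires once a single account exceeds a set number of rename events inside a sliding time window, and hands the alert to a hypothetical response hook; the user names, paths and the `respond` function are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail (not real hospital data): timestamp, user, action, path.
# nurse01 renames two files minutes apart (normal work); admin07 renames seven files
# in nine seconds, the pattern of ransomware rewriting a share.
SAMPLE_EVENTS = """
2017-05-12T09:00:01 nurse01 READ   /records/patient_1001.docx
2017-05-12T09:00:05 nurse01 RENAME /records/patient_1001.docx
2017-05-12T09:03:10 nurse01 RENAME /records/patient_1002.docx
2017-05-12T09:10:00 admin07 RENAME /records/patient_2001.docx
2017-05-12T09:10:02 admin07 RENAME /records/patient_2002.docx
2017-05-12T09:10:04 admin07 RENAME /records/patient_2003.docx
2017-05-12T09:10:05 admin07 RENAME /records/patient_2004.docx
2017-05-12T09:10:07 admin07 RENAME /records/patient_2005.docx
2017-05-12T09:10:08 admin07 RENAME /records/patient_2006.docx
2017-05-12T09:10:09 admin07 RENAME /records/patient_2007.docx
"""

def parse_event(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, path

def threshold_alerts(lines, action="RENAME", limit=5, window=timedelta(seconds=60)):
    """Return (user, timestamp, count) for each user the first time they exceed
    `limit` events of `action` within any `window`-long period."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        ts, user, act, _path = parse_event(line)
        if act != action:
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > limit and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, len(q)))
    return alerts

def respond(alert):
    """Hypothetical automated-response hook: a real deployment would run the custom
    script (disable the account, stop the process); here it returns the intended action."""
    user, _ts, _count = alert
    return f"disable-account {user}"

if __name__ == "__main__":
    for alert in threshold_alerts(SAMPLE_EVENTS.splitlines()):
        print(alert, "->", respond(alert))
```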
Mobile device security
Staff members need to be made aware of the security risks associated with using mobile devices in the workplace. After all, such devices have a tendency to get lost or stolen. Additionally, social engineering attacks can be effective regardless of what device you are using. Hospitals should also implement a data classification system that can be used in conjunction with Data Loss Prevention (DLP) software to ensure that sensitive data is not allowed to be shared outside of the hospital’s IT network. Likewise, specialised encryption software can be used to ensure that sensitive data is automatically encrypted as it moves around the network, as well as outside of the network. Ideally, mobile devices should not be able to connect to the hospital’s main network.
Keep physical devices secure
Hospitals may have the most sophisticated cyber-security software that money can buy, but if someone is able to walk in and download information from, or simply steal, an unattended desktop PC, it’s not going to help that much. Hospitals may want to consider using cable locks, motion-sensing alarms, or DLP software, etc. Additionally, it may be a good idea to disable drives/ports to prevent people from copying data onto USB drives, etc.
There are many other things that hospitals can do to protect themselves from cyber-attacks; not all are mentioned here, and some are easier to implement than others. Perhaps one of the simplest steps mentioned in this article can also be the most powerful – that is, deploying a change auditing solution, like LepideAuditor, to keep track of all unwanted or unauthorised changes taking place to systems and data.