Healthcare sector cyber update
Olly Jones, Head of Research
The UK healthcare sector is currently regarded as the sector most at risk from cyber attacks. This follows a report by data security provider Clearswift which revealed that last year in the UK, 67% of healthcare organisations experienced a cyber security incident. To illustrate just how heavily targeted the healthcare sector is in comparison to others, further research from the US has shown that healthcare was also the most breached industry in the first quarter of 2020, accounting for 51% of all breaches, followed by banking with only 13%.
Why target healthcare?
Even before the start of the COVID-19 pandemic, healthcare was regarded as the most at-risk sector for a number of reasons. The sector’s main attraction to cyber criminals is the large amount of sensitive personal data that healthcare organisations hold, in addition to the perception that many healthcare organisations are running inadequately protected systems. This perception was reinforced in the UK by the success of the WannaCry ransomware worm against the NHS in 2017.
Criminals targeting the healthcare system typically conduct ransomware and data theft attacks, taking advantage of the high intensity and high urgency of the sector. They know that these features will predispose victims towards “paying up” in order to protect patients and restore operations quickly.
Despite an unwritten pledge from cyber criminals at the start of the pandemic that they would not attack the health system, this has proved too much for them to resist and we have seen increasing attacks across the sector in 2020. Not only have they taken advantage of the public’s thirst for COVID information by using it as the subject lure for hundreds of new phishing campaigns, but they have also exploited the unfamiliar home-working environment, improving their chances of success because people working remotely are more distracted, anxious, isolated and stressed, and less familiar with their tools.
COVID-19 cyber security challenges
Since the start of the pandemic, many new cyber security challenges and threats have emerged due to the significant changes made to the way people work. While many companies were already working towards digital transformation—increasing their capability for a more flexible and remote workforce—the outbreak accelerated the rate of change and forced organisations to adapt immediately. Other impacts we have seen, which we will cover in more depth later, include:
- An increased Bring Your Own Device (BYOD) security risk
- Many COVID-19 themed spear phishing attacks focussing on subjects including fake pandemic news, payroll, HMRC, Netflix, Zoom and WebEx
- A significant rise in Business Email Compromise (BEC) fraud scams
We will explore some of these issues in more detail below.
The challenges of remote working
As already mentioned, remote working has increased significantly since the start of the COVID-19 crisis. The number of people working from home is estimated to have increased five-fold and—overnight—organisations have been forced to provide employees with remote access to sensitive company data, most likely via less secure personal devices and home Wi-Fi networks.
The increased demand for remote working presents a significant challenge for IT security teams, firstly from an enforced rush to adopt cloud-based applications, but also partly due to the migration of personal practices and behaviours into the corporate ecosystem. However, one of the main issues is the Bring Your Own Device (BYOD) risk, where workers use personal rather than corporate-issued devices to work remotely because corporate assets are not available. The risk is exacerbated because many of the policies and procedures that were designed for an office-based environment—and not a home-working or hybrid environment—now have gaps or different vulnerabilities which can lead to additional errors being made. This not only increases the risk of technical attacks against less well protected personal devices, but the immediate changes in working practices also impose significant challenges for security teams trying to maintain compliance with regulations such as the GDPR.
In terms of mitigating the threats, the most crucial element is to promote and practise good cyber security hygiene, such as disabling remote desktop services unless they are required and maintaining increased vigilance to ensure only approved users can connect to remote services. As with every online user, organisations should enforce the use of strong passwords and two-factor (or multi-factor) authentication on connections, whether they are made via a corporate device or BYOD.
Ransomware criminals home in on healthcare sector
While it was hoped that healthcare may be given some respite while it dealt with the COVID-19 pandemic, many unscrupulous criminals quickly began leveraging the virus to continue their ransomware attacks—such as COVID-19 themed phishing campaigns.
As well as directly exploiting people’s thirst for information about the virus itself, the subjects of their malware-infected messages include online streaming services and video conferencing firms such as Zoom and WebEx which have become increasingly popular in recent months. Criminals have also tried to exploit people’s concerns about their job security and income during the lockdown by sending messages about payroll information and HMRC tax rebates.
Such attacks have also diversified, in that the delivery of malware not only includes a strain of ransomware, but also additional malicious software that can enable the attackers to monitor the target network and potentially exfiltrate sensitive data. This threat of a potential data leak is increasingly used by criminals to exert further pressure on a victim who may not immediately pay out an initial ransom demand.
Users should be aware of the heightened threat of these suspicious messages and be extra vigilant on what links and attachments they click on.
BEC fraud is up 200%, but what is it?
Also known as CEO or Wire-Transfer Fraud, Business Email Compromise (BEC) fraud is an attack where CEOs, senior executives and financial representatives are targeted with fraudulent emails. The email invariably contains a request for an urgent financial transaction that is made to look like it is from a known senior executive or supplier. Typically, the message also contains an element of urgency to pressure staff into authorising a payment, such as landing late on a Friday or close to a payment deadline.
As cyber security awareness and knowledge of such scams improves, you would expect the success rate of these attacks to be limited. However, the number of groups conducting them is growing, and in April and May alone the volume of BEC campaigns increased by 200%. The healthcare sector has also been specifically targeted by criminals during the COVID-19 pandemic in the hope that vigilance may be reduced because many organisations have been placing focus on acquiring PPE, ventilators and other critical equipment.
The key to mitigating this threat is through improved user awareness and vigilance in ensuring that correspondence involving any change to invoice payments is properly verified by the recipient.
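As an added illustration (not part of the original article or the author's own tooling), the following heuristic scores an inbound message against the BEC traits described above: a known executive's display name arriving from an external address, a redirected Reply-To, urgency wording, a payment or bank-detail change, and late-Friday timing. The executive list, domains and sample message are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed placeholders standing in for the organisation's own directory.
INTERNAL_DOMAIN = "example-trust.nhs.test"
EXECUTIVES = {"jane doe"}
URGENCY = ("urgent", "immediately", "today", "asap", "before close")
PAYMENT = ("invoice", "bank details", "wire", "transfer", "payment", "account number")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_bec(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for a raw RFC 5322 message; higher is more suspicious."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    reasons: list[str] = []
    # A known executive's display name, but the address is outside our domain.
    if name.lower() in EXECUTIVES and _domain(addr) != INTERNAL_DOMAIN:
        reasons.append("executive display name from external address")
    # Replies silently redirected to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != _domain(addr):
        reasons.append("reply-to domain differs from sender domain")
    # walk() yields the message itself for single-part mail, so this covers both.
    body = " ".join((p.get_payload(decode=True) or b"").decode(errors="replace")
                    for p in msg.walk() if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY):
        reasons.append("urgency language")
    if any(w in text for w in PAYMENT):
        reasons.append("payment or bank-detail change requested")
    try:  # late-Friday arrival is a pressure tactic the article calls out
        sent = parsedate_to_datetime(msg.get("Date", ""))
        if sent.weekday() == 4 and sent.hour >= 16:
            reasons.append("sent late on a Friday")
    except (TypeError, ValueError):
        pass
    return len(reasons), reasons

# Constructed sample showing every indicator; score_bec(SAMPLE) -> (5, [...]).
SAMPLE = """From: Jane Doe <jane.doe@mail-example.test>
Reply-To: jane.doe@reply-example.test
Subject: Urgent: updated supplier bank details
Date: Fri, 05 Jun 2020 17:12:00 +0100

Please action this invoice payment before close today using the new account number.
"""
```

A non-zero score is a prompt for out-of-band verification of the payment request, not proof of fraud.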
Talk to us about how we can help you address these threats.
We know every organisation is different, which means the solutions to these and other digital security challenges will be specific to them. We don’t believe in exorbitantly expensive blanket solutions; and can help you find the right mix of technical and human controls to address the concerns you have in these difficult times. We can also assist you with your annual DSPT submission.
Talk to us about how we can help, via: