Written by Kate Dadlani, Head of Security Advisory Services, Logicalis
Cybercrime is without a doubt a national-scale issue, with the current cost to the economy estimated at £27bn. This cost is only expected to increase, especially with the growing adoption of hybrid working, the continuation of the skills shortage and the ongoing war in Ukraine. When combined, these circumstances have created the perfect storm for state-sponsored cyber-criminals to target unpatched vulnerabilities within the public sector – specifically health services like the NHS.
As an organisation with such a large target on its back, the NHS must prioritise a robust cybersecurity strategy. The healthcare sector handles a lot of sensitive data, making it a goldmine for hackers. Cybercriminals are intelligent, and always one step ahead. The challenge for the public sector is to ensure it's prepared to prevent or quickly overcome vicious attacks thrown its way.
Is a repeat of the WannaCry crisis on the horizon?
Back in 2017, the WannaCry attack brought the NHS to its knees by exposing an unpatched hole in the network. During the WannaCry outbreak, NHS England reported that at least 80 out of the 236 trusts were affected, in addition to 603 primary care and other NHS organisations, including 595 GP practices. A report also found that this cyber-attack was estimated to have cost the NHS around £92m. Ultimately, a cyber-attack committed by cyber-criminals on the NHS can lead to potentially fatal consequences, with devastating economic damage.
The likelihood of another attack is high – not only because the NHS is an integral organisation in the UK, but also because the NHS is heavily reliant on technology. The digital revolution has opened a gate to more efficient operations, whether surgical or administrative. With so many employees and potential points of entry, the NHS will always be attractive to state-sponsored cyber-attacks.
It’s extremely important the NHS has a strong defence. This year, the ICO reported a steady and significant increase in attacks against UK organisations over the past two years. For all industries, it’s a matter of ‘when’ they’ll experience an attack, not ‘if’. Therefore, the NHS must have the ability to quickly overcome any attacks which fall through the gaps.
The NHS’ own staff pose a threat
NHS England encourages its administrative staff to make the most of the flexible working styles offered to them. Whilst this type of working model can boost retention, contribute to good well-being and ultimately improve patient care, it also poses a new security challenge. The NHS workforce has a larger surface area than ever, again creating multiple points of entry.
People can now work from wherever, whenever, whether from their kitchen table or their favourite local café. However, home and public Wi-Fi networks do not offer the same protection as office routers. Public Wi-Fi can leave the individual completely exposed to threats. Everyone has the ability to look at the sites others are accessing unless extra security precautions are taken. Furthermore, with staff working away from the office, organisations have less oversight into what websites employees are accessing, dramatically increasing the likelihood that employees are accidentally clicking malicious sites.
Moreover, doctors and nurses are preoccupied with saving lives and carrying out their roles to the best of their ability. They’re understandably not thinking about how they can ensure they’re keeping themselves safe against attack when doing tasks like paperwork.
Creating a more diligent workforce
One of the best answers to a better-protected NHS is a better cyber-educated workforce. Employees need to learn what risks they pose just by carrying out their day-to-day working tasks. With public sector staff being so busy, it’s difficult to even give this a second, or even first, thought. With phishing scams becoming more of an issue, they could simply create a vulnerability just by replying to a scam email.
There’s a misunderstanding that cyber-attacks are carried out by nerdy teenagers, hacking websites just for fun. But state-sponsored attacks are on the rise. Technology, whilst being able to elevate our quality of life, also has the potential to ruin it. All NHS employees, including doctors and nurses, need to be educated on cyber security.
It is important to remember that cybercriminals are cunning. They will create minor distractions to trick organisations into thinking they are well equipped to deal with an attack. Meanwhile, the hackers will fully immerse themselves in another vulnerable entry point in a network, granting them access to sensitive data.
Educating NHS staff on how intelligent hackers are and how cyber-crime is now being carried out as a service would benefit the organisation greatly. The NHS must increase its defences by developing its coordination, being aware of which machines connect to what, upgrading old systems and persistently patching where needed.