In 2017 Daniel Brodie began studying the now-infamous WannaCry attack, which impacted hospitals worldwide. As his research progressed, one theme became obvious – facilities routinely deployed hundreds of medical devices on their networks with minimal security protections. Fueled by the challenge of securing healthcare and insight from family members in the medical field, Daniel and Leon Lerman co-founded Cynerio in 2018 with a simple goal – to secure every IoT, IoMT, OT and Unmanaged IT device in healthcare environments.
Daniel recently shared his thoughts on the growing adoption of security technologies in the NHS, why healthcare is a primary target for hackers, and how generative AI will alter the future of cybersecurity for everyone.
What motivated you to focus on securing healthcare?
Daniel Brodie: Prior to co-founding Cynerio I had quite a few years of experience in the cybersecurity industry, both from offensive and defensive sides. As I worked in industries ranging from mobile cyber security to malware detection, it became more and more obvious that incredible technologies were being created, but those technologies were rarely used in a way that provided benefits to the greater good.
At the same time, cyber attacks on healthcare facilities were starting to become more common. As I learned more about those attacks, including WannaCry, the opportunity to create real value in the form of innovative technologies that would help protect real people became very enticing. Soon after, Leon and I took a chance and started Cynerio, because we truly believed that we could quickly and effectively build a company that protected patients and the facilities they rely on.
Your team recently published a study on the state of NHS Trust cybersecurity. What did the study find?
Daniel Brodie: Our team is really proud of the NHS Trust Security report we published earlier this year because it helps provide real numbers to the trends everyone knew were happening but were struggling to convey. The report studied 35,000 devices at 14 NHS Trusts, resulting in some really eye-opening findings.
First, the good. Since the UK was hit so hard by WannaCry in 2017, there has been an understandable hesitance in onboarding connected devices. So the rates of connected devices like Infusion Pumps or CT machines with critical risks or known vulnerabilities are lower than what we’ve seen globally.
Unfortunately there is also bad news. Nearly half of the 35,000 devices (46%) still had at least one known risk, and nearly 12% had one or more critical risks. And in all likelihood those numbers are going to rise. The understandable hesitation to connect devices is noticeably going away. Driven by improved patient care and easier device management, the connection of devices is expected to increase significantly. Because of this our team projects that the risk rates seen globally will be seen in NHS Trusts by the end of 2024.
Why are healthcare facilities considered prime targets for cyber attacks?
Daniel Brodie: It’s no mistake that these attacks increased soon after WannaCry spread globally. That attack did not focus on healthcare, but the impact it had on hospitals showed attackers how little effort was required to exploit decade-old vulnerabilities in the industry.
At the end of the day, ransomware attackers take a very business-like approach and calculate cost versus value. In this case, it’s the cost of their time versus the amount of money they can collect from victims in the form of ransom payments or sales of patient data on the black market. So, if you’re looking at it from a purely business perspective, the weak protections of healthcare environments compared to other industries provide many low-cost, high-value ways to drive revenue. As long as healthcare is the easiest way to drive revenue we will continue to see a bullseye placed on the industry.
What do you see as the biggest cyber challenges facing NHS Trusts today?
Daniel Brodie: NHS, and the global healthcare vertical in general, are at a very important intersection in terms of adopting new technologies for patient care and experiencing evolving attacks. The connectivity of medical devices is driven by the positive impact on patient care. By providing more accurate data in a more timely manner, caregivers provide better care more quickly and more accurately than ever before.
But this connectivity is also introducing new attack vectors never before considered. To further complicate matters, it’s very common for these medical devices to have the ability to communicate with other systems in a hospital, ranging from patient admission to human resources. The results of this unbound connectivity can be devastating, resulting in one compromised device being responsible for widespread outages within a matter of hours.
Of course, all of these challenges stem from one main issue – a widespread lack of resources. A lack of expertise, funding and investment has left healthcare environments among the most immature in the world. Until the resourcing issue is addressed it’s going to be difficult to improve protections.
Where have you seen the biggest improvements while working with the NHS?
Daniel Brodie: Open communication to evolving challenges has been key. As individual team members have more openly discussed the types of attacks they experience, the impact of those attacks, and how they can be avoided, individual leaders have begun to better listen. This open communication has had a cascading effect where more discussions lead to better understanding, and in many cases better funding.
Of course, there is still a long road ahead of us, but in most cases the days of ignoring cybersecurity teams appear to be behind us. Now the real work can begin.
You speak frequently about the future of Generative AI in healthcare. How do you see it impacting cyber protections going forward?
Daniel Brodie: Generative AI (GenAI) really helps target one of the biggest challenges we mentioned in healthcare – a lack of resources. As GenAI is adopted across a number of verticals, we’re quickly realising the ability it has to close the gaps seen with personnel and time. A number of routine technical tasks that were once done manually are starting to see huge benefits with the application of GenAI. From analysing risk to stopping cyber attacks, this is going to allow smaller teams with limited training and funding to do much more in healthcare environments.
Relative to other industries, we’re also seeing faster improvements with GenAI due to the similar nature of the environments it’s operating in. Where more commercial and industrial environments must account for wide ranging, unpredictable factors, the more predictable nature of healthcare environments is allowing for more focused and effective adoption of this new technology.
What’s the one piece of advice you have for NHS Trust employees searching for ways to improve protections?
Daniel Brodie: Cybersecurity projects take time. The earlier you start, the quicker you’ll begin to benefit from the efforts. Even if you don’t have the full team, budget or technologies in place, kickstarting efforts today will almost always result in improved protections tomorrow. Even better, these efforts will better inform the larger projects as the resources are made available.
When people ask how they can learn more about securing healthcare environments, what resources do you provide them?
Daniel Brodie: We’re starting to see governments provide really valuable resources to the global healthcare community. For example, in the US both CISA and the FDA have recently released valuable healthcare-specific guidance in the form of playbooks, guidance and even legislation. In the UK we’re also seeing approaches like the Data Security and Protection Toolkit (DSPT) which has proven to be a valuable first step on the evolving journey of securing patient care.
Of course, all responsibility doesn’t fall on government bodies. Improving protections will require the combined efforts of private organisations, public facilities and government bodies. In the UK our team has been particularly impressed by the communication between members of individual NHS Trusts. This cross-collaboration should be further fostered and as much knowledge as possible captured in an effort to shift from the efforts of small groups to widespread adoption of best practices.
—
About Cynerio
Cynerio has one simple goal – to secure every IoT, IoMT, OT and IT device in healthcare environments. With capabilities ranging from microsegmentation and improved device insight to identifying exposed ePHI and stopping ransomware, Cynerio provides the technology and expertise needed to protect hospitals from a variety of cyberattacks. Learn more about Cynerio at cynerio.com or follow us on Twitter @cynerio and LinkedIn.