
Featured interview: “All it takes is one misconfiguration to make a device vulnerable” Chad Holmes, Cynerio

HTN sat down for a chat with Chad Holmes, security evangelist for Cynerio, to talk all things cyber security in the healthcare space.

Cynerio focuses specifically on cyber security within healthcare environments. Its initial focus was Internet of Things and Internet of Medical Things devices: identifying every device in an environment and finding ways to secure them. The company has since expanded its scope to include guarding against ransomware attacks and protecting patient data.

Chad explained that his role sees him collaborating with a wide range of people on research aimed at protecting the healthcare community, as well as taking the findings from that research and using them to support and educate others. “Effectively, I act as a conduit to the broader healthcare community on how to better secure their environments.”

Notable attacks, and their impacts

Chad stated that the UK has been “ground zero” for a number of cyber security attacks, including the WannaCry ransomware attack in May 2017. “It encrypted 70,000 devices from CT machines to IV pumps and everything in between. It was a wake-up call not just for the NHS but for the whole world, because it really outlined how vulnerable our healthcare environments are.”

Since then, Chad said, there have been “ongoing and consistent attacks – they have typically been mistaken for bad luck, a case of an attack happening to target a healthcare system. But the more we learn, the more we understand that these are specified, focused attacks.”

He noted the recent Synnovis attack, covered previously by HTN, and said: “That took a couple of hospitals out of service for a while and impacted 1,400 operations and 4,900 outpatient appointments, with 400 gigabytes of data exfiltrated.”

Then there was the attack on the University of Manchester, Chad continued, where the hacking of the university compromised a research project utilising NHS records; this led to the leak of around one million patient records. Another attack saw Barts Health NHS Trust lose seven terabytes of patient data, whilst in Scotland, NHS Dumfries and Galloway suffered a ransomware attack in March this year.

“The reality is that this is not a lack of luck. We are the least protected industry. We have a pathway to money for hackers. They are coming after us, and they are coming after us hard.”

Chad reflected: “There’s a message I always try to give out, and it sounds bad but it’s true; things are going to get worse before they get better. In six months’ time, the Synnovis attack will be old news because something bigger will have happened. I’ve been saying this for three years, and each year I’ve been right, because we continue to see bigger and harder attacks.”

On the impact of these attacks, Chad acknowledged the “huge” financial and privacy factors at play. However, he said, there is an impact on patients that he believes the industry should be more aware of.

“There can be a misconception that hackers will get patient data and use it to target individual people and cause harm in their life. In reality, there are probably only 25 people in the whole world who are at risk of something like this – heads of state, for example.”

However, he said, cyber attacks do cause higher mortality rates – and the impact is more significant than it would be if they were targeted against one specific person. “When you take hospitals out of service, whether it be because of a natural disaster or a power outage or a cyber attack, mortality rates go up. We have seen this with previous cyber attacks in healthcare environments. So the attacks do impact patient safety and patient lives; not directly, but because of the collateral damage associated with a cyber security breach.”

The wider trend

Looking to cyber security in healthcare across Europe, the UK and the US, Chad said: “We have all connected our devices to a high level because they provide patient care. An IV pump that is connected to the hospital network allows a nurse at their station to make checks from one central location rather than repeatedly checking on a number of different rooms. That clearly improves care.”

However, he said, healthcare systems have largely put these devices online in unprotected ways; often lack the resources to secure them; and have displayed, in some cases, increased willingness to pay ransoms.

“When we look at the broader healthcare community through this lens, we start to see that the places with the most money – particularly healthcare environments which are commercial – are the most heavily hit. Last year, in the US, one in three patient records were exposed due to cyber attacks; that’s estimated to be 118 million people.”

Chad referenced the Change Healthcare attack from earlier this year, which took Change Healthcare – a subsidiary of global health company UnitedHealth – offline and created a backlog of unpaid claims. “This attack alone exposed the same number of records,” he said. “Last year, those figures marked an all-time high; this year, a single attack led to the same numbers.”

The ENISA Threat Landscape from the European Union Agency for Cybersecurity reports on the state of the cybersecurity threat landscape in the EU and neighbouring countries. “From 1 January 2021 to March 2023, they tracked down 215 publicly-reported healthcare incidents – not all necessarily cyber security incidents, but events which were reported and tracked. Half of these incidents focused on hospitals, half on doctors’ offices, clinics and so on. The report indicates that the leading countries being targeted and breached were France, Spain and Germany. It’s very clear that the hackers have picked out countries where money may be available either through selling data on the black market, executing a ransomware attack and getting a ransom paid, or in some cases, going through the data to find people who are known to be rich and extorting them. They’re nasty, but they’re not stupid; they’re following a clear path and focusing their efforts.”

What can be done?

Chad shared his view that cyber incidents in healthcare should be given more coverage in the media and between healthcare systems in order to support preventative education. “When we see an individual breach that impacts patients, like cancelled appointments, that individual breach gets coverage. But very rarely do we get in-depth details about what happened with that breach; why it happened; and how other trusts can protect themselves.”

There are existing vulnerabilities that should be common knowledge, Chad added. “For example, roughly half of the IV pumps connected within healthcare networks have known critical vulnerabilities. Also, healthcare networks tend to be unsegmented. That means that if a Tesla gets on the network – which is incredibly common – and that Tesla somehow communicates with a CT machine, there is now a direct entry point into the hospital environment. We also know that there are old technologies everywhere, such as old operating systems like Windows 7 and Windows 10 which are not replaced because of the cost, and which bring vulnerabilities into the system. That’s one of the key challenges in this space – we have old technology trying to protect against new attacks.”

At organisation level, healthcare providers often lack the teams, time and resources to do enough about these challenges, he said, even though the consequences can be severe. “We have our hospitals, our trusts, in place to provide care. We don’t want them to have to be cyber security experts, but we are living in times which require trusts to have some cyber security expertise on the team. There’s no way that we are going to poach those experts from higher-paying industries, there’s just no competition if it comes down to finances. But this is our biggest challenge, ultimately; the lack of funding, training and knowledge. We need to find a way to get people to focus on this, and money is usually at the root of that.”

There’s room for improvement in procurement too, he added, commenting that the process often involves completing a basic checklist and taking supplier claims about security on trust rather than carrying out due diligence.

“Procurement needs to do a better job at validating the level of security on devices, but organisations also need to extend those practices to ensuring proper deployment and routine checks to the highest security standards. Ultimately, even if a device was perfectly secure and unhackable – and no device is – all it takes is one misconfiguration to make it vulnerable.”

Supporting guidance

Looking firstly at the UK, Chad observed that hospital IT teams within the NHS often comprise a small number of professionals with a specific remit, and noted that the government has stepped in to provide guidance such as the Data Security and Protection Toolkit and the Cyber Security Assessment Framework.

“The framework provides a very clear, well-defined set of actions that people can start to take to protect their environments. It covers four pillars: managing risks, protecting against attacks, detecting attacks and minimising impact. It’s not perfect, but we have to stop letting perfect be the enemy of good. It provides guidance that people can start working practically against – that’s good.”

Chad commented on the ICB and ICS structure within the NHS and highlighted how this makes it possible for trusts within a specific footprint to adopt the same core set of standards and then work regionally to implement them. Cynerio has recently started working with Cheshire and Merseyside ICB, covering 17 trusts and serving nearly three million people; he explained that the overarching ICB’s role has been to identify the needs of all 17 trusts and then procure software from Cynerio to help them.

“When you combine that regional approach with the steps outlined in the Cyber Security Assessment Framework, it provides a strong path forward to start adopting modern technologies at a quicker pace.”

On a global level, Chad highlighted two efforts from the US and EU respectively. “In the US, there are the Cyber Security Performance Goals. Instead of the four pillars we have essential goals and enhanced goals; effectively what you should be doing today, and what you should be doing in the future. I highly recommend that healthcare professionals look into those.”

In the EU, there is the NIS2 directive, which aims to put specific security practices in place and achieve a high common level of cyber security across a number of sectors including healthcare.

“Taking a step back, we can see three sets of guidance coming out of three developed regions; and they are giving very specific actions that are very powerful.”

Short-term actions

To conclude, we posed a question to Chad: what actions do you think are most needed in health and care cyber security in the short term?

Chad said: “The first thing I would recommend is that people look at the essential category in those Cyber Security Performance Goals from the US. They are the bare minimum you should have in place for any environment, healthcare or otherwise. Regardless of your geographic area, those essential goals will give you ten very basic and very achievable checks.

“This leads to a bigger window of opportunity to adopt new technologies. At Cynerio, we really recommend implementing network detection and response (NDR) tech. If we take ransomware attacks as an example; these attacks can get in, get hold of a lot of data and encrypt a lot of devices. Most trusts have built an outer shell of firewalls, but they aren’t really actively looking for what is going on underneath those firewalls. NDR technology like we offer at Cynerio watches hospital traffic and identifies malicious activity. Cynerio’s benefit here is that because we are healthcare-focused, we can identify around 150 more protocols, so we can achieve a deeper vision.”

People should start putting NDR products in place to detect and respond to activity, Chad recommended, calling it “a lightweight activity with huge reward”.

From there, he continued, bigger efforts could include identifying exposed patient data; making sure there is a full automated inventory of devices and strong patch management; and segmenting networks, so if something does get in, it doesn’t spread to the rest of the environment.

“Network segmentation is where the really big win is,” Chad concluded, “but we have to put protections in place as we are working towards that stage.”