
HTN Now: combatting ransomware in healthcare with network detection and response technology

A recent HTN Now webinar saw Chad Holmes, security evangelist for healthcare-focused security company Cynerio, deliver a presentation on how healthcare organisations can combat ransomware with network detection and response (NDR) technology.

Chad discussed some high-profile cyber attacks and their impacts, the limitations of current defences, and provided insight into NDR technology and how it can help organisations protect patients, systems and finances.

The problem

Chad started by highlighting how healthcare is a prime target for cyber attacks, stating that on a global level, hospitals are estimated to experience a cyber attack every 6.8 minutes. “Not every attack is successful – a lot are identified and stopped. But when you have this level of attacks, it is inevitable that they evolve over time, becoming more mature and powerful.”

The UK, according to the statistics Chad cited, had the eighth-highest number of reported incidents in Europe between 2021 and 2023. Of the healthcare-focused attacks in Europe over that period, he explained, more than half targeted hospitals, with the remainder aimed at clinics, practices and other settings.

“The WannaCry attack in 2017, and the clear focus on the NHS, has contributed to a slower onboarding of new technologies in this area than many areas and countries, particularly the United States,” he said. “That slower level of adoption has actually increased NHS protection against cyber attacks in some regards, because attackers haven’t been given as many entry routes into the NHS because there hasn’t really been a huge surge in technologies. However, adoption of devices is accelerating, because there are significant benefits to be found for patient care. But it’s important to bear in mind the other side of that coin – they do also introduce more risk.”

Cynerio estimates that the number of NHS devices with critical risks is expected to increase five times over in the coming years, based on comparative research with the US and other countries.

“The really scary thing is that when a cyber attack hits a healthcare organisation like a hospital, in-hospital mortality rate increases by up to 35 percent,” he said. “When we think of the real risk of a cyber attack, we need to acknowledge the impact of outages and delayed care.”

Attacks and impacts

Chad shared some more insight into the WannaCry attack, which he described as “hitting the whole world but with a very clear focus on the NHS”. The overall cost to the NHS was estimated to be around £92 million.

“At the time, it was earthshaking – nobody thought that attacks would turn on healthcare, or that the cost of recovery would be so high. But it painted a certain picture for attackers. They quickly realised that healthcare has vulnerable environments that can be exploited, and that those environments could lead them to money. They are completely motivated by money – their motive is purely to drive revenue. Patient data can’t be cancelled like a credit card once you realise it’s been stolen, and its identifying data can help in committing fraud. So it’s incredibly valuable on the black market; we estimate that a single record can be sold for between £40 and £200, in comparison to a social security number here in the States which can be sold for around £1. And that’s not the only way they can make money – there are ransom payments too.” In the US, the ransom is paid around half of the time, leading to a loss of $80 million in 2023 alone. “Ransoms should never, ever be paid – but if people think that there’s a small chance that paying will help them restore the care they desperately need to give, they might do it.”

Chad moved on to highlight the increasing trend for cyber attacks against healthcare systems, including the 2021 attack against Ireland’s Health Service Executive which encrypted 80 percent of its IT systems and led to outages lasting five months.

“From there, we saw acceleration in these attacks,” Chad said. “From the research I referenced earlier, we know that there were 215 healthcare-related events in the EU and neighbouring countries between 2021 and 2023. I believe that in truth the figures are probably three or four times higher than that, but these are the ones which were publicly reported.”

From 2023 the number of attacks kept rising, including one against Barts Health NHS Trust which saw seven terabytes of data exposed, affecting 2.5 million patient records. A further 1.1 million patient records were exposed by an attack on the University of Manchester, which was undertaking research with the NHS at the time.

Attacks so far in 2024 have included three terabytes of data exposed from NHS Dumfries and Galloway, and the recent attack against Synnovis which impacted healthcare organisations in London. Attackers reportedly demanded $50 million and exposed 400 gigabytes of data, leading to an estimated 6,000 appointment and procedure cancellations.

“I want to be very clear about this – Synnovis is not the last attack. Six months from now, we will likely look back and think the attack on Synnovis is fairly small in scale. The reality is that hackers have found very vulnerable environments that lead to money, and they will continue to hammer on the healthcare systems – particularly in countries that they deem to have access to higher funds.”

Medical engineers, and the adoption of healthcare security

“We have to think about the teams on the ground,” Chad stated. “We usually have IT teams and security teams in place, but they are often under-staffed and over-stretched.”

He highlighted the importance of roles such as medical engineers, as they “are becoming more and more focused on cyber security – not as a priority in their role, necessarily, but because of their role’s overlap with cyber security”. For example, Chad noted that the priorities of medical engineers can include the safety, security and reliability of devices; equipment repair; and implementing security controls.

“They are the ones who are actually working on the ground, laying hands on devices. They are interacting with technology in a way that means, if they are given more information and more support, they are well-placed to make those devices better secured than they are today.”

Security teams, Chad continued, tend to focus on areas such as automated security analysis and guidance; real-time inventory and visibility; and device, network and usage insight.

“All of this to say – when security teams are feeling the pressure, it’s worth remembering that your organisation does have people who are working with devices on a daily basis, just not in the security team. Of course, they have their own roles and they’ll be busy too; but you can always try to find efficiencies.”

Chad noted that people often believe they have already invested enough in securing their trust, with measures such as firewalls, data encryption, anti-phishing tools, an incident response plan, patching and updates, cyber training, and more; and that this should therefore be sufficient.

“Despite their best efforts and investments, we continue to get attacked, so what we need to realise is there is a difference between what is necessary and what is sufficient. We lay down the framework for good security practices, but it’s not sufficient for protecting against modern day attacks. Effectively we are battling against brilliant cyber attackers. They’re awful, they’re exploitative people; but they are very intelligent and they have the tools and capabilities to attack systems in a way that we struggle to defend against.”

Therefore, Chad said, healthcare organisations should look to examples of good cyber security in other industries and also to other healthcare organisations who are doing a better job, in terms of the make-up of their teams and the expertise they bring in as well as the tools they use.

“Leading environments in this space are extending the practices we have in place, not replacing; and they are enhancing their capabilities.”

Catching the critical moments

“There are critical moments within each of these attacks – if we are looking for them, because the traditional systems we have in place are not – that can be used to stop an attack before it spreads.”

Devices that people don’t think to check such as treadmills, finance PCs and vendor laptops can all become infected, as well as devices such as microbial detection units which do not even necessarily have a screen or a user interface.

“There’s no magic solution to secure all environments completely, but if we put an additional layer of detection in place and then respond quickly to incidents that are detected, we can likely stop attacks from spreading,” Chad explained. “If an infected treadmill is detected, it might take a couple of hours to be quarantined and reset, and that’s a much better outcome than the attack spreading from the treadmill to the entire hospital.”

Developing guidance

Chad noted that attacks tend to drive developments and improvements in global guidance. WannaCry occurred in May 2017; in April 2018, the UK brought out the Data Security and Protection Toolkit and the first version of the Cyber Assessment Framework. He also highlighted the Cyber Security Performance Goals from the US, which set out essential goals and enhanced goals.

Commenting on the Cyber Assessment Framework in particular, Chad highlighted two of the framework’s four pillars: detecting cyber security events, and minimising the impact of incidents.

“That’s exactly what NDR technologies are built to do,” he stated. “They’re not going to solve all your problems, but they are going to help with the two pillars of detection and response.”

Extending protections with NDR

NDR tech is designed to monitor network traffic, and detect and respond to threats.

“A physical appliance sits in your network and monitors copies of your traffic. It doesn’t interfere with traffic flow, it doesn’t slow down the network. It doesn’t send patient data outside your walls. It just sits there and monitors, and when unusual traffic enters the environment, the NDR detects it and sends it off for further analysis,” Chad explained.

Commenting on the limitations of traditional tech, Chad pointed out that although these technologies can be valuable, they work by looking for specific signature patterns within networks, which limits their scope. They can also be noisy, resource intensive and add further burdens to over-stressed teams. “Ultimately,” he said, “they don’t provide the level of analysis needed to keep up with modern attacks.”

Emerging detection and response technologies, by comparison, are “highly automated and integratable” and offer a reactive method of protection.

“Proactive is good, but it can also take longer and be more resource-intensive,” Chad added. “Detection response can offer protection from the day it is installed.”

By focusing on network traffic, NDR can help organisations detect risks such as anomalies, lateral movement, ransomware, data exfiltration, and other attacks that may not be visible at device level.
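The three network-level detections named above (lateral movement, data exfiltration and a device behaving out of profile, such as the screenless microbial detection unit mentioned earlier) can be illustrated with a small detector run over connection summaries of the kind an NDR appliance builds from a mirrored copy of traffic. The following is an added example written for this write-up; it is not Cynerio’s code nor anything presented in the webinar. The address ranges, port list, thresholds, window length, device roles and all flow records are constructed assumptions for illustration.

```python
"""Added example: three NDR-style detections over constructed flow records.
Flows mimic the connection summaries an NDR builds from mirrored traffic
(src, dst, port, bytes). Addresses, thresholds and devices are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed hospital address plan: anything in these ranges is "inside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Ports commonly used to hop host-to-host (SMB, RDP, SSH, WinRM) - assumed list.
LATERAL_PORTS = {445, 3389, 22, 5985}
FANOUT_THRESHOLD = 5                        # distinct internal targets per window
FANOUT_WINDOW_SECS = 300
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # bytes out to the internet, per host


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent src -> dst


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_lateral_movement(flows, window=FANOUT_WINDOW_SECS,
                            threshold=FANOUT_THRESHOLD):
    """One internal source touching many internal hosts on admin ports in a short window."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in LATERAL_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append((f.ts, f.dst))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        peak = 0
        for i, (t0, _) in enumerate(hits):   # sliding window starting at each hit
            targets = {dst for ts, dst in hits[i:] if ts - t0 <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            alerts.append({"type": "lateral_movement", "src": src,
                           "distinct_targets": peak})
    return alerts


def detect_exfiltration(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Unusually large outbound volume from one internal host to external hosts."""
    out_bytes = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out_bytes[f.src] += f.bytes_out
    return [{"type": "exfiltration", "src": src, "bytes_out": total}
            for src, total in out_bytes.items() if total > threshold]


def detect_device_anomaly(flows, baseline_peers):
    """A fixed-function device talking to a peer it never spoke to during baselining.

    baseline_peers maps device IP -> set of peer IPs seen in a clean learning
    period; each unexpected (device, peer) pair is reported once."""
    seen, alerts = set(), []
    for f in flows:
        if f.src in baseline_peers and f.dst not in baseline_peers[f.src]:
            if (f.src, f.dst) not in seen:
                seen.add((f.src, f.dst))
                alerts.append({"type": "device_anomaly", "src": f.src,
                               "dst": f.dst, "dport": f.dport})
    return alerts


# Constructed sample: 10.0.5.20 plays the "infected treadmill"; 10.0.7.30 a
# microbial detection unit whose only legitimate peer is lab server 10.0.2.10.
T = 1_700_000_000
SAMPLE_FLOWS = (
    [Flow(T + i * 10, "10.0.5.20", f"10.0.1.{i + 1}", 445, 4_096) for i in range(6)]
    + [Flow(T + 120, "10.0.5.20", "203.0.113.7", 443, 700 * 1024 * 1024)]
    + [Flow(T + 30, "10.0.7.30", "10.0.2.10", 443, 2_048),
       Flow(T + 90, "10.0.7.30", "10.0.5.20", 445, 1_024)]
    + [Flow(T + 45, "10.0.9.40", "198.51.100.5", 443, 120_000)]   # benign browsing
)
BASELINE_PEERS = {"10.0.7.30": {"10.0.2.10"}}


def run_all(flows=SAMPLE_FLOWS, baseline=BASELINE_PEERS):
    return (detect_lateral_movement(flows)
            + detect_exfiltration(flows)
            + detect_device_anomaly(flows, baseline))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Run as a script it prints three alerts: the treadmill fanning out over SMB to six internal hosts inside the window, the same host pushing 700 MiB to an external address, and the detection unit opening SMB to the treadmill, a peer outside its learned profile. The benign workstation’s browsing produces nothing. In a real deployment the thresholds would be tuned per network, the baseline learned over weeks rather than hard-coded, and each alert would feed the quarantine-and-reset response Chad describes; the point of the example is only that all three signals are visible from traffic alone, without an agent on the device.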

Chad also commented on the other tech possibilities in this space, including endpoint detection and response technology (EDR), which focuses on endpoint devices such as workstations, laptops or mobiles, and is designed to analyse data focusing on individual devices; and extended detection and response (XDR), which consolidates data sources for analysis and provides a holistic view to identify broader attacks. There is also managed detection and response (MDR), which means provision of outsourced services; people with expertise to help roll out these technologies.

“Every environment is different, and everyone is comfortable with different technologies. There isn’t one specific way to adopt these technologies, but if you start to understand the difference between them, you’ll get an idea of what is the best solution for your environment.”

From his own perspective, Chad said that he tends to prefer to roll out NDR first, “because it gives immediate, easily deployable benefits whilst you look at the other options – but again, what you do is unique to your environment.”

Highlighting that the Cynerio team can always sit down with people to talk about their own specific environments and provide advice on the best roll-out strategy, Chad added that the team has also developed an NDR buyer’s guide which provides a tech overview, insight into functional details, and highlights how the tech can help to address healthcare challenges. More information can be found on Cynerio’s website.

Thank you to Chad for sharing his experiences and insights. The full webinar is available to watch online.