The NHS needs to embrace artificial intelligence (AI) and improve security across the supply chain to protect it from cyber criminals, experts said this week following news that yet another attack led to two of England’s ambulance trusts having to resort to paper-based patient records.
Tech leaders spoke out after reports that both South Western Ambulance Service Foundation Trust (SWASFT) and South Central Ambulance Service Trust (SCAS), which together serve around 12 million people, were targeted by online criminals.
Both organisations use Swedish firm Ortivus’s MobiMed software, which was affected in an attack on 18 July.
And, while the company claimed no patients had been directly affected, electronic patient records were unavailable and manual systems had to be used.
A sitting duck
Neither ambulance trust has commented on the ongoing situation and it is as yet unclear what type of attack the company suffered.
However, the reports have led to renewed warnings from technology experts, who fear the health sector will continue to fall victim to hackers if improvements to security are not made.
The nature of the data held in the healthcare sector means it is an incredibly-tempting target for cyber criminals and, when the attack comes via a third party, too often healthcare organisations are left defenceless
Speaking to BBH, AJ Thompson, chief commercial officer at Northdoor, said: “Although at this stage there is little other information about the hack, or how much data has been stolen, it does highlight the increasing threat from supply chain attacks, particularly for those organisations in the healthcare sector.
“The nature of the data held in the healthcare sector means it is an incredibly-tempting target for cyber criminals and, when the attack comes via a third party, too often healthcare organisations are left defenceless.
“No matter what budget is spent on cyber frontline defences, attacks via the supply chain negates all investment as essentially the cyber criminal is entering through an open back door.”
Increasing the risk
He added: “The result of a data breach is not just potential loss of sensitive data and the resulting reputational damage that healthcare organisations have to consider.
“The recent IBM Cost of a Data Breach Report has shown that healthcare data breach costs have increased 53.3% since 2020 and the sector reported the most-expensive data breaches at an average cost of $10.93m.
This latest attack, and the fact that ambulance services have had to resort to paper-based records, has highlighted just how vulnerable organisations remain to a supply chain attack
“This is a huge amount of money and at a time when budgets are stretched more than ever before it can have a catastrophic impact on frontline services.”
On the Ortivus attack, he said: “This latest attack, and the fact that ambulance services have had to resort to paper-based records, has highlighted just how vulnerable organisations remain to a supply chain attack.
“This approach from cyber criminals is only going to increase over the coming months, because it is just so effective and allows them access to huge organisations without attempting to navigate their frontline defences.
“Therefore, healthcare organisations have to place as much emphasis on their supply chain defences as those on the frontline.
“Healthcare organisations tend to have long, complex supply chains and ensuring that your partners’ defences are up to scratch can seem a daunting, if not impossible, task.”
The role of technology
But AI technology could hold the answer.
“Some solutions, using AI, can provide a 360-degree view of possible vulnerabilities within a partners’ supply chain, allowing healthcare organisations to talk to partners and ensuring they are closed before cyber criminals take advantage,” Thompson said.
“Unfortunately, this is unlikely to be the last supply chain hack on a healthcare organisation we will see in 2023.
Some solutions, using AI, can provide a 360-degree view of possible vulnerabilities within a partners’ supply chain, allowing healthcare organisations to talk to partners and ensuring they are closed before cyber criminals take advantage
“However, with technology available to help identify vulnerabilities, organisations can start to fight back against an increasing-determined and sophisticated cyber criminal.”
The latest incident comes a year after the Advanced ransomware attack, which crippled the NHS 111 service.
The attack, which saw client patient management solutions and the NHS 111 services taken offline, highlighted the ongoing risks for the health sector.
In June and July of this year cyber security company, Illumio, reached out to UK NHS trusts under the Freedom of Information Act 2000 to ask about supply chain security.
And more than a quarter (28%) of those that responded admitted to conducting no audits of their third-party suppliers’ cyber security measures in the past 12 months.
Plugging the gaps
Trevor Dearing, director of critical infrastructure at Illumio, comments: “The NHS is doing its best to maintain a high level of patient care and safety, yet a year on from the Advanced attack there are still critical gaps in supply chain security which is exposing the NHS to unnecessary risk.
Attackers know they can increase efficiency and profitability by compromising the supply chain, so trusts must assume a breach will come from one of their suppliers and mitigate risk accordingly
“One of the best security models for improving cyber resilience is ‘zero trust’ because it is based on the mantra of ‘never trust, always verify’.
“And the same ethos must apply to the supply chain – attackers know they can increase efficiency and profitability by compromising the supply chain, so trusts must assume a breach will come from one of their suppliers and mitigate risk accordingly.
At a very minimum, he advises, all trusts should be doing some form of cyber security audit on their supply chain and taking steps to mitigate risk against supply chain attacks.
This should encompass any supplier with connectivity to the network and cover everything from software to catering, cleaners, private ambulances, and more.
And Dearing has laid out a five-point plan to support NHS organisations.
- Map communications to all systems: Once an attacker has infiltrated an organisation, they will try to move to the highest-value assets. This could be patient data or medical devices. A critical step to building supply chain resilience is gaining visibility of all inbound and outbound connections to your suppliers. Identify which systems can communicate and then use this knowledge to identify and quantify the risks faced by any asset or application. This can be based on the vulnerability of each system and the exposure it faces in connecting to other systems and devices.
- Gain comprehensive visibility of your environment: A critical step to building supply chain resilience is gaining visibility of all inbound and outbound connections to your suppliers. Visibility allows you to understand what your normal looks like so that when an unexpected connection happens, or you notice an unexpected high volume of data being transferred, you can detect using existing Security Information and Event Management (SIEM) technologies and take action. Visibility also enables you to understand the dependencies associated with that system and build up a picture of ‘known good’.
- Deploy a strategy of least privilege: For those areas where you have less control, such as your software supply chain, ensure you have good segmentation from the rest of your environment. Implement very-restrictive allow list policies and apply controls based on least privilege to govern and restrict access between resources. Stopping unauthorised communication enables an attack to be contained in a single location and prevents attackers from reaching critical assets and services. This approach is equally applicable for medical devices, data centres, the cloud, and endpoints.
- Ringfence high-value applications: Take steps to ringfence high-value applications that handle any intellectual property, non-public financial data, legal documents, or sensitive and personal information. Ringfencing shrinks the security perimeter from a subnet or VLAN to a single application. It provides the largest impact with the least amount of work, requiring only one line of security policy per application to close off 90% of the potential attack surface for east-west traffic movement.
- Don’t neglect the basics: Most risk exposure comes from bad hygiene, bad process, and human error. Remember, defenders need to be right 100% of the time, but the attacker only needs to get it right 1% of the time to be successful, so there is no room for error. The best way to reduce risk is through the practice of good security hygiene and a defence-indepth approach, which at a very minimum, means regular patching, limiting access to systems and services with known vulnerabilities, and imposing a strategy of least privilege.