Neil Anderson

While the repercussions of the recent Talk Talk breach continue to percolate, it is worth considering what other organisations store vast volumes of personal data on us, and how well they can protect that data. We don’t hear much about healthcare as a target for cyber security attacks, but evidence shows personal health records are now the target of choice for cyber criminals.

There has recently been a rash of cyber security attacks on healthcare providers in the US. Anthem and Excellus, two US healthcare providers, discovered severe cyber security breaches this year, exposing as many as 80 million customers to identity theft for the rest of their lives.

The result is that attackers are now pursuing healthcare records, and the implications of this are worrying for us in the UK. The NHS holds extensive records on all of us, and recent projects to move these records to electronic systems and centralised databases, whilst pursued through positive motives, means that these records will be more vulnerable to an external cyber security attack.

For obvious reasons, healthcare has a bias towards sharing of data – after all, secure records are no good to you if you are unconscious and the A&E doctor treating you doesn’t know you’re allergic to penicillin.

Medical devices are also a concern. The move towards ever more inter-connected devices within hospitals, and even inside our bodies, means our clinical care will become vulnerable to malicious interference (the implications of a denial of service attack on a pacemaker are obviously catastrophic). Of course, you would hope that no one would be immoral enough to attack clinical infrastructure. Sadly, history has shown that, as a rule, we have been insufficiently pessimistic when predicting how low criminals will stoop.

Why are cyber criminals attacking such organisations? In many ways, it’s down to simple economics. It is clear, for example, that measures taken by the financial industry have been relatively effective in detecting and preventing fraud. This has driven cyber criminals to more lucrative commodities. Cyber criminals run very efficient businesses, with software developers, accountants, CEOs and strategists, just like legitimate businesses.

In cyber security, we try to assess potential attackers (called threat actors) by their capability, motivation and resources. In this context, modern cyber criminals are worrying adversaries: they are capable, well-funded, and highly motivated.

At this stage, we should perhaps consider how mature healthcare providers’ cyber security defences are. Healthcare is not a sector that is usually associated with a high level of cyber security capability, and if the Talk Talk breach is anything to go by, even organisations in what should be highly mature sectors are struggling with the basics when it comes to cyber security.

To pick one example: the attack which caused the Excellus breach, which exposed roughly 10 million customers’ records, started in December 2013 and was undetected until August this year. In other words, the attackers had access to Excellus systems for over 20 months.

While most breaches will not remain undetected for that long, the statistics show that breaches remain undetected on average for over 200 days.

This leaves us with a number of things to worry about. Firstly, we must be concerned that cyber criminals are currently garnering rich pickings through attacking healthcare providers and their record systems. Secondly, we should consider the security of embedded clinical devices, both in hospitals, and even within our bodies. Thirdly, we should worry about the capability of the NHS in the UK to withstand the highly skilled and well-motivated attackers waiting to exploit the market in healthcare data.

We should not stand in the way of progress in healthcare. The move towards greater use of electronic resources to record and provide healthcare is both natural and broadly desirable. What is required is for government at the Scottish, UK and EU levels to ensure all healthcare providers, whether public or private, take their cyber security responsibilities seriously, and put in place resilient and mature cyber security defences to protect us from criminals.

Healthcare providers must also have well documented and tested procedures to follow when they do get breached. In the modern world, we know that all organisations will be breached at some point. We need to be sure that the people responsible for our personal data take all reasonable steps to keep it safe.

Neil Anderson is a security consultant with FarrPoint.