NHS Digital is set to start expanding the range of cybersecurity services available to UK hospitals and clinics.
CareCERT (Care Computer Emergency Response Team) launched in November 2015, offering a national service that helps health and care organisations to improve their cybersecurity defences by providing proactive advice and guidance about the latest threats and security best practices.
A service that initially focused on pushing out alerts about threats will be expanded to include three new services, each of which begins testing this month:
• CareCERT Knowledge – a new e-learning portal to help all health and care organisations train their staff in cybersecurity basics.
• CareCERT Assure – a service to help organisations assess their local cybersecurity measures against industry standards, including recommendations on how to reduce vulnerabilities.
• CareCERT React – advice on reducing the impact of a data security incident.
Public health and innovation minister Nicola Blackwood announced the expansion at the Health and Care Innovation Expo on Thursday. The rollouts come at a time of increasing security threats to UK hospitals and clinics, particularly from file-encrypting ransomware.
Almost half (47 per cent) of NHS trusts have been subject to a ransomware attack in the past year, according to figures from a freedom of information (FOI) request published last month. NCC Group’s FOI is based on requests to 60 trusts, 28 of which confirmed they had been victims of ransomware.
Independent infosec consultant Brian Honan, the founder and head of Ireland’s CERT, told El Reg that the increase in security services ought to be considered as a move to drive security improvements in UK hospitals in general, rather than a specific response to the ransomware threat.
“I do not see this as a reaction to ransomware as a recent FOI request submitted by Channel 4 showed that out of 152 NHS Trusts 39 were affected by ransomware,” Honan explained. “However, with the rising number of threats against computer systems this is a welcome and prudent move to enhance the security of the data, computers, systems, and networks the NHS increasingly relies on to provide its services.”
Ransomware has caused massive headaches for hospitals. In February of this year, at least a dozen hospitals around the world had been seriously infected with malware demanding cash to retrieve their files. Some even resorted to pen-and-paper systems, and others gave the hackers over $10,000 worth of bitcoin to unlock their systems.
But judging by responses to Freedom of Information requests, UK hospitals are not paying hackers when ransomware strikes.
Motherboard asked National Health Service (NHS) trusts for details on attack figures and payments stretching back to January 2012. Many had been successfully hacked at some point (although on a limited scale, infecting only a small number of computers). Another piece of research carried out by cybersecurity company NCC Group found nearly half of 60 NHS Trusts suffered a ransomware attack in the last year.
But successful infections are not necessarily the most important thing here. Successful payments are: a ransomware operator gets nothing for their time and effort if the victim doesn’t cough up the bitcoin. If a hospital hasn’t paid a hacker, presumably it has managed to protect patient or other files from permanent loss.
That’s exactly what many of the hospitals contacted by Motherboard did. All of the hospitals that said they had been successfully infected with ransomware said they had not paid the attackers.
The East and North Hertfordshire NHS Trust said it had faced two successful infections of “Crypto Locker,” a particularly popular form of ransomware. “In both cases for the Trust, we did not pay the ransom, we simply recovered the data from an internal backup,” Freedom of Information Officer Jude Archer wrote in her response. “We backup all Trust data each and every day. I can confirm that there is no evidence the data that was encrypted [by the ransomware] was copied or moved off site at any time.”
The Health and Social Care Information Centre (HSCIC) had the same strategy, and added that it has a policy of not paying attackers.
“According to records HSCIC has been infected with ransomware on 3 occasions since January 2012, in every instance HSCIC has been prepared for this eventuality and has been able to contain and eradicate the ransomware infection and restore all affected systems and files from full backups, without any breaches to patient data or disruptions to the delivery of patient care,” Information Governance Advisor Graeme Holmes wrote in his response.
The NHS may have a decent track record of not paying hackers, but clearly there is still money to be made elsewhere: earlier this month, researchers from FireEye spotted an uptick in the number of Locky infections hitting US-based hospitals.
Old breaches led to new breaches as cybercriminals’ ability to use and monetize personal information rose significantly across all industries.
Past cyber-attacks and the tools used to carry them out have led to new breaches, according to key findings in a new mid-year trend report by cyber threat intelligence provider, SurfWatch Labs. In a study of cybercrime events that occurred in the first half of 2016, the stockpile of personal information garnered from old data breaches led to new compromises and lucrative payoffs for cyber criminals.
“When LinkedIn announced in May of this year that their 2012 breach actually impacted 100 million more users than originally thought, other organizations began to see data breaches they attributed to the LinkedIn compromise, widespread password reuse by users and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Other breached organizations only widened the pool of information available to be stockpiled by bad actors.”
No industry was left untouched, and the tactics used were not new or sophisticated, according to the report that offers a breakdown of industries targeted, the effects of cybercrime and the tactics criminals employed.
SurfWatch Labs collected cyber event activity from thousands of open and Dark Web sources and then categorized, normalized and measured the data for impact based on their CyberFact information model. Highlights from the SurfWatch Labs Cyber Risk Report: 2016 Mid-Year Review include:
• IT and global government were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines.
• The consumer goods sector made up the largest share of industry targets with information bought, sold or otherwise discussed on the dark web.
• Credentials theft is on the rise. Credentials stolen/leaked appeared in 12.7% of the negative CyberFacts in the first half of 2016, up from 8.3% in all of 2015. That rise is driven by massive credential breaches such as LinkedIn, which was the most talked about event over the period.
• Ransomware and extortion are the methods of choice. The first half of 2016 saw a significant spike in ransomware and extortion as researchers, organizations, and government officials scrambled to deal with the growing and costly problem of data or services being held hostage.
“Our research indicates the familiar cadence of ‘we were breached by a sophisticated attack but it has now been contained’ actually contradicts what has really happened so far this year,” said Meyer. “By understanding what the bad guys are up to, we can make better informed forecasts of how cybercrime will impact organizations going forward and therefore what should be done to reduce risk in the future.”
The federal government and industry have been urged to work together to share information on cyber security threats and attacks to counter the increasing sophistication of cyber adversaries.
According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential, material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that the information (to be shared) itself is important – but it must be actionable, and must arrive in as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them, and that many feel that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Some of the other challenges and “perceived barriers” to greater cyberthreat information sharing that Duca maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.
It is no longer a question of if a business will be attacked, but when – and how.
There are still many old-style fraudsters who forge cheques, submit false invoices for fictional services or seek a “dear friend” who will help them repatriate several million pounds, but these are just a reminder of bygone days when a fraud looked like, well, a fraud.
In recent times a fraud is more likely to look like a genuine email from the managing director asking a member of the accounts team to make a payment to what looks like a supplier.
Closer inspection may reveal that the proposed destination of the cash is not quite what it seems.
Perhaps the language is more polite than one would expect from the MD, maybe the email address of the sender isn’t exactly right – although it looks right at first glance.
Any communication regarding the movement of cash should now be subjected to an additional level of scrutiny. Many businesses have already updated their procedures.
Some will not send cash in response to an email request. Many will make a call to the parties involved to check that everything is genuine and that a payment request originates from who it purports to be from.
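As an added example that is not part of the original article, the following Python check applies the tell-tales described above to an inbound payment request: a sender domain that is a near-miss of the organisation's own, a Reply-To that points somewhere else, and payment wording. The organisation domain, the confusable-character folding and the sample message are constructed assumptions; a hit means "pick up the phone", not "block".

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation domain (an assumption; the article names none).
ORG_DOMAIN = "example-ltd.co.uk"
PAYMENT_WORDS = ("payment", "transfer", "invoice", "bank details", "urgent")


def levenshtein(a, b):
    """Edit distance between two strings; a small value between domains is a near-miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Fold glyphs that look alike at a glance (rn/m, vv/w, 0/o, 1/l) before comparing."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("01", "ol"))


def assess(raw_message):
    """Return the reasons this message should be verified by phone before any payment."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_payload().lower()
    findings = []
    # Same-looking domain that is not exactly ours: the "isn't exactly right" case.
    if from_domain != ORG_DOMAIN and (
        normalise(from_domain) == normalise(ORG_DOMAIN)
        or levenshtein(from_domain, ORG_DOMAIN) <= 2
    ):
        findings.append("look-alike sender domain: " + from_domain)
    # Replies silently routed away from the apparent sender.
    if reply_domain != from_domain:
        findings.append("Reply-To domain differs from From: " + reply_domain)
    if any(word in body for word in PAYMENT_WORDS):
        findings.append("asks for a payment or a bank-detail change")
    return findings


# Constructed sample (not a real email): the MD's name over a near-miss domain.
SAMPLE = """From: "Jane Smith, MD" <jane.smith@exarnple-ltd.co.uk>
Reply-To: jane.smith@mail-relay.example.net
To: accounts@example-ltd.co.uk
Subject: Urgent supplier payment

Hi, could you kindly process this invoice today? New bank details attached.
"""

if __name__ == "__main__":
    for reason in assess(SAMPLE):
        print("-", reason)
```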
There has also been a massive escalation of malicious attacks, usually harmless-looking emails that invite the recipient to click on what looks like a harmless link.
Clicking the link unleashes a virus that will attack the recipient’s systems, potentially causing major harm to the business.
There are now many hundreds of thousands of cases of computer misuse, hacking and malicious virus attacks reported each year.
Whilst these threats might be conveyed digitally, many need to fool a human being at some point to be effective. Every organisation should therefore run regular training for employees on how to spot fraudulent or malicious activity.
Insurers will increasingly expect this kind of training as a condition of cover. In the current climate, it is arguably negligent to not train staff properly in this regard.
The IoD conducted a survey of business leaders in December 2015 which showed that just under half provided training in cyber security for their staff.
Given the potential for commercial and reputational damage that can result from the cascading effect of a cyber attack, this is an alarmingly low figure. It shows a high degree of misplaced complacency.
Cyber security is a business “hygiene” issue. Suppliers, customers and staff are entitled to expect that a business has the necessary measures and procedures in place.
There is also a rapidly growing market for defined cyber threat insurance.
This used to be carried by a minority of companies but is now something that needs to be in place for the vast majority of businesses, especially bearing in mind that only around one per cent of respondents in the IoD survey thought their business wholly unreliant on the internet.
Alongside greater awareness of the threat, the other primary defensive tool in the armoury is software, with good firewalls and analytics that can pick up the bulk of fraudulent or malicious activity.
There is no simple solution to the malice and dishonesty that exist in the digital world.
The price of staying ahead of these threats is eternal vigilance, insurance and up-to-date software.
By Jonathan Oxley