Is the NHS investment in data security paying dividends? Davey Winder explores
This is an edited version of an article that originally appeared on Digital Health
Time and time again I see warnings that healthcare is a prime target, even ‘the’ prime target, for cyber crime actors. The organised criminals behind ransomware attacks promised not to target healthcare during the COVID pandemic and, by their actions, proved those promises to be hollow words. Where healthcare is targeted and successful attacks are confirmed, those involving organisations across the pond appear far more plentiful than domestic ones.
This is far from the only data security dichotomy on my mind though. There’s the fact that, while the Information Commissioner’s Office has reported 3,557 data breaches across the UK health sector in the two years to March 31, most within the NHS, I see very little evidence of this data within the online criminal forums which trade in such things.
Which leaves me wondering whether – since I see evidence of plenty of breached US healthcare data for sale – the NHS investment in data security is paying off. Writing about cyber security means that I get access to a lot of threat intelligence, and most of the reports I see, as well as the insight I get through threat intelligence feed databases, do little to suggest otherwise.
Take one recent, very lengthy, report which explored, amongst other things, the proliferation of data for sale on criminal forums, focusing on the global healthcare and pharma threatscape. Within the close on 50 pages of this report there was just a single confirmed example of UK health data offered for sale: referenced in May 2021, it involved 4,000 medical records (scanned clinical records and identity documents) with a total price of just $500 (£375). I asked the people behind this report whether this reflects a better security outcome for UK healthcare compared to other countries, such as the US, whose breached healthcare data was referenced repeatedly.
“The UK healthcare sector is not doing any better, from a security perspective, than that of any other country,” Paul Prudhomme, head of threat intelligence advisory at IntSights, a Rapid7 company, told me.
“There are few UK examples in the report simply because the few UK examples in our existing corpus of customer alerts were not as useful for illustrating the specific points that I needed to make in the paper.”
In other words, it was just a matter of the data sample available, editorial choices and random variation – but surely that doesn’t explain the apparent, relative, scarcity of breached UK healthcare data that appears across multiple intelligence sources? Obviously, I appreciate that the ICO data breach reports include personal error, deletion of files and mishandling, as well as criminal exfiltration, but the dichotomy dilemma refused to depart my bonce.
Unravelling the stolen data dichotomy dilemma
My next port of call, in an attempt to resolve this headache, was David Carmiel, CEO at threat intelligence company KELA. He told me that, yes, KELA had seen examples of UK healthcare data being traded or leaked on the dark web over the last year but “we cannot evaluate the scale in comparison to other countries’ healthcare data since we didn’t perform deep research into this topic”.
That said, Carmiel told me that KELA had seen more than 200,000 credentials pertaining to nhs.uk exposed via third-party breaches, and within compilations of dumps posted to criminal sources during that period. However, he did also say that there wasn’t “a lot of valuable offers featuring UK healthcare data at a first glance”.
Kevin McMahon, CEO at another threat intelligence specialist, Cyjax, pointed out the obvious, as it’s often overlooked by journalists such as myself when we smell a story. “Not all stolen data is traded openly on underground forums,” he says. “Private sales are preferred, where possible, as it maximises the value of the data and minimises the risk to the threat actors, so analysing leaks markets doesn’t really provide a good metric for UK exposure.”
Plus, of course, the NHS doesn’t pay ransoms, and threat actors know this, which makes compromising a GP surgery or a hospital a much less valuable option than a US one where monies are known to have changed hands. The US provides, therefore, a much bigger magnet to pull in criminal attention.
Moving the needle on the metrics of data security success
Finally, I turned away from the pure threat intelligence specialists and to a physician-led health IT and cybersecurity regulatory risk management consultancy for answers.
The notion that compromised UK healthcare data is scarcer within criminal trading circles than other nations does not surprise Dr Saif F Abed, the director of cyber security advisory services at The AbedGraham Group; in fact, he told me it is “entirely consistent with how I have attempted to explain the nature of public sector healthcare cybercrime for some time. I would posit that admin credentials are more valuable,” he says, “as they support attempts of the attack of choice right now – ransomware.”
Which moves the needle of the ‘data security success metric’ somewhat, Dr Abed suggests, to how often the health and life sciences supply chain has been disrupted due to a denial of service type attack. A metric that, he posits, is all but impossible to measure without full transparency of a system as complex as the NHS.