The 2017 WannaCry attack caused havoc in the health service, but has enough been done to prepare the system for next time? Ethical hacker Gavin Millard, of cyber-security firm Tenable, helps practices understand what they can do to reduce the risk of being infected and reduce the likelihood of it ever happening again.
As the WannaCry outbreak demonstrated so clearly, NHS primary care services can be significantly impacted by cyber security issues. It’s unlikely the NHS will ever receive the same level of investment in security as private sector organisations, but basic cyber hygiene practices need to be followed to ensure patient records remain private and services continue to be available.
A good starting point is the Cyber Essentials scheme, published by the UK Government, which outlines simple controls. Here are the most relevant sections for practice managers.
Secure your internet connection
Install a dedicated boundary firewall between your computers and the internet. The firewall analyses all incoming traffic to determine whether or not it is safe to be allowed into the network. Some routers will contain a firewall which could be used in this boundary protection role; however, this can’t be guaranteed, so specialised software should be considered.
Devices not managed by the practice, e.g. third-party medical devices, should be on an isolated network, if possible, to reduce the risk of infection if they are leveraged by an attacker.
Secure device and software settings
Default configurations for new software and devices are typically set with ‘everything on’ to make them easily connectable and usable. Unfortunately, these settings are also an open invitation to cyber attackers. Where possible, raise your security posture by disabling or removing any functions, accounts or services which you do not require.
Always use strong passwords
Laptops, desktop computers, tablets and smartphones should always be password-protected – including any personal devices that are used to access work-related materials. Simple password managers – which create a complex password per service – are easy to use, offer a significant improvement to your security posture and are inexpensive to roll out.
Any default passwords that are in use on new devices, such as ‘admin’ and ‘password’, should be changed before devices are distributed and used. It is also worth considering implementing two-factor authentication – a combination of something you know (a password) with something you have (such as a token) or even something you are (biometrics, such as fingerprints, iris scans or voice). Cloud-based two-factor authentication technologies offer simple deployment and easy management.
Control access strategically
Just as you wouldn’t give keys to everyone in the practice, similarly you should limit staff accounts. Employees should have just enough access to software, settings, online services and device connectivity functions for them to perform their role, and no more.
This includes accounts that have administrative privileges to make changes to the set-up of devices; by removing admin access, many viruses and ransomware threats can be mitigated. Finally, only allow staff to install software from manufacturer-approved stores.
Always use protection
Malware, short for ‘malicious software’, is designed to infect legitimate software, passing unnoticed between machines – WannaCry being an example. Typical sources of infection might be an email attachment, someone browsing a malicious website or the use of removable storage drives, such as a USB memory stick. Anti-malware is pre-installed in most popular operating systems – such as Defender in Windows and XProtect in macOS. Smartphones and tablets should be kept up to date and password-protected and, where possible, you should turn on the ability to track and erase lost devices. If you can avoid connecting to unknown wifi networks, this will help keep your devices free of malware, too.
Apply patches as soon as possible
It’s important to keep all phones, tablets, laptops and computers up to date at all times. Manufacturers and developers will release regular updates – not only to add new features, but also to fix any security vulnerabilities that have been discovered.
Applying these updates (aka patching) automatically will ensure devices and systems are protected as soon as the update is released. Both Windows and macOS offer automatic updating, which should be enabled by default.
Focus on the basics
As we become more reliant on IT systems for every aspect of our healthcare services, the impact of a major vulnerability affecting those systems shouldn’t be underestimated. According to Tenable’s Vulnerability Intelligence Report, between 18,000 and 19,000 new vulnerabilities are expected to have been discovered in 2018. Almost two thirds (61%) of the vulnerabilities enterprises are finding in their environments are rated ‘high’ or ‘critical’ – the types of flaws favoured by attackers.
Putting in place a robust process for identifying all systems on the network, and assessing how vulnerable they are, is foundational to good security. The patch that could have stopped WannaCry had been available for a month before the troublesome code took down frontline services; applying the patch would have mitigated the issue. Rather than investing in ever more expensive tools, practices should focus on doing the basics really well. This will significantly impede most cyber attacks.
You can’t protect against every virus, but following these guidelines and remaining vigilant to threats can help you reduce the risk of you becoming responsible for another infection that destroys systems and risks lives.