The UK Centre for the Protection of National Infrastructure (CPNI) unsurprisingly names healthcare as one of the sectors critical to the functioning of the UK and for this reason, it faces a range of cyber threats on a daily basis. It plays a significant role within society and hosts some of our most sensitive personal information which must be protected. Data gathered within the healthcare system is subject to GDPR regulations as is any personal data of EU citizens, and therefore requires the appropriate protections.
We often think of the healthcare sector as a single entity in the UK thanks to the NHS. Yet in reality, it is a complex set of organisations, each with independent IT systems and governance in place – from doctors’ surgeries to local hospitals and health boards, each holds a variety of protected personal information and needs systems to handle it. Patient data of course has the potential to fall victim to criminal hackers, especially those looking to steal personal information to be sold. Yet we must remember that whether organisations are targeted through ransomware, cryptomining malware or something else entirely, an intrusion has the potential to cause catastrophic issues within wider healthcare networks and services. This will become ever more problematic as technology becomes further ingrained in healthcare practices. For example, any biomedical devices or systems which depend on the network may be compromised, affecting the quality or efficiency of treatments and putting the safety of patients at risk.
This is arguably why the NIS directive was initially introduced in August 2016, bringing cybersecurity into the limelight to encourage EU member states to reconsider their critical networks. All member states were required to transpose the directive into their national laws by 9 May 2018 to ensure that they were appropriately equipped to handle risk. Under this regulation, the healthcare service was named as an Operator of Essential Services, placing a hefty responsibility on the sector to comply. Other countries across the world have also introduced similar structures for continued compliance. For example, in the US, the HIPAA Act obligates health organisations and insurance entities to protect their patient data against cyber security and other threats.
Yet, despite the implementation of these regulations, some organisations will be unsure of where to start when it comes to combating these issues. Often, much of the protection needed can be offered through good, secure network design, and continued assurance can be achieved through automated testing as offered by products such as Titania’s Nipper. Ultimately, this means undertaking configuration audits against appropriate cyber security standards, helping to ensure that basic cyber hygiene is implemented and maintained across the network. Performing this at scale and on a regular basis can help organisations to take a layered approach to cyber security, which is key to mitigating risk. Quite simply, by having confidence that your networks are configured correctly you can focus on more advanced threats to the data.
Up-to-date threat intelligence plays a key role in the assessment and assurance process. By continually updating threat vector databases, products and services can keep up with the vast majority of threat actors and their capabilities. Threat intelligence is produced on a free and paid-for basis and can be consumed as part of an automated process to ensure it is applied to the tooling in your NOC, SOC or internal assessors’ toolkits. The Titania Nipper product consumes the NIST National Vulnerability Database, for example, allowing it to assess network firmware and software versions against the latest known vulnerabilities and identify where patching needs to take place to remediate the problem across the enterprise.
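To show what that version-against-vulnerability assessment looks like in practice, here is an added example (not Titania’s or Nipper’s code, and not a query against the live NVD). It models how an assessor tool can consume NVD-style records offline: each record names a vendor and product and an affected version range, in the same spirit as the versionStartIncluding / versionEndExcluding bounds the NVD attaches to a CPE match. The device inventory, the vendor and product names and the vulnerability identifiers are all constructed placeholders, not real CVEs.

```python
"""Match a network-device inventory against a vulnerability feed by version range.

Added example, not vendor code. It does not contact the NVD; the feed below is a
constructed, NVD-shaped stand-in used to show the matching logic an assessor
tool applies to firmware and software versions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    product: str
    version: str


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                     # placeholder identifier, not a real CVE
    vendor: str
    product: str
    start_including: Optional[str]   # None means no lower bound
    end_excluding: Optional[str]     # None means no upper bound
    fixed_in: str                    # first release that remediates the issue
    cvss: float                      # base score, used to order the findings


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a version string such as '15.2(4)M7' into a tuple of integers.

    Only numeric fragments are kept, so '12.0.10' sorts after '12.0.9' instead of
    before it as a plain string comparison would put it.
    """
    parts: List[int] = []
    num = ""
    for ch in v:
        if ch.isdigit():
            num += ch
        elif num:
            parts.append(int(num))
            num = ""
    if num:
        parts.append(int(num))
    return tuple(parts)


def in_range(version: str, rec: VulnRecord) -> bool:
    """True when the device version falls inside the record's affected range."""
    v = parse_version(version)
    if rec.start_including is not None and v < parse_version(rec.start_including):
        return False
    if rec.end_excluding is not None and v >= parse_version(rec.end_excluding):
        return False
    return True


def assess(inventory: List[Device], feed: List[VulnRecord]) -> List[Tuple[str, str, float, str]]:
    """Return (hostname, vuln_id, cvss, fixed_in) for every affected device,
    highest CVSS first so the patching queue is ordered by severity."""
    findings = []
    for dev in inventory:
        for rec in feed:
            same_product = (dev.vendor, dev.product) == (rec.vendor, rec.product)
            if same_product and in_range(dev.version, rec):
                findings.append((dev.hostname, rec.vuln_id, rec.cvss, rec.fixed_in))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


def patch_plan(findings: List[Tuple[str, str, float, str]]) -> Dict[str, Set[str]]:
    """Collapse findings into the set of target releases each host must reach."""
    plan: Dict[str, Set[str]] = {}
    for hostname, _vuln_id, _cvss, fixed_in in findings:
        plan.setdefault(hostname, set()).add(fixed_in)
    return plan


# Constructed inventory: three devices from a fictitious vendor.
INVENTORY = [
    Device("edge-fw-01", "examplevendor", "edgeos", "4.1.2"),
    Device("core-sw-01", "examplevendor", "coreos", "12.0.5"),
    Device("ward-sw-07", "examplevendor", "coreos", "12.0.9"),
]

# Constructed feed: placeholder identifiers, NVD-shaped version bounds.
FEED = [
    VulnRecord("VULN-PLACEHOLDER-001", "examplevendor", "edgeos", "4.0", "4.1.5", "4.1.5", 9.8),
    VulnRecord("VULN-PLACEHOLDER-002", "examplevendor", "coreos", None, "12.0.8", "12.0.8", 7.5),
    VulnRecord("VULN-PLACEHOLDER-003", "examplevendor", "coreos", "12.0.9", "12.1.0", "12.1.0", 5.3),
]

if __name__ == "__main__":
    for hostname, vuln_id, cvss, fixed_in in assess(INVENTORY, FEED):
        print(f"{hostname}: {vuln_id} (CVSS {cvss}) -> upgrade to {fixed_in}")
```

Run regularly against a refreshed feed, the output of assess is the patching list the article refers to; the version parser is the part most worth scrutinising, since a string comparison would silently rank 12.0.10 below 12.0.9 and miss affected devices.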
Keith Driver, CTO