Matt Lock of Varonis argues that an increase in connectivity has left health-service IT vulnerable

May’s WannaCry ransomware attack was a wake-up call like no other. Affecting numerous hospitals across the UK, the cyberattack managed to bring critical services to a standstill; non-urgent operations were cancelled, doctors had to resort to using pen and paper; and patients at some hospitals were advised not to attend A&E departments. 

The scale of the attack has highlighted how a trend towards accessibility, and an increasingly interconnected network, can pose risks, at a time when we’re more reliant than ever on digitised services.  When critical services, including A&E departments, are compromised in this way, we need to take stock and apply the lessons of how to better protect the systems which keep our health service running.  

Connectivity is King 
In the post-mortem following WannaCry, factors such as lack of investment and staff training were cited as the causes behind the debilitating impact to services. Certainly these play a part, but we also need to look more closely at how the systems within hospitals are designed in order to diagnose why, when the attack struck, vital services were suspended so quickly. 

Key to this is that, in recent years, there’s been a trend towards improving accessibility and integration of systems and data so that information can flow freely. The digital transformation that’s been core to the delivery of services brings convenience, but this shouldn’t be at the expense of security. 

Related content​

• NHS ransomware attack one month on: “The people who didn’t patch Windows 7 should be sacked”
• WannaCry NHS attack – busting the myths
• ‘They should have planned it on Google Earth’ – UK cybercrime chief on the Hatton Garden heist’s folly and why WannaCry is a watershed moment

This approach means that the attack surface expands: when an attack like WannaCry strikes, the shockwaves are felt more widely across the network, and ransomware can spread quickly across interconnected systems. It meant that A&E departments which, in the past, would not have been connected to other hospital systems, were affected.  Added to the challenge is that we’re building on ageing, legacy systems with unpatched and out-of-date software which poses a significant risk.  These are exactly the vulnerabilities that attackers will exploit. 

Essential services should not be vulnerable in this way: we need to isolate critical infrastructure with air-gapped networks that are not connected to the internet, or to any devices that connect to the internet. This reduces the risk vector and means that, when at attack strikes, the impact can be contained.  

We also need to ensure that we get better at protecting the data itself.  When access to data isn’t managed or monitored, organisations are at far greater risk from cyberattacks.  In the case of ransomware, for example, if the compromised individual has global access rights, all the data that they can access will be encrypted.  Setting ‘least privilege’ models for access, so that only those that ‘need to know’ can access sensitive data, ensures greater level of security and protection for personal data. 

If we are to improve security we need to learn the lessons from these attacks; protecting the perimeter is not enough. As the ransomware epidemic will continue to grow, we need to re-examine how we protect vital systems once an attack has breached the outer security defences.