Insights into the NHS cyberattack: an interview with Shobhit Gautam

Recently, NHS England confirmed a significant breach of patient data held by the pathology testing company Synnovis, the result of a ransomware attack. The cyber-criminal group Qilin has claimed responsibility, releasing almost 400GB of private information on its darknet site. Although NHS England stated there is “no evidence” that test results have been published, investigations are still underway. The cyberattack has disrupted over 3,000 hospital and GP appointments. Still, NHS England has reassured patients to continue attending their appointments unless otherwise notified and to access urgent care as usual.

In light of this recent cyberattack on the NHS, we had the opportunity to speak with Shobhit Gautam, Staff Solutions Architect for EMEA at HackerOne, to gain valuable insights into the incident and the broader implications for cybersecurity in the healthcare sector. Shobhit Gautam talks about what steps healthcare institutions should prioritize to fortify their cybersecurity defences against such threats.

Given the recent ransomware attack on major hospitals in London, what steps should healthcare institutions prioritize to fortify their cybersecurity defences against such threats?

To prevent these types of attacks from happening again, healthcare organizations must ensure that patient personal data is always securely stored, encrypted with strict access controls, and regularly backed up. Data must be classified and stored appropriately according to its classification, with the corresponding privilege policy implemented.

Email spam filters are a good first-line defence against most questionable content, placing it in the Spam folder before it hits the inbox. However, not all phishing emails get caught, which is what makes them so dangerous. Therefore, it’s important to implement an email filtering system and configure it to effectively analyze incoming emails for malicious content and flag them before they do damage.

Third-party vendors must be vetted and meet the required standards of security controls. Ensuring they follow the same (if not higher) level of security compliance as the organization is vital, and monitoring and identifying any exceptions or deviations are recommended. Looking at past incidents and how they were handled would also need to be added to the third-party assessment checklist.

Finally, organizations should educate their employees, ensuring they are aware of cyber and social engineering attacks and are trained to identify and avoid such methods so they are not easy targets.

How can partnerships between healthcare providers and cybersecurity firms, like HackerOne, enhance the resilience of critical infrastructure against cyber-attacks?

Prevention is the only effective defence against cyber threats. Increasingly, even more traditionally conservative sectors – such as the UK’s Ministry of Defence – are adopting new security strategies to reduce risks. This includes engaging with the ethical hacking community through Vulnerability Disclosure Programs (VDPs) and bug bounty schemes.

Ethical hackers worldwide collaborate continuously, leveraging their extensive expertise to monitor vulnerable systems across different time zones. Their ability to discover and evaluate security vulnerabilities provides valuable insights that enable organizations to improve their remediation speed. By identifying malicious activities early, ethical hackers assist critical infrastructure security teams in stopping cybercriminal efforts before damage is done.

Furthermore, VDPs and bug bounty programs offer a platform for security experts to discover emerging and sophisticated vulnerabilities, such as the ‘back door’ flaws exploited by bad actors to infiltrate critical networks. This collective improvement in cyber practices enhances the safety of interconnected essential infrastructure networks, creating a mutually beneficial partnership.

What are some best practices for healthcare organizations to implement in their contingency planning to mitigate the impact of potential cyber incidents on patient care and operations?

The medical industry is known to have a comparatively lower level of investment in cybersecurity and is often left vulnerable to attack. Medical and healthcare organizations often follow the bare minimum requirements to meet compliance standards but fail to implement holistic measures to protect systems and data.

Here are the top recommendations to the medical and healthcare industry to prevent security breaches:

Employee education and training: Humans are often the weakest link. Investing in employee training and education can ensure they are aware of cyber and social engineering attacks. This involves training staff, conducting regular security awareness campaigns, and integrating security best practices into everyday workflows.

Implement strong access controls and encryption: Ensure strict enforcement of access controls for patient data. Access should be restricted to authorized personnel based on their specific roles. It is also crucial to employ encryption for sensitive data when it is stored and transmitted. In the unfortunate event of a breach where data is leaked but encrypted, the encryption significantly helps the organization by rendering the stolen information useless to unauthorized parties. Additionally, having encrypted data can demonstrate the organization’s commitment to robust security practices, potentially reducing legal liabilities and mitigating reputational damage.

Regular security assessments and vulnerability management: Conduct regular security assessments to identify and address vulnerabilities in systems and applications. Patch vulnerabilities promptly to minimize the window of opportunity for attackers.

Regularly update software and systems: It is crucial to keep applications, third-party components, and operating systems up to date. Ensure that the latest security patches are in place to prevent attacks. Outdated software can contain vulnerabilities that malicious actors could exploit.

Third-party onboarding and vetting: Healthcare organizations often depend on various third-party vendors. These vendors must be thoroughly vetted and meet the necessary security standards. Ensuring they adhere to the same or higher level of security compliance as your organization is vital. Any exceptions or deviations should be identified and monitored. The assessment checklist should also review past incidents and how they were handled.

Compliance with regulations: The healthcare industry is guided by stringent regulations such as HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Security Act). Adhering to these regulations guarantees a strong security foundation for patient data and promotes trust and integrity in our healthcare system.

Incident response planning and training: Develop a comprehensive incident response plan that outlines steps to take in case of a security breach. Train staff on how to identify and report suspicious activity and how to respond to a breach effectively.

Prioritise security and build a security-first culture: Build a culture where security is viewed as a continual priority, not an afterthought. Fostering a culture where security is everyone’s responsibility would help decrease human error, increase vigilance, and enhance overall security posture.

Furthermore, organizations may also want to consider the following actions:

Invest in and build a security team: Establish a dedicated security team with the expertise to manage your organization’s security posture. This team can be responsible for:

Threat detection and prevention

Vulnerability management and patching

Security assessments and audits

Incident response and recovery

Communicate security breaches with peers: Build and establish a process for communicating security breaches with relevant peers in the healthcare industry. This would help:

Sharing lessons learned to improve collective defences

Identifying potential threats affecting multiple organizations

Collaborating on remediation efforts

George Mavridis is a journalist currently conducting his doctoral research at the Department of Journalism and Mass Media at Aristotle University of Thessaloniki (AUTH). He holds a degree from the same department, as well as a Master’s degree in Media and Communication Studies from Malmö University, Sweden, and a second Master’s degree in Digital Humanities from Linnaeus University, Sweden. In 2024, he completed his third Master’s degree in Information and Communication Technologies: Law and Policy at AUTH. Since 2010, he has been professionally involved in journalism and communication, and in recent years, he has also turned to book writing.