Latest attack on the health sector highlights flaws in supply chain security
The attack on NHS software provider, Ortivus, comes a year after the NHS 111 service was crippled by hackers
The NHS needs to embrace artificial intelligence (AI) and improve security across the supply chain to protect it from cyber criminals, experts said this week following news that yet another attack led to two of England’s ambulance trusts having to resort to paper-based patient records.
Tech leaders spoke out after reports that both South Western Ambulance Service Foundation Trust (SWASFT) and South Central Ambulance Service Trust (SCAS), which together serve around 12 million people, were targeted by online criminals.
Both organisations use Swedish firm Ortivus’s MobiMed software, which was affected in an attack on 18 July.
And, while the company claimed no patients had been directly affected, electronic patient records were unavailable and manual systems had to be used.
Neither ambulance trust has commented on the ongoing situation and it is as yet unclear what type of attack the company suffered.
However, the reports have led to renewed warnings from technology experts, who fear the health sector will continue to fall victim to hackers if improvements to security are not made.
Speaking to BBH, AJ Thompson, chief commercial officer at Northdoor, said: “Although at this stage there is little other information about the hack, or how much data has been stolen, it does highlight the increasing threat from supply chain attacks, particularly for those organisations in the healthcare sector.
“The nature of the data held in the healthcare sector means it is an incredibly-tempting target for cyber criminals and, when the attack comes via a third party, too often healthcare organisations are left defenceless.
“No matter what budget is spent on cyber frontline defences, attacks via the supply chain negate all investment, as essentially the cyber criminal is entering through an open back door.”
He added: “The result of a data breach is not just potential loss of sensitive data and the resulting reputational damage that healthcare organisations have to consider.
“The recent IBM Cost of a Data Breach Report has shown that healthcare data breach costs have increased 53.3% since 2020 and the sector reported the most-expensive data breaches at an average cost of $10.93m.
“This is a huge amount of money and at a time when budgets are stretched more than ever before it can have a catastrophic impact on frontline services.”
On the Ortivus attack, he said: “This latest attack, and the fact that ambulance services have had to resort to paper-based records, has highlighted just how vulnerable organisations remain to a supply chain attack.
“This approach from cyber criminals is only going to increase over the coming months, because it is just so effective and allows them access to huge organisations without attempting to navigate their frontline defences.
“Therefore, healthcare organisations have to place as much emphasis on their supply chain defences as those on the frontline.
“Healthcare organisations tend to have long, complex supply chains and ensuring that your partners’ defences are up to scratch can seem a daunting, if not impossible, task.”
But AI technology could hold the answer.
“Some solutions, using AI, can provide a 360-degree view of possible vulnerabilities within a partner’s supply chain, allowing healthcare organisations to talk to partners and ensure they are closed before cyber criminals take advantage,” Thompson said.
“Unfortunately, this is unlikely to be the last supply chain hack on a healthcare organisation we will see in 2023.
“However, with technology available to help identify vulnerabilities, organisations can start to fight back against an increasingly determined and sophisticated cyber criminal.”
The latest incident comes a year after the Advanced ransomware attack, which crippled the NHS 111 service.
The attack, which saw client patient management solutions and the NHS 111 services taken offline, highlighted the ongoing risks for the health sector.
In June and July of this year, cyber security company Illumio reached out to UK NHS trusts under the Freedom of Information Act 2000 to ask about supply chain security.
And more than a quarter (28%) of those that responded admitted to conducting no audits of their third-party suppliers’ cyber security measures in the past 12 months.
Trevor Dearing, director of critical infrastructure at Illumio, comments: “The NHS is doing its best to maintain a high level of patient care and safety, yet a year on from the Advanced attack there are still critical gaps in supply chain security which are exposing the NHS to unnecessary risk.
“One of the best security models for improving cyber resilience is ‘zero trust’ because it is based on the mantra of ‘never trust, always verify’.
“And the same ethos must apply to the supply chain – attackers know they can increase efficiency and profitability by compromising the supply chain, so trusts must assume a breach will come from one of their suppliers and mitigate risk accordingly.
At the very minimum, he advises, all trusts should be carrying out some form of cyber security audit of their supply chain and taking steps to mitigate the risk of supply chain attacks.
This should encompass any supplier with connectivity to the network and cover everything from software to catering, cleaners, private ambulances, and more.
And Dearing has laid out a five-point plan to support NHS organisations.