NHS Scotland must be on ‘high alert’ amid rise in ransomware attacks, warns cyber boss
NHS Scotland “needs to be on high alert” amid a “huge increase” in the number of attacks on the healthcare sector, a cyber boss has warned.
Deryck Mitchelson, chief information security officer at global cybersecurity firm Check Point, said he fears that 2022 will see a “major cyber attack” on the UK healthcare service.
His comments come on the back of the Ukraine conflict, which has led to a rise in malicious cyber incidents on businesses and government agencies around the world.
Mitchelson, who stepped down from his role as digital director of NHS National Services Scotland (NSS) last year, said that Check Point is seeing a 71 per cent increase in weekly attacks on healthcare, to around 830 per week.
He said: “Given the impact of last year’s ransomware attack on the Irish healthcare service, the NHS in Scotland needs to be on high alert. The threat and number of cyber attacks continues to rise and healthcare is near the top of sectors being targeted.”
A cyber attack on Ireland’s health service last May caused widespread disruption, forcing the organisation to cancel appointments and take its systems offline to protect them from further harm.
Mitchelson said: “Cybersecurity is on the risk logs of most NHS boards in Scotland, but few boards have dedicated security teams and appropriate investment in robust cyber programmes that will deliver end-to-end protection of our services.
“There is such a huge attack surface in the NHS supporting its 200,000 workforce, and with many still working remotely, it only takes a single compromised account or weak remote access control for a threat actor to access our health systems.”
It follows the news that pro-Russian hacker group Killnet threatened to shut down British hospital ventilators after an alleged member of their cyber crime gang was arrested in the UK earlier this month.
Mitchelson said he was “not convinced” that the claims were legitimate. “Killnet is a pro-Russian hacker group, but so far we are seeing them target mainly government websites, the latest of which was several Italian ministries. I would be surprised if they switched focus onto healthcare, but do expect that UK government websites are already a target for them.”
But he stressed the need for the NHS to “up its game” and remove all unsupported operating systems, strengthen remote access, increase end-to-end visibility and monitoring and ensure that “robust” incident response plans are in place.
He said: “The NHS has such a huge threat landscape to protect. I fear that 2022 may see a major cyber attack in UK healthcare and hope it is prepared.
“Collectively we need to raise our game and ensure we are not distracted by any geo-political conflicts.”
How can this be done? “There needs to be a joined-up cyber programme across the NHS focused on delivering improved cyber resilience”, he said.
“This won’t succeed if managed at silo’d board level, it needs to deliver improvements across the entire NHS. For example, malware is capable of infecting millions of devices within a 24-hour period.
“The NHS needs assurance that its defences would stop a malware from deploying its payload and infecting devices.
“If infection occurs then it needs assurance that its end-to-end monitoring capability would detect this at the earliest opportunity and that a highly segmented network would stop the spread both within boards and across to other boards.”
Without a focus on resilience, the impact of a cyberattack could be devastating.
“Any infection would spread and infect in particular un-patched and end-of-life devices, having a detrimental impact on both emergency and scheduled procedures,” he said.
What could an attack on the NHS look like in reality? “I would expect any breach to initially be IT related, but the NHS has a huge number of medical devices, often running older operating systems, which could be easily compromised with ransomware.
“Groups like Conti and Lapsus$ are in it for the commercial gain and they would steal as much patient data as possible, whilst encrypting devices and disrupting operations.
“So much of our healthcare is now dependent on digital technologies that this could have a crippling impact, from appointment scheduling and prescriptions to consultations and operations.”