After NHS cyberattack, the future of UK’s medical cybersecurity looks bleak

Manisha Ganguly
Hacking Digital Britain
11 min read · Jul 25, 2017

And it’s going to cost us lives if we don’t fix it. We talk to hackers who saved the NHS, and doctors involved, to identify problems.

Image via NEC Corp on Flickr

On the evening of 12th May, when news broke of NHS institutions across the country being disabled by WanaCry ransomware, infosec Twitter got to work. Inside an echo chamber usually insulated with 0-day jokes, an unprecedented collaboration between security researchers and hackers was under way to measure the attack, release tips on protecting data and, finally, stop it.

“I started a channel on Internet Relay Chat (IRC) as soon as we found out on Friday, and invited people I knew online in the security community to join. There were 121 of us in the channel, with a core group of two dozen,” says Lauri Love, hacker and digital rights activist.

The largest cyberattack till then was stopped when a 22-year-old independent security researcher (who goes by MalwareTechBlog on Twitter) located the kill switch for the ransomware that had paralysed 45 NHS institutions. Described as an “accidental hero”, he did not locate it entirely by accident: like the others, he had been actively looking for a way to stop the attack.

Even though it was part luck that he found it in time, and part the ineptitude of the cybercriminals who left it in, the episode brought back to mainstream attention the impact hackers can have on digital and technological infrastructure at a national scale, in both attack and defence. More importantly, it exposed the increasing entanglement between healthcare and technology, and how ill-equipped we are to defend against its vulnerabilities.

Screenshot: MalwareTech botnet tracker/ Manisha Ganguly

These vulnerabilities occur in two systems within medical infrastructure: digital medical records, such as those compromised by WanaCry; and electronic medical devices themselves, like infusion pumps and pacemakers. In this two-part series, we look at both aspects of medical cybersecurity and talk to hackers about the causes of such attacks, best practices for mitigation, and reforms to safeguard us from future attacks.

Part 01 | ‘The government bears a very high degree of culpability for this attack.’

Behind the scenes of the NHS WanaCry attack, this rag-tag group of volunteers in the IRC chatroom had set up a collaborative notepad to collate verified information from various sources and frame a fact sheet. “There is a necessity for open collaboration when you’re dealing with a threat that is as rapidly emerging, because there’s no way a formalised body could have responded as quickly due to procedures, rules and bureaucracy,” insists Lauri.

The NHS cyberattack disrupted access to medical records, appointments, critical care reports and cancer treatment information. The British Medical Association described it as “another example of the effect of cutting investment to the bone, and a serious wake up call for politicians to the risks of starving the NHS of necessary funding.” NHS Providers and Managers in Partnership (MiP), the trade union representing 6,200 senior NHS managers, also held government underfunding responsible.

In fact, a 2016 investigation by Motherboard had previously uncovered 42 NHS institutions running outdated Windows systems that were vulnerable to attack. “The government bears a very high degree of culpability for this attack. The Tory government in 2015 cut funding to pay Microsoft for out-of-service security patches in outdated Windows systems”, Lauri explains. “There’s no reason Windows XP machines need to be running on the internet: where medical equipment is only compatible with those machines, they should have been disconnected. There has been negligence, and the NHS is not to blame for it because they didn’t have the resources to exercise due diligence.”

The NHS has been suffering from chronic underfunding due to cuts imposed by the Conservative government, with the Health Foundation reporting an “unprecedented slowdown in funding for the NHS — now halfway through the most austere decade of funding growth since records began in 1948”.

A Twitterbot by @collinskeith updating daily WanaCry ransomware payments

“We warned the NHS in November last year about security problems and it was only a matter of time before they were hit with something like this. We also have been warning about the ShadowBrokers exploits since they were released and analyzed by us online. It appears people did not heed our warnings despite our statement to apply patches promptly,” says Matthew, an ethical hacker and co-founder of HackerHouse, and one of the most active hackers in the mitigation efforts against WanaCry and, later, Petya.

Home Secretary Amber Rudd denied the attack had anything to do with “preparedness”. When reached for comment, NHS Digital informed us that in April it had issued a targeted update which included the patch, to both NHS staff and “more than 10,000 security and IT professionals to alert them to this specific issue”. It also issued guidance in the immediate aftermath of the attack.

Graphics: Manisha Ganguly/ CC via SA

However, Matthew points out the lack of response from organised bodies at the time of the crisis. “Almost all of the work we saw was done by the hacking community via IRC and social media. Security companies pushed out blog posts as well.

“There was some terrific analysis done from that community which was then taken in-house by government; however, they never interacted or reached out to me or my team in any way. Working with hackers is something they will need to get used to if they want to succeed in their cyber objectives.”

Yesterday, an investigation revealed that 182 NHS bodies across the UK were targeted by ransomware in 424 recorded instances over the past three years. The UK’s Data Protection Act defines patient records as sensitive information and sets out guidelines for safeguarding digitised records. The seventh principle, which relates to the security of data, states: “The measures you take must be appropriate to the nature of the personal data you hold and to the harm that could result from a security breach.”

Defence Secretary Michael Fallon went on BBC One’s Andrew Marr Show following the attack, stating that 50 million of the 1.9-billion-pound cybersecurity budget had been spent on safeguarding the NHS from such attacks. Lauri, however, is quick to contradict this, referring to the GCHQ budget: “There’s no shortage of money being spent on cyber, yet most of the government initiatives on anything digital or cyber have been to grant themselves more power and take away privacy rights.” Earlier this year, the UK government passed the Investigatory Powers Act, previously known as the Snooper’s Charter. The Act legalises the use of a range of interception and hacking tools by the security services, and has been described by NSA whistleblower Edward Snowden as “the most extreme surveillance in the history of western democracy.”

“Real security in digital systems is an engineering problem. If you think of the UK’s digital infrastructure, it’s a big tower building, like Trump Tower. In order for it to be considered safe, it has to pass the building codes, which are technical definitions. It doesn’t matter how many guns are given to the security of the building, i.e., it doesn’t matter how much power you give to the state, if the underlying engineering problems within security aren’t addressed. Even if the government had its most Orwellian Snooper’s Charter, it would’ve done nothing to stop this attack because of the borderless nature of the internet”, Lauri explains.

Image via Twitter

Despite facing extradition to the US on alleged hacking offences that could carry a sentence of 99 years in prison, Lauri, who holds British citizenship, submitted identified strings from the malware to GCHQ to help catch the cybercriminals responsible.

“Organised crime is pivoting onto digital. A lot of people come into hacking from videogames, where you collect more points for knocking people off the game, and then transgress. Unless the government creates structures that are more rewarding, either financially, or in terms of fulfilment, the criminal side will find their talent.”

Earlier this week, the NCSC announced ‘free CyberFirst courses’ for students aged 11–17, to introduce them to cybersecurity through one- to four-day programmes.

Part 02 | ‘I’m only going to deal with my own body’s failures and not the failures of your system.’

If having surgery cancelled because one’s medical records are being held to ransom by cybercriminals is a worrying reality of our times, then the prospect of medical devices being susceptible to hacking is a graver concern.

“We are the generation of doctors transitioning out of using physical medical records. We’re at this electronic medical age where all of the infrastructure, the actual day to day care of patients, not just the data, is technology-determined. So when these things are compromised, patients’ lives could be impacted by a cyberattack. It’s no longer data-focused, it’s patient safety focused.”

It is June, and in the packed auditorium at the Phoenix Biomedical Campus in Arizona, hacker-doctors Jeff Tully and Christian Dameff deliver a presentation on the impacts of hacked medical devices. The occasion is a first-of-its-kind cybermedical summit that has brought together security researchers, healthcare administrators, policymakers and medical device manufacturers from across the US. Their aim is to address the growing challenges of medical technology and cybersecurity. In their talk, Jeff and Christian describe an escalating crisis scenario in which a single cybersecurity incident at a hospital results in an outage across the entire region, similar to the NHS cyberattack.

Their most interesting argument, however, is the parallel they draw between hackers and doctors, and their advocacy of a different approach to medical cybersecurity.

“Doctors are hackers and don’t know it, and we need to unlock this connection. They use the same critical thinking skills to analyse systems around them and recognise that if this ventilator connected to the internet should fail, the patient might die,” says Dameff, an emergency medical physician.

Tully, co-speaker for the presentation, is a trained paediatrician; both Dameff and Tully come from a hacking background and are veteran speakers at the US’s largest hacker convention, DefCon. At this year’s DefCon (currently ongoing), they are running a medical device hacking “village” and hosting a healthcare security meetup called “D0 No H4rm”, along with Beau Woods and Josh Corman, directors of the Atlantic Council’s Cyber Statecraft Initiative. Beau and Josh are responsible for the creation of the Hippocratic Oath for Connected Medical Devices, which outlines best practices for medical cybersecurity.

Jeff and Christian, on the other hand, look at how potential vulnerabilities in medical devices might impact patient care. “We are seeing a new generation of medical devices for heart conditions like pacemakers or defibrillators, insulin pumps, and these devices are frequently on the internet of things. We’re now at this new frontier where we continually increase the technologic reliance on the system. Perhaps the best example of how ubiquitous this is came with the NHS WanaCry attack. Dozens of hospitals unable to perform surgeries, turning patients away from waiting rooms, does demonstrate how disruptive a cyberattack can be,” says Jeff.

The first case that brought the hackability of medical devices to mainstream attention was the Hospira infusion pump hack, in which security researcher Billy Rios demonstrated that it was possible to remotely hack into pumps that control medicine dosage through a drip and cause an overdose or underdose. Both the FDA in the US and the NHS in the UK issued warnings about the affected versions.

More recently, earlier this month, a recall was issued in the UK for haemodialysis machine software that incorrectly saved blood data in critical care.

Christian Dameff/ CybermedSummit
Jeff Tully/ CyberMedSummit

The first step to finding such vulnerabilities is understanding our dependence on these technologies within the healthcare infrastructure. Christian offers me a hypothetical scenario to explain this: You have a persistent pain in the lower right of your abdomen. It hasn’t gone away after a few days, and you have a fever; Google tells you it might be appendicitis, so you come into the emergency room at the hospital. There, they bring up your medical records from a digital database while your vital signs are digitally recorded. The doctor evaluates your records for past surgeries, allergies, etc., and prescribes pre-op medication relying on the accuracy of that data. They take you to a patient room, where you are connected to a monitor with networking capabilities, and every heartbeat is transmitted and also integrated into the electronic medical record. If they need to draw blood for imaging, the system that handles all of those lab draws is electronic, to prevent samples from getting mixed up. You are hooked up to a CT scanner, and so on.

“I don’t believe that you shouldn’t go to a hospital or get a pacemaker because you’re going to get hacked at any moment. What we want is awareness of the subject because this NHS attack is going to be one of many we’ll see this year; and healthcare is vulnerable more than any other industry with comparable financial cost”, argues Christian.

The WanaCry ransomware had spread within the NHS network by targeting vulnerabilities in unpatched Windows XP systems still in use. Yet even now, critical infrastructure in the NHS continues to run on outdated, vulnerable software.

But the solution isn’t simply about patching the system: it’s also directly linked to the medical technology in place, as well as the funding needed to patch systems (as one NHS IT professional pointed out in the first thread).

“Patches come out every day for a clinical environment. With patching, there is an element of disruption to services. There have been plenty of situations where people have patched systems which have broken them. If that happens to your computer at home, it’s fine; if it happens in a hospital, people could be injured,” says Christian. “When they develop multimillion-dollar equipment like a CT scanner, it’s built to last. So 10 years ago they thought it was a great idea to have it run on Windows XP.”
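Those two points (unpatched end-of-life systems reachable from the wider network, and patches that cannot simply be pushed to clinical equipment) lead to a triage that a hospital IT team has to do by hand or by script. As an added illustration, not code from the article or from anyone quoted in it, the following ranks an asset inventory by end-of-life OS, network exposure and clinical role, and recommends isolation where patching is not an option; the inventory, zone labels and OS list are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# OS versions past vendor end-of-life. Windows XP is the one the article names;
# the other two are a constructed addition for this example.
EOL_OS = {"windows xp", "windows server 2003", "windows 2000"}
# Zones from which a worm moving through the hospital network can reach a host.
# "clinical-isolated" is a constructed label for a segment with no route to these.
EXPOSED_ZONES = {"internet", "corporate"}

@dataclass(frozen=True)
class Asset:
    host: str
    os: str
    zone: str        # "internet", "corporate" or "clinical-isolated"
    clinical: bool   # directly involved in patient care
    patchable: bool  # False when the attached equipment only runs on this OS build

def assess(asset: Asset) -> tuple[str, str]:
    """Return (priority, action) for one asset."""
    eol = asset.os.strip().lower() in EOL_OS
    if eol and asset.zone in EXPOSED_ZONES:
        # Cannot be patched and a worm can reach it: take it off the general network.
        if asset.clinical:
            return "critical", "move to an isolated clinical segment; no route to internet or corporate"
        return "critical", "no clinical reason to keep this OS; upgrade or decommission"
    if eol:
        return "medium", "already isolated; keep it that way and plan replacement"
    if not asset.patchable:
        return "high", "vendor blocks patching; add compensating network controls"
    if asset.clinical:
        return "low", "patch after testing on a spare unit so a bad patch cannot disrupt care"
    return "low", "patch on the normal cycle"

def triage(inventory: list[Asset]) -> list[tuple[str, str, str]]:
    """Rows of (host, priority, action), most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = [(a.host, *assess(a)) for a in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))

# Constructed sample inventory, not real NHS hosts.
SAMPLE = [
    Asset("ct-scanner-01", "Windows XP", "corporate", clinical=True, patchable=False),
    Asset("reception-pc-07", "Windows 10", "corporate", clinical=False, patchable=True),
    Asset("infusion-gw-02", "Windows XP", "clinical-isolated", clinical=True, patchable=False),
    Asset("lab-analyser-03", "Windows 7", "corporate", clinical=True, patchable=False),
    Asset("ward-monitor-11", "Windows 10", "corporate", clinical=True, patchable=True),
]
```

Running `triage(SAMPLE)` puts the internet-reachable XP scanner first and the already-segmented XP infusion gateway behind the supported-but-unpatchable analyser, which is the order in which the isolation work should be done.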

Earlier this month, the National Data Guardian (NDG), Dame Fiona Caldicott, released recommendations to the Secretary of State for Health, Jeremy Hunt, on updates to health and social care data security standards. The report found “a strong commitment among staff and organisations to keep data secure and that the public largely trusts the NHS to do so”, but suggested improvements in accountability and greater scrutiny of whether data standards are actually being implemented.

Like Lauri, Christian argues that the burden of ensuring medical cybersecurity rests squarely with the government. “We want patients to be able to say to their government: When I’m having a heart attack or I’m sick, I want you to assure me that when I go into a hospital, I’m only going to deal with my own body’s failures and not the failures of your system.”

Follow @manisha_bot on Twitter for more.
