Security

Making healthcare organisations secure from hack attacks

Healthcare organisations are an obvious target for hackers seeking to capture personal data which they wish to use or sell on for financial gain. Not only do they hold a vast pool of confidential information, public sector bodies are often perceived as soft targets that have failed to spend the requisite time or resources on securing their IT networks. This is a perception not helped by high profile data loss news stories, such as those seen in December 2007, when eight NHS trusts were named and shamed for mislaying computer disks storing patient records.

But stolen discs are not the only IT security threat facing health organisations. In an increasingly financially motivated market, hackers are using a myriad of tricks to extract confidential data from so-called ‘secure’ networks. Furthermore, with the NHS National Programme for IT now well underway, involving the transfer of 50 million patients records onto a centralised network, just one breach could theoretically expose every NHS patient’s personal details. A method for effectively securing data is vital in order to safeguard citizens and maintain public confidence in new online systems.

Gone are the days when simple anti-virus protection was enough to defend IT networks. In the current threat landscape, and across sprawling networks, health organisations need to be aware of malware of all kinds, including viruses, spyware, Trojan horses, as well as worms and spam. Not only are cybercriminals directly attacking desktop computers and other endpoints, they are also infecting bona fide web pages. Anyone surfing the internet could unwittingly download software code that will attempt to steal passwords and other critical information, simply by clicking on an infected weblink or pop-up.

So, how can IT managers and systems administrators recognise the threats and how can they stop hackers in their tracks before they are able to compromise patient records? Furthermore, how do they take control of their systems to ensure that employees and visitors can only gain access to appropriate files and parts of the computer network, and are not able to run riot wherever they choose, forging holes in the organisation’s infrastructure?

The threat of data loss

The threat of confidential data loss has never been more high profile. In addition to the disclosure that eight NHS trusts had lost disks holding patient records, over the last few months there have also been news headlines about similar incidents involving the DVLA and HMRC.

In November 2007, a disk containing the names, dates of birth and addresses of 160,000 children was lost on its way to St Leonard’s Hospital in Hackney. While all these misplaced disks were fully encrypted and password protected, the media frenzy around these stories means that IT managers are facing unprecedented pressure to ensure that all security systems are as robust and watertight as possible.

A more common — but less sensational — method by which healthcare organisations can lose confidential data is via email. In a recent poll, Sophos found that 50% of computer users have accidentally sent an email to the wrong person. In hospitals and other healthcare organisations, where the subject matter of emails can be highly sensitive, this could have disastrous consequences.

While human error can never be completely eradicated, organisations can work to thwart the risks of both intentional and unintentional data leakage by deploying an email security solution that scans outgoing messages for sensitive data and that uses encryption to ensure the secure transit of critical emails. Effective solutions will also identify and block confidential attachments, including those that have had their file type disguised by the sender.

Educating users

If this technology is combined with user education which clearly sets out what constitutes responsible IT behaviour, it is highly unlikely that any confidential data will slip through the net. Unfortunately however, many UK users are not sufficiently aware of the risks and this can be a particular problem for healthcare organisations, where employees do not necessarily spend a great deal of time on PCs, and therefore may not be as IT-literate as staff in other industries.

It is vital then that employees are made aware of the dangers, and are given education covering everything from warning users not to open attachments from strangers, to refraining from disclosing personal details (such as passwords) in response to unsolicited emails that request them — otherwise known as phishing attacks.

These attacks are one of the most profitable kinds of spam campaigns and are an increasingly common method of online theft. By posing as legitimate emails messages or websites, they trick computer users into supplying confidential information.

The latest tactic to come under the phishing umbrella is "spear phishing". This involves a handful of users, which could be the employees of a particular organisation, being targeted in order to gain unauthorised access to confidential data.

Network access control

The benefits of developing a single, consolidated network over which all health professionals can access patient records are undeniable, but this improved access opens up a new can of worms in terms of security. With a joined up network, if an employee’s computer is infected by spyware while surfing the web, the successful hacker may then be able to access sensitive and confidential data held anywhere on the healthcare IT system.

One way of mitigating this risk is to implement a security policy that outlines acceptable employee network and online behaviour. However, within a healthcare environment, where so much sensitive data is at risk, it is dangerous for organisations to solely rely on staff compliance.

Organisations would therefore be wise to investigate and implement a Network Access Control (NAC) solution that provides individual employees the correct level of access to suit their respective roles, as well as block or quarantine access to unauthorised or malware-infected computers.

Effective NAC solutions will enable organisations to simply determine and enforce access rights, and will be flexible enough to change them as and when necessary. These access rights can be judged on a combination of factors, including department, level and role within the organisation, as well as whether the employee is accessing the network remotely or from a shared PC.

This allows health organisations to effectively control mobile workers, agency staff and frequent visitors, which may require access to certain parts of the network and the internet, but would not need the same level as IT administrators or front line medical personnel.

To ensure that the NAC solution is as economical as possible, and does not impact on the rest of the IT systems in place, it should also integrate seamlessly with existing network configurations, and be flexible enough to house new security strategies as they arise.

Sprawling networks

A further complication that can be particularly problematic for healthcare organisations is maintaining the security of wide area networks. Some NHS trusts may have a number of separate sites to maintain, and when these multiple sites share one computer network, holes can often appear which can be exploited by crafty hackers who are well-practised at pinpointing network vulnerabilities.

Effective management of IT security across the board is a key issue to address, and whether the decision is taken to manage the network centrally or to designate responsibility to each individual site, ease of management and the optimum performance of the solution have to be taken into account.

However, organisations should be aware that deploying a disparate range of security solutions across the same trust can result in configuration and integration issues. It is therefore wise to rollout the same solution at all locations, even if the management and deployment is handled separately by each site.

Online threats

The internet has become a ubiquitous tool used by billions worldwide every day, and as such, 2007 was the year when the cyber-underworld made the web its preferred vector of attack. In particular, hackers have begun to plant their malicious code on legitimate webpages, which the vast majority of surfers would assume were safe and secure. In reality, the web presents a relatively unprotected route to users’ desktops and laptops, posing a very real threat of both personal and corporate identity theft.

Once compromised, infected computers can give cybercriminals complete access to personal details, passwords and confidential data, and can also result in email accounts being hijacked to send out millions of spam messages.

It can be difficult for organisations to know how best to secure their networks from the growing threat of web-based attacks, not least because they represent relatively new threats. But to avoid falling victim and risking the integrity of personal information relating to millions of patients, it is crucial that healthcare organisations apply the same structured, routine security measures to the web as they do at the email gateway and their desktops and servers.

The first step here is for trusts to ensure their own websites are fully protected, with no vulnerabilities, and that all software patches are up to date. They should also consider deploying web security solutions that filter based both on website categorisation, such as high risk gambling sites or social networking sites, but also by comprehensively inspecting the code of every webpage before granting access.

This latter approach is critical because fraudsters are not discriminating; they will infect pottery websites just as quickly as they will infect porn sites. By taking these simple precautions, healthcare organisations will be safe in the knowledge that they are doing everything in their power to snub web attacks.

Conclusion

Despite the range of risks posed to healthcare networks by criminals who are intent on making easy money, if the right precautions are taken, organisations need not worry about patient records being exposed and their networks falling victim to attack. In short, confidential data and reputations will be kept safe if networks are kept secure.

Graham Cluley, senior technology consultant at Sophos