
Improving NHS resilience against ransomware attacks

By Mike Newman, CEO of My1Login

The NHS is under attack.

In the last few months, patients across the UK have suffered real physical harm after cyber attacks brought NHS services to a standstill.

Firstly, the UK witnessed NHS Dumfries and Galloway suffering a devastating cyber attack that put the data of over 100,000 citizens at risk, while more recently hospitals across London have been left unable to perform surgeries and short of blood supplies after a key supplier suffered a cyber attack at the hands of Russian adversaries.

These incidents show the damage an attack on the NHS can do, but they also serve as a lesson to other adversaries. It is now plain to everyone how much harm can be inflicted on the UK public with little more than a mouse and a keyboard, and that will undoubtedly spur further attacks.

Ransomware has been the weapon of choice in most of these incidents because criminals know that a successful assault places the health service in a perilous position, and that their chances of success are high.

With a workforce running into the millions, the NHS holds one of the largest digital estates in the world. Every employee holds multiple passwords for the NHS network and a multitude of healthcare applications, yet an attacker often needs only one valid set of credentials to execute a successful ransomware attack.

So, what steps should NHS organisations take to improve the security of their employees and increase their defences against ransomware?

The ransomware attack path

Ransomware is today's most prevalent cyber threat. It involves a threat actor gaining unauthorised access to an organisation's network, encrypting its files and data, and demanding a ransom payment for their return.

The most common route to initial access is phishing and social engineering. Criminals target the workforce and trick staff into handing over their passwords, either through convincing phishing emails or through spoofed login pages. Once valid logins have been obtained, the attackers use them to enter the network and then deploy the ransomware.

Given that NHS employees often hold multiple passwords for applications and networks, each one is a potential gateway into systems. Furthermore, clinicians and NHS workers are not security experts: their primary duty is to care for patients, and they want to do so as quickly and efficiently as possible. Security is therefore often seen as an obstacle to be circumvented, which leads to insecure shortcuts.

This might mean reusing the same password across NHS and personal accounts, or choosing easy-to-guess passwords, both of which make staff even more vulnerable to attack. In the case of password reuse, an attacker who phishes one valid set of credentials will test it against other applications and services, which can give them even deeper access to the network. Easy-to-guess passwords, meanwhile, can be recovered quickly with off-the-shelf brute-force and dictionary cracking tools.

So, what is the solution? Is there a way to improve security without impacting the efficiency of NHS workers and clinicians?

Bolstering NHS cyber defences

When it comes to remedying these issues, the most effective step for the NHS is to take passwords out of the hands of the workforce altogether, so they are never seen, managed or known by staff.

If the NHS were to introduce a solution that completely removed system passwords from clinicians' hands, staff could not be tricked into handing them over to cyber criminals via phishing emails or spoofed websites, which would close off the most common entry point for ransomware.

This can be achieved with modern Identity and Access Management solutions that combine Single Sign-On with Enterprise Password Management and manage passwords centrally for the NHS workforce, so employees never have to create their own. Instead, random, high-entropy passwords are generated and rotated on external applications by the solution and hidden from users, so they are never seen or known by staff. NHS workers simply log in to their work computer once and from then on do not have to remember, manage or type any passwords to reach the many applications and systems they need to do their jobs.
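The two mechanisms the article relies on, an attacker's dictionary attack against a weak or reused password and a password manager's generation of random high-entropy credentials, can be shown together in a few dozen lines. The following is an added example written for this page; it is not code from My1Login or any NHS system, and the account names, passwords, wordlist and guess rate in it are all constructed for illustration.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, List, Optional

# Character set for generated passwords: the 94 printable ASCII characters
# (an assumption for this example; a real product may use a different set).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn from the OS CSPRNG.

    secrets.choice is used rather than random.choice: the random module is a
    Mersenne Twister whose output is predictable once a few values are seen.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the cheapest hash an attacker could hope to find."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_with_wordlist(target_hash: str, wordlist: List[str]) -> Optional[str]:
    """Offline dictionary attack: hash each candidate and compare to the target.

    This is the attacker's view of an 'easy-to-guess' password. A real attacker
    runs millions of leaked passwords plus mangling rules, not five words.
    """
    for candidate in wordlist:
        if sha256_hex(candidate) == target_hash:
            return candidate
    return None


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group accounts that share an identical password.

    Works on hashes so the checker never has to hold plaintexts side by side;
    only groups of size > 1 are returned, as those are the stuffing exposure.
    """
    by_hash: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_hash.setdefault(sha256_hex(password), []).append(account)
    return {h: accounts for h, accounts in by_hash.items() if len(accounts) > 1}


# Constructed sample data (not real NHS accounts, passwords or a real wordlist).
SAMPLE_VAULT = {
    "nhs-mail": "Summer2024!",
    "e-referrals": "Summer2024!",
    "personal-webmail": "Summer2024!",
    "pacs-viewer": "Tr0ub4dor&3",
}
SAMPLE_WORDLIST = ["password", "Password1", "Summer2024!", "Winter2023!", "nhs123"]


if __name__ == "__main__":
    weak = "Summer2024!"
    print("dictionary hit:", crack_with_wordlist(sha256_hex(weak), SAMPLE_WORDLIST))
    print("reused across accounts:", find_reused_passwords(SAMPLE_VAULT))

    strong = generate_password(24)
    bits = entropy_bits(24, len(ALPHABET))
    print(f"generated: {strong}  entropy: {bits:.1f} bits")
    # 1e10 guesses/s is an assumed GPU-rig rate for unsalted SHA-256, for illustration only.
    years = expected_crack_seconds(bits, 1e10) / (365 * 24 * 3600)
    print(f"expected brute-force time at 1e10 guesses/s: {years:.3g} years")
```

The weak password falls to the third dictionary entry and is found on three accounts, which is exactly the reuse an attacker exploits once one NHS login is phished. The generated 24-character password carries roughly 157 bits of entropy, so even at the assumed ten billion guesses per second the expected brute-force time is astronomically long; the point of a central password manager is that the user never has to remember or type it, so that length costs nothing in usability.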

Overall, this delivers significant time savings, removes a major source of workforce frustration and acts as a key defence against the ransomware attacks that are plaguing NHS organisations and putting UK citizens at serious risk today.
