Perhaps one of the most memorable data breaches from last year was WannaCry, which affected organizations across the globe, including the NHS. WannaCry disrupted critical services by hijacking high-value data and holding it for ransom, demanding a payment in Bitcoin before files could be accessed again.
Around 80 out of 236 hospital trusts were affected by the WannaCry attack, with some trusts taking the drastic action of going completely offline to reduce the risk of infection. In the recent report reviewing the attack, the NHS rightly stated that “no organization can be completely immune from a cyber attack and there is no room for complacency.” So, what lessons have been learned one year on?
Lesson one: Cyber attacks are inevitable
One of the key lessons from WannaCry is that organizations will need to face the challenge of future cyber attacks: no defence will ever be enough to prevent a breach, so steps need to be taken to limit the impact of any potential breach.
Cyber threats are constantly evolving and the attack surface has expanded considerably with connected mobile devices being used in all industries. If one device is compromised, the hacker is able to move laterally across the network, infecting potentially thousands of devices and bringing the network to a standstill. The WannaCry breach shows that no organization can afford to simply ‘turn off’ in order to prevent a compromise.
Lesson two: Look beyond complex infrastructure
The July 2016 EU legislation on cyber security requires healthcare providers to take “appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems which they use in their operations.” However, hospitals and other organizations alike have learned that the sheer number of user entities and the plethora of IT resources are not easy to manage; as a result, replacing antiquated and vulnerable software or hardware often gets a lower priority. It doesn’t have to be this way.
Lesson three: Understand the weakest link
Users still remain the weakest link in network security, whether that’s through a compromised password or a malicious email attachment. The majority of organizations currently assume that everything inside the network is trusted. However, this model is outdated and makes the network and all the data within it incredibly vulnerable to compromise.
What needs to change?
Hospitals need to look beyond the network infrastructure, decouple security from it and overlay network access control on top of the existing architecture. This will protect data in motion over any network and, using cryptographic segmentation, grant users restricted access to critical applications, devices, and information databases.
Hospitals, and other organizations, also need to introduce a software-defined approach to their security posture, one that enables centralized orchestration of security policy to enforce capabilities such as software-defined application access control, data-in-motion privacy and segmentation, and a software-defined perimeter. Most importantly, this uses cryptography to restrict hackers from moving freely between segments once a breach has occurred. Finally, they need to consider innovative approaches such as Layer 4 encryption, which renders the data itself useless, and therefore worthless to hackers, without impacting the operational visibility of the enterprise network and data flows.
With cyber threats evolving all the time, it is essential that organizations are prepared for when an attack happens: it is no longer a case of if a breach will occur, but when, and hospitals will need to focus on raising the barriers to prevent the lateral movement of threats from a device to the information infrastructure.