Cyber Security Blog


Cyber Security for NHS Suppliers: Tackling healthcare cyber-risk in the wake of the pandemic


The prevalence of cyber-attacks against the NHS supply chain has accelerated significantly in the past 12 months. When the healthcare sector was under immense pressure at the onset of the pandemic, cyber-criminals took the opportunity to attack an industry in crisis. Although healthcare organisations have always been a prime target for internet criminals, last year saw a marked rise in ransomware, phishing and IoT attacks.

The NHS supply chain is an extensive list of companies who supply many critical products and services to hospitals across the UK. This includes: lifesaving medical equipment, medicine/vaccines, software, hardware, applications, connectivity, consultancy, food, uniforms and much more. Although these companies are critical to the effective running of our healthcare system, they also pose significant cyber-risks to the NHS.


Hackers frequently target these companies as a way of finding a ‘back door’ into NHS systems. For instance, by exploiting vulnerabilities in a mobile healthcare application, an outdated version of firmware or an unprotected IoT medical device, they can then attempt to reach the wider network and patient data. The stark reality is that medical records are more valuable to cyber-criminals than financial data.

Unlike bank details which can easily be modified in the event of card fraud, medical records are unique to an individual and cannot be easily changed. As these risks are only growing in frequency, NHS Trusts need assurance that their suppliers are implementing adequate security measures to defend themselves against attacks.



Supply chain attacks during the pandemic

At the height of the pandemic last year, cyber-criminals turned their attention to the firms who were developing lifesaving vaccines. These malicious attacks were particularly prevalent after the first vaccine was announced in the autumn. Hackers from around the globe bombarded pharmaceutical companies like Pfizer and AstraZeneca in a desperate attempt to steal valuable research and treatment data. In one particular phishing scam which targeted AstraZeneca, fraudsters used a faux job listing which they shared on LinkedIn and WhatsApp. This aimed to lure employees into downloading malware or providing confidential information which could be used to craft a spear phishing attack. Sadly, cyber-criminals did not stop there. In December 2020, security researchers at IBM discovered large-scale phishing attempts targeting logistics firms who were in charge of distributing the vaccine.



Unfortunately, the healthcare supply chain is targeted from all angles. It faces daily disruption from email spoofing, business email compromise and endless phishing attacks. During the pandemic, bad actors have targeted a wide range of companies linked to healthcare, including the World Health Organisation (which has been plagued with email impersonation attempts), construction firms in charge of building emergency hospitals, NHS appointment conferencing software, companies who manufacture dry ice for vaccine storage, universities and research institutions, and pharmaceutical companies.

As an NHS supplier, it is important to take extra precautions in order to remain resilient against developing threats. Although all firms should follow the necessary steps to prevent cyber-breaches, businesses who operate within the healthcare space are particularly in the line of fire. As a healthcare supplier, having a bullet-proof security strategy not only improves the security of your critical systems, it also improves overall trust in your business. After all, a security breach which exposes NHS data could be hugely detrimental to your ongoing supplier relationship.

So what are the top 4 ways NHS suppliers can improve security?

Prevent Email Spoofing



Phishing Simulations

As the healthcare supply chain is heavily targeted with phishing scams, it is important to regularly test the cyber-awareness of your employees in a ‘real life’ scenario. The question is: would they really click on the malicious link? By running regular phishing simulation exercises, you can gain visibility into how savvy your employees are when it comes to malicious emails.

Our phishing simulation service allows you to send tailored faux-phishing campaigns to your workforce. This allows you to see who will click on links, download files or enter their credentials. Those staff who do fall for the scam are redirected to training videos and cyber-awareness questionnaires. You are then provided with a comprehensive report which details the findings of the assessment, and how you can mitigate the weaknesses discovered.
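The reporting step described above can be reproduced from a simulation platform's raw event export. The script below is an added example, not Equilibrium's own tooling; it assumes a simple CSV-style export with one event per line (timestamp, user, department, event) and uses constructed sample lines. It computes click, credential-submission and report rates per department and lists who should be enrolled in the follow-up training:

```python
"""Summarise a phishing-simulation campaign from its event log.

Added example (not Equilibrium's own tooling). It assumes an export with
one event per line in the form  timestamp,user,department,event  where
event is one of delivered, opened, clicked, submitted, reported.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample export from a hypothetical simulation platform.
SAMPLE_EVENTS = """\
2021-03-01T09:00:00Z,a.smith,procurement,delivered
2021-03-01T09:00:00Z,b.jones,procurement,delivered
2021-03-01T09:00:00Z,c.khan,devops,delivered
2021-03-01T09:00:00Z,d.lee,devops,delivered
2021-03-01T09:03:12Z,a.smith,procurement,opened
2021-03-01T09:04:40Z,a.smith,procurement,clicked
2021-03-01T09:05:10Z,a.smith,procurement,submitted
2021-03-01T09:10:02Z,b.jones,procurement,opened
2021-03-01T09:10:30Z,b.jones,procurement,reported
2021-03-01T09:15:00Z,c.khan,devops,clicked
2021-03-01T09:16:00Z,c.khan,devops,clicked
2021-03-01T09:20:00Z,d.lee,devops,reported
"""

# Events meaning the recipient fell for the lure and should be enrolled in training.
FAIL_EVENTS = {"clicked", "submitted"}


@dataclass
class Recipient:
    department: str
    events: set = field(default_factory=set)


def parse_events(text):
    """Build a per-user view of what each recipient did with the simulated email."""
    recipients = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        _ts, user, department, event = line.split(",")
        rec = recipients.setdefault(user, Recipient(department))
        rec.events.add(event)
    return recipients


def training_list(recipients):
    """Users who clicked or entered credentials, sorted for the report."""
    return sorted(u for u, r in recipients.items() if r.events & FAIL_EVENTS)


def department_metrics(recipients):
    """Per-department click, credential-submission and report rates (percent)."""
    totals = defaultdict(lambda: {"recipients": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rec in recipients.values():
        t = totals[rec.department]
        t["recipients"] += 1
        for ev in ("clicked", "submitted", "reported"):
            if ev in rec.events:
                t[ev] += 1
    metrics = {}
    for dept, t in totals.items():
        n = t["recipients"]
        metrics[dept] = {
            "recipients": n,
            "click_rate": round(100 * t["clicked"] / n, 1),
            "submit_rate": round(100 * t["submitted"] / n, 1),
            "report_rate": round(100 * t["reported"] / n, 1),
        }
    return metrics


def summarise(text=SAMPLE_EVENTS):
    """Whole-campaign summary: who needs training and how each department fared."""
    recipients = parse_events(text)
    return {"training": training_list(recipients),
            "by_department": department_metrics(recipients)}


if __name__ == "__main__":
    result = summarise()
    for dept, m in sorted(result["by_department"].items()):
        print(f"{dept:12} recipients={m['recipients']} click={m['click_rate']}% "
              f"submit={m['submit_rate']}% reported={m['report_rate']}%")
    print("Enrol in training:", ", ".join(result["training"]))
```

The report rate is tracked alongside the click rate on purpose: a department that reports the email quickly gives the security team an early warning even when someone else has clicked, so it is the metric to push upwards campaign over campaign.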


Penetration Testing and Vulnerability Scanning

How often do you test the cyber resilience of your security defences? Regular CREST Penetration Tests and Vulnerability Scans are an effective way of uncovering security weaknesses which could leave your business exposed to cyber-attacks. Standard 9 of the DSP Toolkit states: ‘Organisations must ensure their web applications are secure against top 10 vulnerabilities and undertake a penetration test annually’.

Vulnerability scans are used to identify known vulnerabilities in your applications, such as the OWASP Top 10 categories, whereas penetration tests involve exploiting security weaknesses to determine whether a hacker would be able to access your corporate network. Penetration tests and vulnerability scans are particularly important for suppliers who provide mobile/web applications and software to the NHS. To reduce the risk of vulnerabilities, this security testing should be incorporated into the app/software development stage as well as regular testing post-development. This will help to reduce the risk of an NHS breach caused by an application flaw. Although not all NHS suppliers need to comply with the DSP Toolkit, regular testing of your IT environment is a crucial component of any effective security strategy. Find out more about our CREST Penetration Testing Services here.
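One concrete way to build the testing into the development stage, as the paragraph above recommends, is a release gate that reads the vulnerability scanner's findings and the date of the last penetration test before a build is allowed out. The script below is an added example, not Equilibrium's tooling and not a DSP Toolkit artefact; it assumes a scanner export shaped like the constructed `FINDINGS` list (real scanners differ, so field names are an assumption) and encodes the "penetration test annually" requirement as a 365-day maximum age:

```python
"""Release gate over vulnerability-scan findings and pentest cadence.

Added example, not Equilibrium's tooling and not a DSP Toolkit artefact.
It assumes a scanner export shaped like FINDINGS below and a record of
the last penetration test date. The gate fails when an un-waived finding
at or above the severity threshold is present, or when the last
penetration test is older than a year.
"""
from datetime import date, timedelta

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
PENTEST_MAX_AGE = timedelta(days=365)  # "undertake a penetration test annually"

# Constructed scanner output for a hypothetical web application.
FINDINGS = [
    {"id": "F-1", "title": "SQL injection in /search", "severity": "high",
     "category": "A03:2021 Injection"},
    {"id": "F-2", "title": "Verbose server header", "severity": "low",
     "category": "A05:2021 Security Misconfiguration"},
    {"id": "F-3", "title": "Outdated jQuery", "severity": "medium",
     "category": "A06:2021 Vulnerable and Outdated Components"},
]

# Risk-accepted findings; every waiver carries an expiry so acceptance is revisited.
WAIVERS = {
    "F-3": {"expires": date(2021, 6, 30), "reason": "upgrade scheduled in next sprint"},
}


def active_waiver(finding_id, waivers, today):
    """True when the finding has a waiver that has not yet expired."""
    w = waivers.get(finding_id)
    return w is not None and w["expires"] >= today


def blocking_findings(findings, waivers, today, threshold="medium"):
    """Findings at or above the threshold with no unexpired waiver."""
    min_rank = SEVERITY_RANK[threshold]
    return [
        f for f in findings
        if SEVERITY_RANK[f["severity"]] >= min_rank
        and not active_waiver(f["id"], waivers, today)
    ]


def pentest_overdue(last_pentest, today):
    """Annual test missing or older than PENTEST_MAX_AGE."""
    return last_pentest is None or today - last_pentest > PENTEST_MAX_AGE


def evaluate_release(findings, waivers, last_pentest, today, threshold="medium"):
    """Return (allowed, reasons); reasons is empty when the release may proceed."""
    reasons = []
    for f in blocking_findings(findings, waivers, today, threshold):
        reasons.append(f"{f['id']} {f['severity']}: {f['title']} ({f['category']})")
    if pentest_overdue(last_pentest, today):
        reasons.append("annual penetration test overdue or missing")
    return (not reasons, reasons)


if __name__ == "__main__":
    today = date(2021, 5, 1)
    allowed, reasons = evaluate_release(FINDINGS, WAIVERS, date(2020, 3, 15), today)
    print("release allowed" if allowed else "release blocked")
    for r in reasons:
        print(" -", r)
```

Waivers expire rather than silently persisting, so a medium finding that was accepted for one sprint resurfaces as a blocker once the agreed date passes; the same run also fails the build when the annual test has lapsed, which ties the post-development testing cadence to the same pipeline that runs the scans.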

Are you looking for a healthcare Cyber Security company?

Here at Equilibrium, we are a Cyber Essentials Certification Body and CREST Certified Penetration Testers, and have worked alongside many NHS Trusts and healthcare organisations as a trusted security partner. If you would like to find out more about the Cyber Essentials Certification cost or the further healthcare Cyber Security services we offer, please call our office on 0121 663 0055, or register your details below.

Ready to achieve your security goals? We’re at your service.

Whether you are a CISO, an IT Director or a business owner, Equilibrium has the
expertise to help you shape and deliver your security strategy.
