Evening Standard
Mary-Ann Russon

NHS: Millions of medical devices in UK hospitals are completely unprotected against hackers

There are millions of medical devices in NHS Trust hospitals across England that are now entirely open to ransomware attacks by cybercriminal gangs.

These seemingly innocuous online devices, such as security cameras or blood monitors, are either incapable of running security software or rely on out-of-date versions. In many cases, they are totally unmonitored.

Hackers can shut down entire hospital systems when they leapfrog from these devices into the central parts of hospital networks and leave a trail of technology destruction in their wake.

There have already been critical incidents in North America and other parts of the world when security experts have been called in to deal with the aftermath of these scenarios, some of which were caused by human error.

This is a ticking time-bomb and the true scale of the risks is today laid bare by Armis Security, a US cybersecurity firm, which sent out freedom of information (FOI) requests to 150 NHS Trusts in England.

Armis Security asked for details on how the hospitals catalogue and monitor their medical devices — namely all internet-enabled devices like laptops, desktop computers, MRI machines, CT scanners, drug dispensing stations, pacemakers, connected inhalers, or heart-rate and blood-pressure monitors.

Only 71 NHS Trusts responded with data, but what they said was eye-opening: one in five hospitals admitted they use spreadsheets to manually track each medical device added to their networks, while almost one in six devices on hospital networks are not monitored for cybersecurity risks at all.

In other words, these seemingly innocuous devices can be used by hackers to shut down entire hospital networks, because attackers are able to hack into and leapfrog from these devices to the central parts of hospital networks, leaving trails of destruction in their wake.


While this study highlights the NHS, Armis told The Standard that it is calling for action from the international healthcare industry, because the problem is currently affecting hospitals all over the world.

Hackers typically want to steal data from organisations, or encrypt it and demand ransom money. With healthcare, there’s an added risk that patients’ lives can be impacted, both by the disruption caused by cyberattacks and network outages, but also by hacking attempts on medical devices, which might cause them to malfunction.

A spokeswoman for NHS England told The Standard: “NHS trusts are responsible for their own cybersecurity and must maintain a register of medical devices connected to their network, including information on their data security assurance process.

“The NHS will continue to review the requirements for cybersecurity relating to connected medical devices and take action to make improvements where appropriate.”

Why hospitals should monitor all internet-enabled devices

In January, global cybersecurity firm Trend Micro polled 145 healthcare organisations globally and found that more than half of them have been impacted by ransomware attacks in the past three years. Among these, one in four said they were so badly affected by the cyberattacks that they had to halt operations completely.

And US data protection and privacy research centre Ponemon Institute’s 2022 study found that more than half of the 517 healthcare providers surveyed saw their hospitals experience higher mortality rates following cyberattacks.

The last massive ransomware attack affecting the NHS that we know of was the WannaCry ransomware attack in 2017. However, this doesn’t mean that we are in the clear.

“The reason we're good at tracking laptops and desktops is the IT department buys them and, when we receive them, we install security tools,” Mohammad Waqas, principal solutions architect at Armis, told The Standard at Infosecurity Europe 2023.

“With medical devices, the IT team is not involved, it’s the medical departments buying and installing them. But even if I was aware this department bought 10 CT scanners or 10 ultrasound machines, I still can't install my traditional security [software] on the machines to track them.”

Many medical devices run an open-source Linux operating system, similar to Windows for your computer or Android OS for your smartphone. None of these devices are “computers” in the traditional sense, but running Linux means that CCTV cameras and wireless glucose monitors are just as exposed to hackers as regular computers are.

Armis estimates that there are about 25,000 devices running on any single hospital network anywhere in the world on a daily basis.

Human incompetence also plays a part

Mr Waqas also highlights a familiar problem that Microsoft and Apple are always warning consumers and smaller businesses about — if you use computers with old operating systems no longer being maintained by their makers, you are not safe from any hacker who tries out one of the many existing security vulnerabilities on your PCs.

Plus, medical staff are only human, and often unaware of the cybersecurity risks these devices pose to hospitals. Armis has been brought in to deal with the aftermath of hospital cyberattacks in North America and discovered some rather foolish behaviour that likely contributed to the hackers’ success.

“We’ve seen staff operating CT scanners running Windows 7 [a 10-year-old operating system] which is also end-of-life, and then checking their personal Gmail and clicking on a phishing link that installs malware on the computer,” he said.

“In another example, staff members were streaming Netflix on the computer running an MRI machine. It should not have unfettered internet access... if they can browse Netflix, they have access to other websites and other websites can easily download malware onto your devices.”

The problem, he says, is that cybersecurity policies work differently in healthcare organisations than in other industries.

“What’s exacerbating this problem is that healthcare networks are generally flat, in the sense that any device on the network can talk to any other device. So if a medical device or a laptop or IP camera gets compromised, they have the ability to take down the whole network.”

Ransomware attacks are only getting worse

Ponemon Institute’s 2022 study found 53% of 517 healthcare providers saw their hospitals experience higher mortality rates following cyberattacks (Alamy / PA)

Armis, which holds a medical database of more than three billion different devices, is warning the global healthcare industry to start taking ransomware more seriously, although it admits that this is difficult for hospitals to solve.

A third of the NHS Trusts said they lack sufficient staff to help them secure their networks.

It is also costly to fix. Even if IT departments insist on securing devices, Mr Waqas said medical departments and IT often end up pointing fingers at each other, because new software and machines cost millions of pounds.

In the UK, hospitals are required to follow the NHS Data Security and Protection Toolkit processes and respond to the NHS’s mandated cyber alerts within 48 hours. However, Armis’s research showed that one in five hospitals in England struggled to fix issues by the mandated two-week limit.

The problem is that, while ransomware attacks have been around for years, cybercriminals are only becoming smarter, according to Michael Smith, field chief technology officer at US cloud security firm Vercara.

During the WannaCry ransomware attacks in 2017, hackers locked up your data so you needed to pay to get it back, or threatened to leak it onto the internet, similar to the recent Clop cyberattacks. Now cybercriminals are going further and potentially causing more costly damage.

“Ransomware is changing, it’s an arms race,” Mr Smith told The Standard. “Now what they're doing is throwing a distributed denial of service (DDoS) attack on top of it. We will flood out your network and exhaust your staff.”

The solution, says Armis, is to start isolating devices, so your IP-enabled cameras shouldn’t be able to talk to anything else on the same network, for instance.

“You must know everything connected to your network,” said Mr Waqas. “The overall visibility of every connected asset on the network is a huge problem across the whole world, in healthcare as well as other industries.”
