Health apps could be a killer
Thursday, February 9, 2017
Nearly half of NHS trusts scan internal apps for security-related defects only once a year, and huge number of Trusts have been compromised by ransomware, according to FOI requests
A series of Freedom of Information requests has revealed serious issues with NHS IT security. One particularly damning set of research found that an enormous 45 per cent of NHS trusts scan internal apps for security-related defects only once a year, with less than 8 per cent doing so on a daily basis. NHS trusts are therefore potentially left running outdated software, which puts patient data at risk through an increased likelihood of a successful criminal attack.
In addition, the responses revealed that half of health trusts scan web perimeter apps only once a year, which leaves patient data at serious risk from legacy websites and third-party plugins. The findings were drawn from 27 responses to FoI requests sent to 36 NHS trusts on behalf of Veracode.
On a brighter note, 12 per cent of trusts do scan web application perimeters daily, demonstrating that at least in some quarters application security awareness is on the rise. Of course, simply relying on automated scanning tools is not enough to secure any enterprise, even less so for something as complex and significant as an NHS trust. Fully automated scanning tools often produce so many false positives that the data is widely ignored, or they have to be configured so loosely as to render the results useless. It is possible that NHS IT teams are aware of this problem and, due to increasingly tight NHS budgets, are choosing not to scan at all rather than whitewash the problem.
High-Tech Bridge’s award-winning web security testing platform ImmuniWeb combines proprietary machine learning technology with automated vulnerability scanning and detection, thus detecting at least twice as many vulnerabilities as any purely automated solution would, including the most sophisticated ones that usually require human intelligence.
Application security research published in late 2016 found that more than 90 per cent of in-house developed web applications designed to handle medical, financial or other sensitive data were vulnerable to high-risk improper access control or other application logic flaws, that is, flaws not related to the sanitization of user-supplied input (as in XSS or SQL injection, for example).
The Veracode research claimed that out of 300,000 assessments performed in the last 18 months, 67 per cent of healthcare applications failed OWASP policy compliance.
Coincidentally, another FOI-based report on the NHS has been released by a different company, this time into ransomware. Perhaps unsurprisingly, given the recent volumes of ransomware being pumped into the ether, 34 per cent of NHS trusts in the UK have suffered a ransomware attack in the last 18 months. In total, 87 out of 260 trusts admitted suffering ransomware attacks, and with 60 per cent of Scottish NHS trusts affected, Scotland was the most frequently targeted region.
Ilia Kolochenko, CEO of High-Tech Bridge, said: “Ransomware attacks are relatively new, however they are growing much faster than any other sector of cybercrime. The success is explained by their technical simplicity to conduct and attackers' certainty to get paid by most of the victims, who often have no other choice that would be economically reasonable.”
“Propagation of IoT and smart devices into our everyday lives will definitely increase the risks, frequency and the consequences of the ransomware attacks. I wouldn't be surprised if in the next few years cybercriminals will lock operational rooms in hospitals or unlock doors in state prisons.”
“Unfortunately, our law enforcement agencies don't have enough experience, technical skills and, most importantly, resources to fight cybercrime. If they don't get them today, in the next few years our society will lose confidence in a justice system that is unable to prosecute and prevent cybercrime.”
The NHS was one of the worst performing sectors in terms of data breaches, contributing 64 per cent of the total figure reported to the ICO in the period April 2015 to March 2016. Based on these findings, that performance seems unlikely to improve in 2017...