5 lessons Medtech companies can learn from the HSE phishing crisis

In May, Ireland’s public health service, the HSE, was plunged into disarray. Servers were shut down, referrals ground to a halt, and an entire maternity hospital was put out of operation. Even now, patients are unable to find out whether their own personal data was compromised.

All of this happened because one member of staff clicked on a phishing email. Except, of course, they’re hardly to blame. The HSE crisis was the result of a number of connecting issues - issues which may affect all medtech companies to one degree or another.

Now the HSE is, of course, a huge public body that’s notoriously underfunded. So the implications for private medtech startups won’t exactly run in parallel. Nevertheless, all medtech companies are handling similarly sensitive information, and the consequences of a cyber attack could be equally severe.

1) It’s a question of when, not if

With the HSE crisis, the situation was made worse by slow response times. Amid the confusion, the various public bodies involved soon found they had no way of containing the intrusion or limiting what information the hackers had already accessed.

In some ways, incident response protocols should be bread and butter security, even though they aren’t required under GDPR. If your Standard Operating Procedures for responding to a breach aren’t already in place, we strongly recommend nailing them down, including your disaster recovery plans.

With the right failsafes around hosting, too, you can ensure your systems are not shut down completely in the event of an attack.

2) The latest patches are needed but there may still be gaps

Much of the criticism thrown at the HSE surrounded their use of Windows 7. It was running on many of their workstations, largely because a number of applications were dependent on that operating system.

Legacy systems are typically more of an issue in the public than the private sector. But it’s still good practice to prepare to update systems sooner rather than later. One of our customer’s products will be unsupported by Google when they stop supporting former versions of Android, so our customer is already preparing the product to ensure it will remain compliant and secure in years to come.

While we don’t find many legacy systems in our penetration tests, we do uncover a number of issues related to patches and updates. Either software hasn’t received the latest patch, or an update breaks the interdependencies between components. To ensure infrastructure that was secure yesterday is still secure today, medtech companies need to monitor these updates and test for vulnerabilities regularly.

3) Humans need to be as secure as software

It’s not just applications that need updating, it’s the people using them too. Security software can serve as an early warning system against phishing, but it will never be completely foolproof against a sophisticated attack.

Of course, with over 100,000 staff, the HSE had far more phishing targets than the average medtech company. But that doesn’t mean the threat is any less real for you. To keep the virtual gates locked against unwelcome visitors, cyber security training should be part of any medtech company’s growth strategy.

Testing in your organisation could include identifying which employees are at risk from phishing attacks and assessing what level of training is needed, based on how those employees actually behave.

4) A small breach can become a big one

The HSE crisis was almost certainly the result of a spear phishing attack rather than the generic emails that are easily sifted out by a spam filter.

In a targeted spear campaign, an attacker might use real information about your employees to masquerade as one of them. If the hacker has gathered enough information through a correspondence leak, they may even be able to refer to a recent conversation about an ongoing issue in your organisation. Their forged communication can be very convincing.

The risk is amplified in a remote working situation. And while more secure communication tools like Teams and Slack help here, they only go so far to bridge this gap. When you cannot quickly glance over at a colleague - who has apparently sent a Slack message that looks slightly off - you might not check in with them before you click the link they’ve sent.

5) Hybrid working will appeal to hackers

Finally, because HSE’s data was so decentralised, a number of weak points existed in their systems. For medtech companies continuing to work remotely, or pivoting to hybrid, this will be an important issue to bear in mind.

When you have more than one area where you’re storing information - and they link together in some way - there will be vulnerabilities that wouldn’t exist if the information was centralised.

On the other hand, while a single centralised system might seem like a bigger target, it’s far easier to protect. So long as you have enough safeguards covering a single vulnerable point, you mitigate the risk.

When Datavax began working remotely, we understood what we were up against. We quickly implemented company-wide antivirus software and paid for a company to install patch management software on all our workstations. This notifies our employees if any application or system goes out of date. It also enables us to keep track of our infrastructure as if it were all under one roof.

Ultimately, the more links in the chain you have, the more security you need. Your systems are likely much more secure than the HSE’s were in May, but you still want to pass with flying colours every time an audit is done.

----

To check that your security is rock solid, you may want an independent penetration test. To learn more, don’t hesitate to get in touch.