With ransomware attacks in the healthcare sector on the rise, Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, shares his thoughts on how healthcare organisations can avoid becoming a victim of cyber criminals.


The healthcare sector has been the hardest hit since the start of the pandemic. Against unprecedented demand for its services, it also faced workforce absences due to sickness underlined by supply shortages which all placed immense pressure on the UK’s NHS trusts. Against this, ransomware operators remained ruthless with cybersecurity breaches hitting record numbers while a report, published in November [2021] by National Cyber Security Centre (NCSC), showed that ransomware attacks were high on the healthcare agenda. This was echoed by Elizabeth Giugno, head of category for cybersecurity at Crown Commercial Service (CCS), who said that the NHS had seen a “significant increase in cyberattacks since the beginning of the pandemic” in her article written for Digital Heath.

Leaders in healthcare are today met with new responsibilities. Ensuring smooth daily operations, quality patient care, and employee safety, now go hand-in-hand with safeguarding computing systems from the severe impacts of cyberattacks. A sentiment shared by Ms Giugno in her article in which she also cited the procurement process as a key focus for cyber resilience. A lack of readiness in adopting new digital solutions as a response to work-from-home guidance being released, and the desperate need for daily operations to continue, have all contributed to the increased vulnerability of healthcare workers, patients and organisations.

Healthcare in the attackers’ crosshairs

One prominent cyberattack recently was the attack carried out by the Russian-based Conti ransomware group on Ireland’s Health Service Executive (HSE). The group crippled operations resulting in a near shutdown of the HSE’S national and local networks. The number of doctors’ appointments dropped in some areas by 80 per cent, and the cyber criminals demanded $20m (£14m) worth of digital currency to restore services. For the past five years, healthcare as a sector has become increasingly vulnerable to the threat posed by cybercriminals. The WannaCry” ransomware attack which affected 60 NHS trusts and spread to more than 200,000 computer systems in 150 countries, was the catalyst of this ongoing trend. In 2021, the ransomware attacks against Hillel Yaffe Medical Center, in Hadera left the organisation unable to immediately restore some of its IT systems, putting operations to a halt. Such breaches affect operations, employees and patients. These examples point toward a very real invisible crisis within the healthcare sector.

Hospitals are taking a great risk by overlooking their cybersecurity and threat response strategies. While financially, ransomware attacks can push organisations to closure, the impacts of these breaches on patients are incomparable. Once sensitive data is lost to public domains, it cannot be retrieved and it will stay in the public domain for the patient’s entire life. Improvements in IT and operational technology (OT) systems are long overdue, through action, health organisations can avoid becoming the victim.

Efficiency in threat response: a much-needed shift from “pen and paper”

Healthcare organisations can prevent breaches by ensuring IT departments have the capacity and resources to monitor and forge timely threat responses. The Hillel Yaffe Medical Centre cybersecurity attack shows how a lack of funding in tech capabilities and talent, heavily impacts business continuity after a breach. The small threat response team that handled the attack had to rely on “pen and paper” to log their data recovery actions, driving down efficiency. This is not a long-term solution, as once main networks are compromised, critical daily operations come to a halt. Investment in reliable cloud systems, with no direct access to the IT structure, ensures business continuity in the event of a cyberattack.

The focus should also be on attaining the required capacity to have these systems properly monitored. Currently, IT departments in hospitals are small, with a CTO and two or three employees monitoring operational technology (OT) which powers critical infrastructure. These small teams simply do not have the capacity to closely monitor the organisation’s systems. ‘Coupled with this, attackers are aware that hospitals have historically postponed investment in their IT and OT systems and their IT teams. Healthcare leaders should consider these aspects, and also take into account the steep “price tag” of a cybersecurity breach.

Outdated medical devices: an open door for cybercriminals

Medical devices, when first introduced to the market, were entirely disconnected from the network. Today, in an effort to improve patient care, these portable devices are now wifi enabled and encouraged to communicate with one another, sharing data in real-time. However, while this connectivity has been overhauled, most are built on legacy technology not designed with security top of mind. This IT/OT convergence presents challenges for the teams tasked with securing them while creating opportunities for threat actors to exploit. Ransomware operators are taking advantage of this to infiltrate and encrypt systems, extorting Trusts, and impacting the safety of patients and critical services.

One of the most prominent incidents involving outdated devices was PwnedPiper. PwnedPiper consisted of nine vulnerabilities discovered within Translogic pneumatic tube systems (PTS). The attack affected Swisslog Healthcare’s Translogic PTS, used by 80 per cent of major hospitals in North America, to transfer materials and documents via a series of pneumatic tubes. Cyber criminals could potentially exploit this breach, rerouting or completely shutting down the automated delivery of medication. This highlights the risks outdated devices pose when it comes to patient safety.

For each bed or room in a hospital, there are at least five devices and IP addresses active. These IP addresses are not connected to the IT network, meaning that they are not monitored or managed by CTOs. IP addresses provide access to sensitive patient data, so they should not be secluded. Usually, for managing these devices, vendors propose a closed IP system, with a dedicated VLAN which allows connectivity between different equipment such as ECG machines, screens and tablets. These VLAN networks become an opportunity for bad actors to infiltrate the whole network, and access a series of vulnerable devices, spreading the attack. These systems are put into place in such a way purely because the main vendors that have supplied hospitals for the past twenty years, are medical providers themselves. Their focus is on getting devices clinically approved. This poses a real threat in the current landscape: healthcare organisations should select providers that prioritise getting these clinical devices approved by security regulators, following initial medical checks.

Active Directory: the “low-hanging” fruit

Active Directory (AD) is a set of processes and services that governs all the applications nurses, doctors and administration staff use daily. Simply, it controls who can access what from where – akin to controlling who can go where and do what in the hospital. The importance of protecting (AD) cannot be underestimated, as 99 per cent of ransomware operators infiltrate networks and target AD to get access to sensitive information and systems. Security practitioners are coming to realise that AD misconfigurations are the “low hanging fruit” for threat actors, given they are often overly permissive and openly accessible. Ensuring AD is protected and monitored is crucial.

In response to work from home mandates, hospitals and surgeries have also made a move toward hybrid work environments. This adds another layer to the challenge as security teams need to provision and configure secure remote access and cloud environments. When it comes to managing sensitive patient data, working within the hospital or surgery is likely to be more secure given that security protocols will be more stringent within these environments. However, when accessing data from more familiar surroundings, such as a home environment, security practices might not be as tightly managed or locked down.

The vulnerability of the healthcare sector has increased due to long-lasting changes brought by the pandemic. Hybrid and remote models of work, introduced to protect patient and employee welfare, have been implemented rapidly by necessity. With ongoing oversight in expanding IT departments and upgrading systems, as well as device capabilities, the sector entered the Covid-19 era gravely unprepared on the cybersecurity front. To ensure the protection of sensitive patient data and critical infrastructure, hospitals and surgeries need to re-evaluate their threat response strategies in recognition of a world that has become increasingly digitised. Safety online and offline is paramount.


Bernard Montel, EMEA Technical Director and Security Strategist

With over 20 years in the security industry, Bernard Montel is Technical Director at Tenable. His expertise includes cryptography, Identity & Access Management, and SOC domains. Bernard has published numerous articles and is regularly invited to speak about cybersecurity providing insight into current cybersecurity threats, cyber risk management, and cyber exposure.

Before joining Tenable, Bernard held the position of EMEA Field CTO for RSA, where he played a leading role within its Threat Detection & Response department. He has significant experience advising both large and medium-size organizations on cybersecurity best practices.

Bernard holds a Master of Science in Network and Security and a Master 2 degree in Artificial Intelligence.

Cyber Security Review online – April 2022