As the WannaCry ransomware hack swept across NHS IT systems on Friday, 12 May; doctors found themselves unable to access medical records.
Patient data, test results, consultations and medication; access to all of it had been compromised.
NHS staff at the 61 affected hospitals were forced to persevere through the crisis while their IT infrastructure was held to ransom.
As stationary cupboards were emptied of pens, paper and post-it notes, many doctors and nurses turned instinctively to the one computer they could trust, the smartphone in their pocket.
This incident sets a new precedent for cyber security in the NHS.
Mobile devices, despite how useful they were during the WannaCry ransomware attack, are by no means free from the security risks plaguing legacy IT systems
The skeleton service that was available to patients during the aftermath of the attack was held together by devices not part of the existing IT infrastructure.
While the X-ray imaging, pathology tests, phone, and patient administration systems were down; the smartphone rose to the occasion.
Enterprise mobile devices are an emergent technology for hospitals everywhere and hospital treatment is being conducted to an even-greater extent on mobile devices.
Almost every hospital now has a mobile strategy and many are already equipping nurses with portable enterprise devices to access patient data.
If we look ahead 10 to 15 years, it may be that everyone will have access to data records online and on their mobile.
Security risks
The characteristics of mobile devices expose them to a significantly-higher number of security threats compared to desktop computers
Mobile devices, despite how useful they were during the WannaCry ransomware attack, are by no means free from the security risks plaguing legacy IT systems.
As mobile devices become ubiquitous in healthcare, several potential cybersecurity issues apply to the use of mobile devices in healthcare:
- Device loss: leaving a tablet or smartphone in a taxi or a restaurant
- Applications security: data being made available to developers of free mobile apps
- Device data leakage: the risk of cyber criminals accessing a corporate application running on personal devices
- Malware: Trojans, monitoring tools, or malicious applications
- Device theft: data exposure after a premium device has been stolen
According to research by ESET, ransomware attacks on Android devices have grown year on year by 50%.
The characteristics of mobile devices expose them to a significantly-higher number of security threats compared to desktop computers.
Security is not something to be sacrificed, and it’s a small price to pay that will, in the future, prevent UK health service from falling into the hands cyber criminals
And, because they are smaller and portable, they are at risk of theft.
The smartphone’s popularity offers a better chance of a pay-out to hackers who are keenly aware that most users do not know how susceptible their smartphones are to an attack.
Malware itself continues to evolve, making it crucial for health practitioners to understand the threat it could pose to their devices, even those not designed for consumer use.
Overall, the biggest risk is an outdated operating systems (OS) that leaves the door open to a WannaCry style attack or another yet-more-nefarious exploit.
With this in mind, hospitals should act now to protect patient data on these devices by investing in extended security now.
From a hacker’s perspective, an unpatched OS or application offers increasing pathways for exploitation.
With OS update support coming to an end for the dominant Windows CE and Windows Embedded Handheld OS; hospitals must face dealing with maintaining the security on their legacy OS by themselves or transitioning to a new OS that is fully supported by industry.
Extended security support on Android, along with periodic, predictable security updates significantly decreases attack risk and underlines the need for an expedited transition to a newer OS.
Even consumer OS security updates expire after 36 months, which is years short of the five-plus years of service life that a hospital needs.
From a hacker’s perspective, an unpatched OS or application offers increasing pathways for exploitation
These numerous considerations should be protected from budget pressures and a freeze on investment.
Security is not something to be sacrificed, and it’s a small price to pay that will, in the future, prevent UK health service from falling into the hands cyber criminals.