It was revealed that NHS patients’ genetic data was targeted as foreign hackers attempted to attack Genomics England. It was even speculated that the sensitive patient data had to be transferred to a high security MOD unit as a result. Genomics England has since refuted the allegations that it has had to move data due to attacks, but regardless, this highlights the incredibly worrying and rising trend of hackers trying to steal our identities, writes David Higgins, of IT access security product company CyberArk.
Stealing financial information or passwords is one thing but stealing details of genetic makeup sheds light on a bleak new reality in the world of cybercrime.
Perhaps a world where critical patient data, such as DNA records are in fact stored in high-security, government-owned facilities, isn’t so far-fetched an idea.
The threat landscape is evolving at a rapid pace. As hackers look to obtain sensitive medical records, we should change our attitude to health data and treat it as critical national infrastructure (CNI). There is too much at stake if this critical data falls into the wrong hands, at both an individual and governmental perspective.
Human identities: the new prize for hackers
We expect to see attempted hacks like this only escalate in the year ahead, across a range of sectors and industries. Biometric fingerprint, voice and face ID authentication controls have proven effective in consumer devices, and organisations will look to new authentication methods – like embedded human microchips, for example.
Hackers will target these identities to garner notable amounts of biometric data for future modelling purposes and nefarious use. Genetic consumer-services, biometric stores, such as Genomics England and within organisations and more will become key targets, further escalating privacy concerns.
Our own Global Advanced Threat Landscape report, released earlier this year, revealed that 52% of healthcare IT decision-makers believe that they cannot prevent hackers from infiltrating their networks, and a further 59% believe that customers’ PII could be at risk. What picture does this paint?
There is a real lack of confidence that a cyber breach can be prevented. A member of staff may unknowingly be exposing their organisation to risk every day. It has to come down to education allied to advanced security. Healthcare professionals need to be equipped with the tools and knowledge to play their part in stopping threats that have got past the perimeter. Moreover, healthcare organisations must implement strong privileged access security procedures to make sure the right people have access to the right software and data at the right time. This limits the possibility of a hacker already in the network wreaking havoc.
Safeguarding data as CNI
We can take this topic beyond hospitals and individuals. As the threat landscape for cyber crime grows, global governments must reassess how critical data, such as patient data is stored and protected . When we think of CNI, we often think of physical things – power plants, dams, electricity networks. But in the Fourth Industrial Revolution, data has to be categorised as CNI. Data is the new commodity that is sparking the era of cyber espionage, and indeed 21st century warfare.
Next year, we predict a new round of nation-state attacks designed to steal intellectual property and other trade secrets to gain competitive market advantages. Nation-state attackers will combine existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data.
While these attacks will predominantly be carried out by malicious external attackers, we’ll also see an increase of insider attacks, especially in cutting-edge industries like autonomous cars (much like occurred at Apple in June 2018). We’ll see attacker dwell times extend as nation-states spend more time conducting reconnaissance and carrying out these trade-driven attacks. We’ll also see the emergence of nation-state weapons commercialised on the black market. This same phenomenon happened after Stuxnet, Petya and NotPetya – where cyber criminals take pieces of code from massive nation-state attacks and incorporate them into their attacks.
Looking ahead to 2019
We are living in a critical time in cyber security. Hackers, whether operating individually or as part of a nation-state attack, are increasingly going to look for ways to target the data which means the most to us. Whilst a mass data breach wouldn’t cause the same damage or mass panic to a country in the same way that a poisoned water supply or power outage would, let’s be clear that data can increasingly be used as the ‘route in’ for hackers to exploit critical systems. Genetic data theft could be the stepping stone for hackers to target government organisations and CNI, by specifically targeting employees at these organisations. The key for governments and organisations is to equip employees to better understand how to protect data, as the first line of defence in modern cyber warfare.
