The Qilin ransom gang attack on NHS London
Table of Contents
Abstract
Current State/Risk Analysis
Security Requirements
Recommended Controls
Accountability
Maintenance Plan
Legal Considerations
Ethical Concerns
Policy Examples
Conclusion
References
Abstract
This white paper explores ransomware security planning and risk management through the case of the Qilin ransom gang attack on NHS London. The incident compromised the sensitive personal data of nearly one million patients, exposing medical records involving conditions such as cancer and sexually transmitted infections (Blanton, 2024). The paper analyzes the weaknesses that facilitated the attack, outlines security requirements to address such threats, and recommends specific controls tailored to the healthcare sector. It also discusses the responsibilities of internal teams, timelines for implementation, maintenance strategies, legal considerations, and ethical concerns such as patient privacy and the use of AI in cybersecurity. By examining this high-impact case, the paper provides actionable guidance for improving organizational resilience against ransomware and preserving the confidentiality, integrity, and availability of critical healthcare data.
Current State/Risk Analysis
The National Health Service (NHS) London is a public healthcare organization serving one of the largest metropolitan areas in the United Kingdom. Its mission is to deliver high-quality, equitable healthcare services to millions of residents. NHS London encompasses a network of hospitals, clinics, research facilities and contracted service providers, employing thousands of healthcare professionals and support staff (Martin, 2024). As a public entity, it must meet strict legal and ethical standards for safeguarding patient data, in particular under the UK General Data Protection Regulation (GDPR).
Threat of Ransomware
Ransomware attacks have become increasingly pervasive across industries, and healthcare is among the most heavily targeted sectors because medical data is valuable and patient care cannot be paused while systems are rebuilt. Sophos's State of Ransomware in Healthcare surveys have reported that roughly two-thirds (66%) of healthcare organizations worldwide were hit by ransomware in the preceding year, a significant rise over earlier surveys, and the average cost of a healthcare data breach, once downtime and loss of sensitive data are counted, has been put at around $10.1 million. Over 60% of hospitals in the UK reported ransomware-related incidents in the past five years, underscoring the sector's exposure (Fleck & Smetters, 2021).
Vulnerabilities
Healthcare organizations like NHS London face unique challenges that make them susceptible to ransomware:
• Outdated Infrastructure: Legacy systems in hospitals often lack robust cybersecurity controls, leaving critical systems vulnerable to exploitation.
• High Data Value: Patient records contain highly sensitive information, making them lucrative targets for cybercriminals.
• Operational Constraints: The need for uninterrupted patient care limits downtime for patching or system upgrades, increasing exposure to vulnerabilities.
• Wide Attack Surface: Interconnected healthcare networks, third-party suppliers such as pathology and other diagnostic service providers (the 2024 London incident entered through Synnovis, a pathology provider to NHS hospitals), and Internet of Medical Things (IoMT) devices create numerous entry points for attackers.
Specific Ransomware Attack
In June 2024 the Qilin ransomware group attacked Synnovis, a pathology services provider to Guy's and St Thomas' and King's College Hospital NHS Foundation Trusts in London, disrupting blood testing, transfusion and diagnostic services across south-east London hospitals. When no ransom was paid, the group published the stolen data; analysis of the leak found records relating to nearly one million patients, including cancer diagnoses and sexually transmitted infection results (Martin, 2024; Blanton, 2024). The attack exploited weaknesses in outdated backup systems and an insufficiently segmented network, which allowed lateral movement within the infrastructure. The result was significant reputational damage, erosion of patient trust, and regulatory scrutiny under the UK GDPR.
Through this case study, we examine the impact of ransomware on healthcare organizations and propose strategies for effectively mitigating such risks.
Security Requirements
Pre-Attack Security
Before the attack, NHS London had basic security measures, but they were insufficient against sophisticated threats:
• Basic Firewalls and Antivirus: Provided limited protection, lacking advanced threat detection.
• Backup Systems: Periodic backups existed but were poorly encrypted and not segregated from the production network, leaving them exposed to the same compromise as the primary systems.
• RBAC: Restricted access to patient data, but weak authentication left accounts prone to credential theft (Smith & Wills, 2023).
Security Goals
NHS London should implement the following goals aligned with the CIA triad:
• Enhance Confidentiality: Protect sensitive patient data through MFA, end-to-end encryption, and secure access protocols.
• Strengthen Integrity: Use digital signatures or keyed hashes (HMACs) together with automated integrity checks to ensure that data and backups remain unaltered.
• Improve Availability: Implement redundant infrastructure, immutable backups, and a disaster recovery plan to ensure system uptime.
These goals will strengthen NHS London's cybersecurity and mitigate future ransomware risks.
Recommended Controls
To achieve the security goals for NHS London, the following controls are recommended:
• Enhance Confidentiality
  - Data Encryption: Encrypt sensitive data at rest with AES-256 and protect data in transit with TLS 1.3; keep encryption keys in a key management service or HSM separate from the data they protect.
  - Access Control: Enforce RBAC and MFA for access to patient records and administrative portals, using phishing-resistant MFA for privileged and remote access.
  - DLP Solutions: Deploy data loss prevention to monitor and block unauthorized data transfers, including the bulk exfiltration that precedes a ransomware leak.
• Strengthen Integrity
  - IDPS: Deploy network and host-based IDPS and feed their alerts into the SIEM.
  - Integrity Verification: Hash records and backups with SHA-3 (or SHA-256) and protect the digests with an HMAC or digital signature whose key is held outside the systems being checked; an unkeyed hash stored beside the data can simply be recomputed by whoever modifies the data. Verify on a schedule and before every restore.
  - Vulnerability Assessments: Conduct weekly vulnerability scans and quarterly penetration tests.
• Improve Availability
  - Immutable Backups: Keep backups on WORM or object-lock storage, encrypt them, distribute copies geographically, and keep at least one copy offline or in an account that production-domain credentials cannot administer, since ransomware operators delete reachable backups before encrypting.
  - Disaster Recovery: Develop and test DRPs against predefined RTOs and RPOs, including timed restores from the immutable copy.
  - High-Availability Systems: Implement redundant servers and failover mechanisms, and place public-facing services behind a CDN or DDoS-mitigation provider.
By implementing these controls, NHS London can address the vulnerabilities that contributed to the Qilin ransom gang attack and fortify its security posture to prevent future incidents.
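The integrity and backup controls above rest on one point that is easy to get wrong: a SHA-3 digest stored next to a backup proves nothing against an attacker who can write to the backup share, because they recompute the digest after tampering. The example below, added here and not code from NHS London, Synnovis or any cited source, builds a backup manifest of SHA3-256 digests, protects it with an HMAC under a key that is assumed to live outside the backup domain, and shows a simulated tampering step passing the unkeyed check while failing the keyed one. It also carries the backup timestamp inside the signed manifest so a simple RPO check cannot be fooled by backdating. The sample files, the placeholder key and the timestamps are constructed for the demonstration.

```python
"""Keyed backup manifest: detects tampering that an unkeyed hash cannot.

Added example. The backup set is a dict of path -> bytes (constructed);
the manifest key is assumed to be held outside the backup domain
(offline vault or HSM), so an attacker who owns the backup share
cannot recompute the tag.
"""
import hashlib
import hmac
import json
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample backup set (path -> contents).
SAMPLE_BACKUP: Dict[str, bytes] = {
    "patients/2024-06-01.csv": b"nhs_number,condition\n1234567890,oncology\n",
    "labs/results.json": b'{"sample": "A1", "result": "negative"}',
}

# Placeholder key for the demo only (assumption). A key stored beside the
# manifest would give the attacker everything they need to forge a tag.
MANIFEST_KEY = bytes.fromhex("8f2a" * 16)  # 32 bytes


def sha3_digests(files: Dict[str, bytes]) -> Dict[str, str]:
    """Unkeyed SHA3-256 digest per file: what 'use SHA-3 for integrity' alone gives."""
    return {path: hashlib.sha3_256(data).hexdigest() for path, data in sorted(files.items())}


def _canonical(digests: Dict[str, str], created_at: str) -> bytes:
    """Deterministic encoding of everything the tag covers (digests + backup time)."""
    return json.dumps({"created_at": created_at, "digests": digests},
                      sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files: Dict[str, bytes], key: bytes, created_at: str) -> Dict[str, object]:
    """Manifest = per-file digests + backup timestamp + HMAC-SHA3-256 tag over both."""
    digests = sha3_digests(files)
    tag = hmac.new(key, _canonical(digests, created_at), hashlib.sha3_256).hexdigest()
    return {"created_at": created_at, "digests": digests, "tag": tag}


def verify_unkeyed(files: Dict[str, bytes], manifest: Dict[str, object]) -> bool:
    """Weak check: recompute digests and compare with the list stored in the manifest."""
    return sha3_digests(files) == manifest["digests"]


def verify_keyed(files: Dict[str, bytes], manifest: Dict[str, object], key: bytes) -> bool:
    """Strong check: the stored tag must equal an HMAC over digests recomputed from the files."""
    digests = sha3_digests(files)
    expected = hmac.new(key, _canonical(digests, manifest["created_at"]), hashlib.sha3_256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def attacker_tamper(files: Dict[str, bytes], manifest: Dict[str, object]) -> Tuple[Dict[str, bytes], Dict[str, object]]:
    """Simulated ransomware with write access to the backup share: overwrite a file,
    then rewrite the digest list so the unkeyed check still passes. The tag is
    copied unchanged because it cannot be recomputed without the key."""
    tampered = dict(files)
    tampered["patients/2024-06-01.csv"] = b"<encrypted by attacker>\n"
    forged = dict(manifest)
    forged["digests"] = sha3_digests(tampered)
    return tampered, forged


def rpo_met(manifest: Dict[str, object], now_iso: str, rpo_hours: float) -> bool:
    """Recovery point objective check against the (tag-protected) backup timestamp."""
    created = datetime.fromisoformat(manifest["created_at"])
    now = datetime.fromisoformat(now_iso)
    return (now - created).total_seconds() <= rpo_hours * 3600


def demo() -> Dict[str, bool]:
    """Run the clean and tampered cases through both checks plus a 24h RPO check."""
    manifest = build_manifest(SAMPLE_BACKUP, MANIFEST_KEY, "2024-06-02T01:00:00+00:00")
    tampered, forged = attacker_tamper(SAMPLE_BACKUP, manifest)
    return {
        "clean_unkeyed": verify_unkeyed(SAMPLE_BACKUP, manifest),
        "clean_keyed": verify_keyed(SAMPLE_BACKUP, manifest, MANIFEST_KEY),
        "tampered_unkeyed": verify_unkeyed(tampered, forged),              # passes: digests were rewritten
        "tampered_keyed": verify_keyed(tampered, forged, MANIFEST_KEY),    # fails: tag no longer matches
        "rpo_24h_met": rpo_met(manifest, "2024-06-02T20:00:00+00:00", 24),
        "rpo_24h_met_next_day": rpo_met(manifest, "2024-06-03T02:00:00+00:00", 24),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The same pattern applies to a restore drill: verify the keyed manifest of the immutable copy before restoring, and treat a tag failure as an incident rather than a storage error, since it means the backup was altered after it was written.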
Accountability
To ensure the effectiveness of NHS London's security plan, responsibilities are clearly assigned to relevant departments and teams. Additionally, roles and responsibilities for employees are defined to promote a culture of accountability and adherence to security policies.
Department/Team, with responsibilities, tools and activities
Incident Response Team (IRT)
- Monitor and respond to security incidents, including ransomware attacks.
- Use SIEM tools to track and analyze security events.
- Coordinate containment, eradication, and recovery efforts during a cybersecurity event.
- Organize tabletop exercises to simulate responses to ransomware incidents.
- Regularly update and test the incident response plan.
IT Department
- Deploy, configure, and maintain security tools such as firewalls, IDPS, and antivirus software.
- Manage and encrypt backup solutions, ensuring secure and segregated storage.
- Implement and enforce access control mechanisms, including RBAC and MFA.
- Perform regular vulnerability assessments and audits, and ensure timely patch management.
Human Resources (HR)
- Oversee delivery of security awareness training programs.
- Conduct regular employee assessments on security knowledge.
- Ensure compliance with security policies through periodic evaluations.
- Manage onboarding and offboarding processes, including revoking access for terminated employees.
Data Protection and Compliance Team
- Ensure adherence to legal and regulatory requirements, such as the UK GDPR.
- Conduct annual reviews of the security plan and policies.
- Manage encryption policies and oversee secure handling of sensitive data.
Role and responsibilities
All Employees
- Adhere to security policies, including using strong passwords and enabling MFA.
- Report suspicious activities, phishing attempts, or security breaches.
Department Heads
- Ensure their teams follow relevant security protocols.
- Act as the first point of contact for internal security concerns.
System Administrators
- Monitor system logs for unauthorized access attempts.
- Apply updates and patches for software and operating systems promptly.
Backup Administrators
- Create, encrypt, and store backups according to the DRP.
- Test backup restoration periodically to ensure integrity.
Incident Reporters
- Report potential security breaches to the IRT promptly.
- Document initial observations of incidents for further investigation.
Implementation timeline (phase, duration, activities and milestones)
Phase 1: Planning and Assessment (1 month)
- Conduct initial risk assessment and review existing security posture. Milestone: risk assessment report finalized.
- Develop a detailed project plan for implementing recommended controls. Milestone: management approval for the security plan obtained.
Phase 2: Technical Controls Deployment (3 months)
- Install and configure encryption mechanisms for sensitive data. Milestone: encryption implemented across critical systems.
- Deploy and test intrusion detection/prevention systems (IDPS). Milestone: IDPS operational and monitoring initiated.
- Strengthen firewalls and enforce access control policies. Milestone: firewalls configured; access controls operational.
Phase 3: Backup and Disaster Recovery Implementation (2 months)
- Enhance backup systems with encryption and secure off-site storage. Milestone: backups automated and stored securely.
- Test disaster recovery plans (DRPs) through simulated scenarios. Milestone: successful DRP simulation completed.
Phase 4: Employee Training and Awareness (3 months)
- Conduct cybersecurity training sessions for all employees, emphasizing phishing awareness and secure practices. Milestone: 90% employee participation in training sessions.
- Launch a continuous learning platform for ongoing education. Milestone: platform operational and accessible to all employees.
Phase 5: Policy Finalization and Communication (1 month)
- Publish updated security policies, including access control, acceptable use, and data protection policies. Milestone: policies disseminated to employees and acknowledged.
- Conduct targeted sessions for managers on enforcing and monitoring compliance. Milestone: managers trained on policy enforcement.
Phase 6: Testing and Monitoring (1 month)
- Perform penetration testing to evaluate security controls. Milestone: penetration test report completed with recommendations.
- Establish a continuous monitoring framework using SIEM tools. Milestone: SIEM operational and actively tracking security events.
Phase 7: Review and Optimization (ongoing, every 6 months)
- Review security controls every six months and update configurations based on emerging threats. Milestone: security updates integrated; review reports submitted to management.
- Test incident response and disaster recovery plans periodically. Milestone: improvements documented and implemented in revised plans.
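The IRT's SIEM monitoring and the Phase 6 continuous-monitoring framework need concrete detection content, and the highest-value signal for the backup weaknesses discussed in this paper is the moment an intruder starts destroying recovery capability: deleting volume shadow copies, wiping the Windows backup catalog, or disabling automatic repair, all catalogued under MITRE ATT&CK T1490 (Inhibit System Recovery) and routinely run by ransomware minutes before encryption. The detection logic below is an added example, not NHS London's or any vendor's code; it scans newline-delimited JSON process-creation events of the kind a SIEM exports from Sysmon Event ID 1 or Windows Security event 4688. The event field names, host names, user names, timestamps and the log lines themselves are constructed for the example.

```python
"""Detect recovery-inhibition commands (MITRE ATT&CK T1490) in process-creation
events and escalate when several techniques appear on one host.

Added example. Event shape (ts/host/user/cmdline per JSON line) and the
sample lines are constructed; a deployment would read these from the SIEM.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

# Signature rules over the lower-cased command line. Every pattern is a
# documented T1490 technique seen in ransomware playbooks.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage", re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("wbadmin_delete_backups", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)\b")),
    ("bcdedit_disable_recovery", re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("powershell_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\bdelete\b")),
]

# Constructed sample events. The first line is benign (listing shadows) and must not alert.
SAMPLE_EVENTS = r"""
{"ts":"2024-06-03T02:14:05Z","host":"LAB-FS01","user":"svc_backup","cmdline":"vssadmin list shadows"}
{"ts":"2024-06-03T02:16:11Z","host":"LAB-FS01","user":"LAB\\jdoe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"ts":"2024-06-03T02:16:12Z","host":"LAB-FS01","user":"LAB\\jdoe","cmdline":"wmic shadowcopy delete"}
{"ts":"2024-06-03T02:16:40Z","host":"LAB-FS01","user":"LAB\\jdoe","cmdline":"bcdedit /set {default} recoveryenabled No"}
{"ts":"2024-06-03T02:17:02Z","host":"LAB-FS01","user":"LAB\\jdoe","cmdline":"wbadmin delete catalog -quiet"}
{"ts":"2024-06-03T09:30:00Z","host":"WS-0412","user":"LAB\\asmith","cmdline":"notepad.exe C:\\Users\\asmith\\notes.txt"}
{"ts":"2024-06-03T09:31:00Z","host":"WS-0412","user":"LAB\\asmith","cmdline":"powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"}
"""


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule that fires on one command line (case-insensitive)."""
    text = cmdline.lower()
    return [name for name, rx in RULES if rx.search(text)]


def detect(log_text: str, high_threshold: int = 2) -> List[Dict[str, object]]:
    """Scan newline-delimited JSON events and return one alert per affected host.

    One technique on a host is 'medium' (administrators do occasionally resize
    shadow storage); two or more distinct techniques on the same host is 'high',
    the pre-encryption pattern that should page the incident response team.
    """
    per_host: Dict[str, Dict[str, object]] = defaultdict(lambda: {"rules": set(), "events": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_rules(ev["cmdline"])
        if not hits:
            continue
        state = per_host[ev["host"]]
        state["rules"].update(hits)
        state["events"].append({"ts": ev["ts"], "user": ev["user"], "cmdline": ev["cmdline"], "rules": hits})
    alerts = []
    for host, state in per_host.items():
        alerts.append({
            "host": host,
            "severity": "high" if len(state["rules"]) >= high_threshold else "medium",
            "rules": sorted(state["rules"]),
            "events": state["events"],
        })
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], ", ".join(alert["rules"]))
        for ev in alert["events"]:
            print("   ", ev["ts"], ev["user"], ev["cmdline"])
```

On the constructed sample the file server LAB-FS01 shows four distinct techniques in under a minute from one user account and is rated high, while the single PowerShell shadow-copy deletion on WS-0412 is rated medium for analyst review. In production these rules belong in the SIEM as correlation searches keyed on host and a short time window, with the high-severity path wired directly to the IRT's paging channel.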
Maintenance Plan
Aspect (frequency), with activities and expected outcomes
Plan Review and Updates (every 6 months)
- Conduct a comprehensive review of the security plan to address evolving threats and vulnerabilities. Outcome: updated and effective security measures aligned with the latest industry standards and threat landscape.
- Assess the implementation status of controls and refine them based on organizational changes or incidents. Outcome: reduced gaps and enhanced relevance of security controls.
Vulnerability Scanning and Penetration Testing (weekly scans; quarterly penetration tests, matching the recommended controls)
- Perform network-wide vulnerability assessments. Outcome: early detection and remediation of security weaknesses.
- Update configurations and patch management based on scan results. Outcome: improved system and application security.
Incident Response Drills (annually)
- Conduct simulated incident response exercises to test and refine procedures. Outcome: enhanced preparedness for handling actual incidents.
- Evaluate team coordination and response effectiveness. Outcome: clear roles, improved collaboration, and reduced response time.
Disaster Recovery Testing (annually)
- Perform full-scale disaster recovery plan tests, including system restoration from backups within the defined RTO. Outcome: validated DRP effectiveness and minimized downtime in emergencies.
Policy Review and Enforcement (quarterly)
- Review and update organizational policies (e.g., access control, data protection). Outcome: policies remain relevant and enforceable with clear compliance metrics.
- Conduct random compliance audits. Outcome: improved adherence to organizational security policies.
Employee Training and Awareness (quarterly)
- Provide refresher training sessions on security best practices, including phishing awareness and new policies. Outcome: increased employee awareness and reduced likelihood of human error leading to breaches.
- Launch interactive modules on emerging threats and ethical security practices. Outcome: a continuous learning culture and a stronger human firewall.
Equipment and Software Upgrades (as needed, at least annually)
- Review and upgrade hardware and software to meet current performance and security standards. Outcome: sustained protection against obsolescence and vulnerabilities.
- Evaluate new security technologies for potential adoption. Outcome: enhanced capabilities to defend against advanced threats.
Legal Considerations
Aspect, with details and impact on the security plan
Compliance with the UK GDPR and the Data Protection Act 2018
- The UK GDPR, retained from the EU GDPR, together with the Data Protection Act 2018 mandates strict protection of personal data, and health data is special category data requiring additional safeguards.
- Ensure robust mechanisms for data encryption, access controls, and notification of the ICO within 72 hours of becoming aware of a reportable breach.
- Non-compliance can result in significant financial penalties and reputational damage.
- Regular audits and staff training are critical to ensuring adherence.
Compliance with HIPAA (reference model only)
- HIPAA is a U.S. regulation and does not bind the NHS, but its safeguards align with the healthcare data protection practices the NHS must consider.
- Implement access controls, ensure data integrity, and restrict unauthorized access to electronic health records (EHR).
- Enforce policies regarding data sharing, patient privacy, and information security.
- Review and update regularly to maintain alignment with international regulatory expectations.
Employee Privacy Rights
- Protect employee data from unauthorized access or misuse when implementing monitoring mechanisms.
- Employee monitoring policies must be transparent, with clear guidelines to ensure lawful surveillance practices.
- Policies must include consent clauses for monitoring email or other communications where applicable.
- Balance monitoring needs with ethical considerations to maintain trust and morale.
Incident Reporting Requirements
- The UK Information Commissioner's Office (ICO) requires notification of personal data breaches, unless they are unlikely to result in a risk to individuals, within 72 hours; affected individuals must be told without undue delay when the risk to them is high.
- Incorporate a clear reporting protocol in the incident response plan to comply with these timelines.
- All reports must include the scope of the breach, impacted individuals, and remediation measures taken.
- Establish communication channels to coordinate responses with legal and regulatory bodies.
Data Retention Laws
- NHS London must comply with the rules governing retention of medical records (for example, 8 years after last treatment for adult hospital records under the NHS Records Management Code of Practice).
- Develop policies to manage the secure storage and timely deletion of records after the retention period.
- Use audit trails to monitor access and modifications to ensure compliance.
- Implement automated mechanisms to track and enforce retention schedules.
Intellectual Property Protections
- NHS-developed software or systems for managing healthcare data are protected under IP law.
- Restrict unauthorized access to proprietary systems through authentication controls and secure development practices.
- Protect IP through contractual agreements with third-party vendors.
- Regularly review contracts to ensure security responsibilities are well-defined.
Ethical Concerns
Aspect, with ethical concerns and recommendations
AI Usage
- Concern: Reliance on AI for cybersecurity, such as threat detection, raises concerns about bias in decision-making. Recommendation: Conduct regular audits of AI systems to identify and mitigate biases that could unfairly target individuals or activities.
- Concern: Lack of transparency in AI algorithms can hinder understanding and accountability. Recommendation: Use explainable AI (XAI) solutions to ensure decision-making processes are transparent and defensible.
- Concern: Automating responses to perceived threats without human oversight carries ethical risk. Recommendation: Require human review for critical decisions made by AI systems, especially those affecting patient care.
Employee Monitoring
- Concern: Excessive surveillance may lead to decreased employee trust and morale. Recommendation: Clearly define and communicate the scope of monitoring activities in the workplace, ensuring compliance with legal standards.
- Concern: Monitoring employee communications without consent could violate privacy. Recommendation: Secure explicit consent from employees for monitoring activities and anonymize data when feasible.
Whistleblowing
- Concern: Fear of retaliation might discourage employees from reporting security vulnerabilities or ethical violations. Recommendation: Create a robust whistleblowing policy that guarantees anonymity and protects whistleblowers from adverse consequences.
- Concern: Whistleblower protections must be balanced against potential misuse of the mechanism. Recommendation: Establish a review board to evaluate whistleblower claims impartially and prevent false accusations from causing harm.
Privacy
- Concern: Strong security measures, such as access controls and monitoring, can infringe on individual privacy. Recommendation: Enforce privacy-by-design principles so that security measures protect sensitive data while respecting individual rights.
- Concern: Sharing sensitive patient data with third-party vendors raises privacy concerns. Recommendation: Limit data sharing to essential purposes and ensure vendors adhere to stringent data protection agreements.
Policy Examples
Policy, with description, justification and enforcement mechanisms
Data Access Control Policy
- Description: Limits access to sensitive patient data based on roles and responsibilities.
- Justification: Prevents unauthorized access and minimizes the risk of data breaches, ensuring compliance with the UK GDPR and the Data Protection Act 2018.
- Enforcement: Use role-based access control (RBAC), periodic access reviews, and multi-factor authentication (MFA) for all data access points.
Incident Response Policy
- Description: Provides guidelines for identifying, reporting, and mitigating security incidents effectively.
- Justification: Ensures a structured approach to handling cyber incidents, minimizing downtime and protecting critical systems.
- Enforcement: Conduct regular incident response drills, establish a 24/7 incident response team, and require prompt reporting of suspicious activity.
Encryption and Backup Policy
- Description: Mandates encryption of sensitive data in transit and at rest and enforces regular backups.
- Justification: Protects patient data from unauthorized access and ensures data availability in case of ransomware or other data loss incidents.
- Enforcement: Enforce TLS 1.3 for data in transit and AES-256 at rest, and require automated backups with at least one immutable or offline copy and periodic restoration testing.
Enforcement Strategies
• Employee Training: Conduct mandatory training sessions to familiarize staff with the policies, emphasizing their roles in adherence. Use engaging methods like simulations to reinforce key principles.
• Automated Monitoring Tools: Deploy automated tools to monitor compliance with policies, such as access logs for tracking data access and encryption audits to ensure sensitive data is secure.
• Policy Audits: Perform quarterly audits to identify gaps in policy implementation, ensuring all departments comply with outlined protocols. Use results to refine policies and address non-compliance issues.
• Disciplinary Actions: Clearly outline consequences for policy violations, such as warnings or termination for repeated breaches, to maintain accountability.
• Feedback Mechanisms: Provide channels for employees to report policy-related challenges or suggest improvements, ensuring continuous evolution of security practices.
By implementing these policies with effective enforcement mechanisms, NHS London can significantly strengthen its security posture, safeguard sensitive patient data, and maintain compliance with legal and ethical standards.
Conclusion
The proposed security plan for NHS London addresses vulnerabilities exposed by the Qilin ransomware attack through a comprehensive security framework aligned with the CIA triad. Key measures include encryption, intrusion detection systems, and automated backups, supported by clear accountability, structured timelines, and regular maintenance.
Legal compliance with GDPR, ethical considerations in AI use, and robust data access and incident response policies ensure both security and trust. By implementing these strategies, NHS London can recover from the attack and strengthen its resilience against future threats while safeguarding patient data and maintaining operational continuity.
References
Blanton, S. (2024, October 16). Recent ransomware attacks in 2024 (updated October 2024). JumpCloud. https://jumpcloud.com/blog/ransomware-attacks-in-2024
Coburn, A. W., Leverett, E., & Woo, G. (2019). Solving cyber risk: Protecting your company and society (1st ed.). Wiley.
Fleck, G. L., & Smetters, K. M. (2021). Defending against ransomware: Strategies for protecting organizational data. Cybersecurity Journal, 15(3), 49-66.
Global Ethics Solution. (2021, June 23). Ethical issues with technology and networks in the workplace [Video]. YouTube. https://www.youtube.com/watch?v=xsFRH1VdEqI
Martin, A. (2024, September 16). Data on nearly 1 million NHS patients leaked in hospital ransomware attack. The Record. https://therecord.media/data-on-nearly-1-million-nhs-patients-leaked-hospital-ransomware
McHarris, P. (2020). Ransomware file encryption tactics, techniques, and procedures. ProQuest Dissertations & Theses.
McIntosh, T., Kayes, A. S. M., Chen, Y.-P. P., Ng, A., & Watters, P. (2021). Dynamic user-centric access control for detection of ransomware attacks. Computers & Security, 111, 102461. https://doi.org/10.1016/j.cose-
Pfleeger, S. L., & Coles-Kemp, L. (2024). Security in computing (6th ed.). Addison-Wesley Professional.
Rothman, D. S. (2022). How encryption techniques can mitigate ransomware: A practical approach. Journal of Information Security, 18(4), 21-38.
Smith, M. H., & Wills, C. E. (2023). The role of access control policies in combating ransomware attacks: Lessons from the NHS London incident. Information Security Review, 7(2), 67-75. https://doi.org/10.5555/infs.7.2.67