5 Unsafe Workaround Tactics With The NHS Smartcard

Isosec and the NHS Smartcard

Okay, firstly there will be no naming and shaming here, so if you were hoping to see organisations with poorer processes than yours, shame on you. Cybersecurity is no joke, especially when it comes to the NHS smartcard and protecting patient data.

What we are going to share are five very real examples of unsafe working practices involving NHS Smartcards.

We’ve been working with the NHS for fifteen years now and came to it from an IT security background in smartcards and secure authentication. We have over 40,000 users of iO, our smartcard identity agent, and as a result have seen thousands of local use cases for the NHS smartcard, some hugely successful… some not so much.

If you’ve somehow wandered here by accident and aren’t sure what we’re talking about: NHS smartcards work much like chip-and-PIN bank cards and allow healthcare professionals here in the UK to access the patient information that is relevant to their role.

Here are five ways we’ve seen organisations abuse the power of the NHS smartcard.

  1. Passcode strength – An obvious one to start with, but setting a secure passcode really is important. We’ve had people volunteer that their passcode is ‘passcode’, ‘1234’, even ‘doctor’. It may be quicker to type 1234 in a hurry, but the whole authentication process is undermined if the ‘something you know’ factor can be guessed in a handful of attempts.
  2. Card sharing – It might seem harmless to pass your card to a colleague who is in a hurry, but an organisation’s security standards are only as good as individual adherence to them, and once a card changes hands the audit trail no longer records who actually viewed or changed a patient record.
  3. Leaving a cut card in a reader – Possibly the worst offender on this list, but sadly we have seen it in action. The explanation we were given was that Information Governance colleagues would regularly walk around and check how things were running. To keep quick shortcut access while avoiding detection of card sharing, one card was left in a reader and then cut off flush, so IG couldn’t see a card in the reader or know that the behaviour was going on.
  4. Robot smartcards – A machine with a smartcard permanently in the reader that logs itself in with a fixed passcode is an IG risk, and most Trusts are completely unaware that they have one. Our analytics dashboard highlights this behaviour straight away, so it’s not something we see with iO.
  5. Single sign-on passcode manager software – If you use software to remember your passcode and key it in for you, you are no longer using two-factor authentication: the security level drops to a single factor (possession of the card), which doesn’t meet NHS security standards and doesn’t stop someone else using your card should they pick it up.
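
Two of the behaviours above (the robot card, and its cousin the cut-off card, in items 3 and 4; a card held open in more than one place at once, which is what sharing looks like when sessions outlive the card) leave traces in authentication logs that an analytics dashboard can pick up. The following is an added example written for this page, not iO’s analytics and not the real NHS Spine log format: it assumes a hypothetical one-event-per-line log and flags (a) cards whose sessions overlap on two different workstations, which a single physical card cannot do unless a session is being kept alive after the card was pulled or the card is effectively shared, and (b) cards that authenticate from exactly one workstation on a metronomic schedule, the signature of a card left permanently in a reader with an automated fixed-passcode login. The sample events are constructed.

```python
"""Audit smartcard authentication events for two of the workarounds listed above.

Hypothetical log line format (an assumption for this example, not iO's or the
NHS Spine's real format):
    <ISO-8601 timestamp> card=<card id> ws=<workstation> event=login|logout
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) card=(?P<card>\S+) ws=(?P<ws>\S+) event=(?P<event>login|logout)$")


def parse(lines):
    """Turn log lines into (timestamp, card, workstation, event) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                       # skip malformed lines rather than abort the audit
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["card"], m["ws"], m["event"]))
    return sorted(events)


def sessions(events):
    """Pair each login with the next logout for the same card + workstation."""
    open_ = {}
    out = defaultdict(list)             # card -> [(start, end, workstation)]
    for ts, card, ws, ev in events:
        if ev == "login":
            open_[(card, ws)] = ts
        elif (card, ws) in open_:
            out[card].append((open_.pop((card, ws)), ts, ws))
    end = events[-1][0] if events else None
    for (card, ws), start in open_.items():   # still logged in: treat as open to the last event
        out[card].append((start, end, ws))
    return out


def concurrent_use(sess):
    """Cards with overlapping sessions on two different workstations. One physical
    card cannot sit in two readers at once, so this means a session is being kept
    alive after the card was pulled, or the card is effectively shared."""
    flagged = set()
    for card, ss in sess.items():
        ss = sorted(ss)
        for i, (start_i, end_i, ws_i) in enumerate(ss):
            for start_j, _, ws_j in ss[i + 1:]:
                if start_j < end_i and ws_i != ws_j:
                    flagged.add(card)
    return flagged


def robot_cards(events, min_logins=6, max_cv=0.05):
    """Cards that authenticate from exactly one workstation on a near-metronomic
    schedule: the signature of a card left permanently in a reader (cut off or
    not) with an automated fixed-passcode login."""
    logins = defaultdict(list)
    for ts, card, ws, ev in events:
        if ev == "login":
            logins[card].append((ts, ws))
    flagged = set()
    for card, ls in logins.items():
        if len(ls) < min_logins or len({ws for _, ws in ls}) != 1:
            continue
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(ls, ls[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < max_cv:   # coefficient of variation
            flagged.add(card)
    return flagged


def audit(lines):
    events = parse(lines)
    return {"concurrent": concurrent_use(sessions(events)), "robot": robot_cards(events)}


def build_sample():
    """Constructed events for one morning (not real data): CARD-A is a normal user,
    CARD-B is open on two workstations at once, CARD-R re-authenticates every
    15 minutes from the same reader all morning."""
    base = datetime(2017, 5, 12, 8, 0)
    rows = [(0, "CARD-A", "WS-01", "login"), (37, "CARD-A", "WS-01", "logout"),
            (52, "CARD-A", "WS-03", "login"), (140, "CARD-A", "WS-03", "logout"),
            (5, "CARD-B", "WS-02", "login"), (12, "CARD-B", "WS-04", "login"),
            (60, "CARD-B", "WS-02", "logout"), (95, "CARD-B", "WS-04", "logout")]
    for k in range(8):
        rows += [(15 * k, "CARD-R", "WS-09", "login"), (15 * k + 14, "CARD-R", "WS-09", "logout")]
    return [f"{(base + timedelta(minutes=m)).isoformat()} card={c} ws={w} event={e}"
            for m, c, w, e in rows]


if __name__ == "__main__":
    print(audit(build_sample()))
```

The thresholds (six logins, a coefficient of variation under 5%) are starting points to tune against a real Trust’s data; a busy clinician on one machine will have ragged gaps, an unattended script will not.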

What Can You Do About It?

Some people don’t think much of NHS smartcards, and the list above shows that there is still some general education to be done around cybersecurity. It is a strong case for how poorly managed technology can hinder users rather than benefit them, and sadly the unsafe workarounds that result harbour high-risk behaviour.

However, we think that when smartcards are used properly they do the job for the NHS, and we’ve developed ways to maximise both security and efficiency with them.

From our experience with NHS IT departments we listened to the many issues some Trusts have with the smartcard. From there we expanded the capability of our iO identity agent, and iO Virtual Smartcard was created. There are a wealth of benefits to using our Virtual Smartcard product, but most importantly we built it to maximise the security around authentication whilst still addressing the user issues we have witnessed along the way.

By creating an innovative technology that meets both the practicality of everyday working practices as well as high-level security standards we hope to further the efficiency of the NHS whilst still maintaining the necessary safeguarding of patient data in the modern world.

To find out more about how to avoid these high risk behaviours in your organisation you can download our Virtual Smartcard brochure or watch our explainer video on our website.

The WannaCry ransomware and how it (doesn’t) affect us

There’s been a great deal in the news over the past few days about the already infamous “WannaCry” (AKA “WannaCrypt”, “WanaCrypt0r”, “Wanna Decryptor” etc.) malware that has spread like wildfire across the world, most notably infecting numerous NHS trusts. You may not know that Isosec was built from a security background; we have cybersecurity expertise spanning 50 years. With this in mind we thought we’d let you know just what on earth is going on, how it might affect you, and how it, thankfully, doesn’t affect Isosec (despite the similarity of our name to those of other companies involved!).

What is it?

First and foremost, the question on most people’s minds: just what exactly is this thing? Well, “WannaCrypt” is a type of malware (malicious software) known as “ransomware”: software that encrypts your most important files and folders and then quite literally holds them to ransom, demanding a payment in return for decrypting them. Paying is more often than not the worst possible thing you can do, since there is no guarantee the criminals will, or even can, give your files back.

Now that the technical jargon is out of the way, a practical example. You receive an email with an attachment; you open the attachment and it runs a program on your computer; the program locks away all of your files with a key you don’t know, and then demands a sum of money in return for that key. Sound bad? It is. Ransomware has been around for many years in various forms, but what is getting worse is not so much the programs themselves as the way in which they spread.

In the case of “WannaCry”, the evidence so far is that it needs no email or user interaction at all once it has a foothold: it scans the local network (and the internet) for Windows machines exposing the SMB file-sharing service and uses a flaw in SMBv1 to infect every one that isn’t patched. Now if the “isn’t patched” part of that caught your interest, that’s for good reason…

Staying safe

Whilst the usual security principles apply here – always run active anti-virus and keep a malware scanner to hand, don’t open unknown attachments, stay away from unfamiliar websites, and so on – one rises above all others in importance: keep your computer up to date. The vulnerability in Microsoft Windows that allowed the “WannaCry” attack to spread was fixed in Microsoft’s March 2017 security update (bulletin MS17-010), meaning that a computer with that update installed was already safe by the time the attack began. But if you don’t regularly update – and don’t have automatic updates switched on – then you were, and possibly still are, at risk. Two further points for IT teams: machines running versions of Windows that are out of support (Windows XP, for example) only received a fix once Microsoft issued an emergency patch after the outbreak started, and SMBv1 itself can be disabled on machines that don’t need it, which removes the spreading vector regardless of patch state.

How this (doesn’t) affect Isosec

Due to the nature of ransomware, attacks such as these are unlikely to affect us as a company. Our internal security policies keep us out of harm’s reach, and the fact that we ship software rather than hardware means we’re not in the crosshairs of these sorts of attacks. But that doesn’t mean we can wash our hands of any responsibility; instead, it’s important to look at how we can help you to prevent these problems from happening.

Let’s use MIA Maternity as an example. MIA Maternity is completely offline-capable, and while that’s important for midwives who use our software in areas of limited or no connectivity, it’s even more important when a large-scale cyber attack such as this one occurs.

This is because even if the Trust-owned servers that hold the all-important patient data are compromised, the mobile devices remain functional, with a recent copy of all the patient data required to work. Midwives can continue to work without issue, and patient care isn’t compromised. Better yet, there’s no need to revert to older paper-based backups: midwives can continue to enter data into MIA Maternity, and it will be sent back to the server once the issue has been resolved by the Trust.

Here at Isosec we take security very seriously. It’s baked into how we make software, and is something on the minds of everyone here constantly.

Lack of cyber security for NHS mobile apps

Ok, SC Magazine (for IT security professionals) is maybe not everybody’s favourite bedtime reading, but one of their recent articles highlights a particular issue with the scramble to mobilise NHS apps on tablet devices, oft heralded as the saviour of the NHS through efficiency.

The article contends that patient information is more valuable than financial data when sold on the black market. If you consider that a mobile device potentially has hundreds or thousands of patient records stored on it, or is connected to clinical back-end systems holding tens of thousands of patient records, then it is beyond doubt that it is only a matter of time before cyber criminals get their act together.

I don’t want to discuss the obvious business case and benefits of transforming and mobilising healthcare – it could save billions. But at what cost if you don’t get the security right?

However, I do take exception to SC’s article presenting cyber-security training for users as the answer. It’s a false sense of security. Sure, it makes sense to do it, but pitted against a smart hacker a trained user wouldn’t stand a chance. As an ex karate-ka, I’ve seen it many times: people given some self-defence training think they can defend themselves (imagine the Lion in the Wizard of Oz – put ’em up).

I don’t want to go all security on you, but a) security isn’t black and white, i.e. secure or not, and b) it’s only as good as the weakest link, i.e. the human. So training the user doesn’t suddenly make things secure, and if a user can be fooled then security is effectively compromised if you are relying on training alone.

The implications of a security compromise? Well, that’s for another day, but fines and reputation damage are certain.

To compound the matter (read: “make it easy to fool users”), there are a number of mobile app solutions on the market, and healthcare organisations using them, that rely on usernames and passwords to secure mobile clinical apps and patient data. They even think that having MDM to protect their devices makes them secure.

Security that is based on username and password will never be secure enough, even with tons of cyber security training for users.

As the architect of Isosec’s mobile application platform, MIA, it is quite clear to me that the NHS Smartcard is the only effective way to protect mobile apps on tablet devices. NHS clinicians are very familiar with its use, and it is two-factor: something I have (the card) and something I know (the passcode). MIA uses the NHS Smartcard not only to log users on to a tablet device, but also to strongly encrypt patient data on the device, and the card is required to connect to the clinical back-end systems. Without the card there is no access to patient data on the device or back at base. Get the passcode wrong three times and the data becomes inaccessible. MIA also has various timers that blank and lock the device, so even if the user leaves the card in the reader, everything is still safe. If they lose the card, it can be revoked, and again everything remains safe.
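
The design in the paragraph above is easiest to see in code. What follows is an added, illustrative model written for this page, not MIA’s implementation: a simulated card that only uses its secret after the passcode is verified; a device vault that keeps the patient-data key wrapped under a key that only that card plus passcode can reproduce; a three-strikes counter that erases the wrapped key; an idle timer that drops the key from memory; and a revocation check. The card id, passcode, challenge, the HMAC-based key wrap (a stand-in for AES key wrap, which a real product would take from a vetted library) and the revocation set are all assumptions of the example. One caveat for an offline-capable app: a device can only honour a revocation once it has learnt of it, so until the device next syncs, the passcode retry limit and the idle timer are what protect the data on a lost tablet.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

class AccessDenied(Exception):
    pass

class Smartcard:
    """Simulated chip: the secret never leaves the card and is only used after the passcode is verified."""
    def __init__(self, card_id, passcode):
        self.card_id, self._passcode = card_id, passcode.encode()
        self._secret = secrets.token_bytes(32)

    def respond(self, passcode, challenge):
        if not hmac.compare_digest(passcode.encode(), self._passcode):
            raise AccessDenied("wrong passcode")
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _subkeys(kek):
    """Separate wrap and MAC keys derived from the card's response."""
    return tuple(hmac.new(kek, label, hashlib.sha256).digest() for label in (b"wrap", b"mac"))

class DeviceVault:
    MAX_ATTEMPTS = 3
    IDLE_TIMEOUT = timedelta(minutes=5)

    def __init__(self, card, revoked):
        self.card, self.revoked = card, revoked   # revoked ids, assumed refreshed whenever online
        self.challenge = secrets.token_bytes(16)
        self.blob, self.attempts = None, 0        # blob: wrapped data key + tag, the only copy on device
        self._dek = self._last_activity = None    # unwrapped key lives in memory only while unlocked

    def enrol(self, passcode):
        """Generate the data key and wrap it under a key only this card + passcode can reproduce."""
        dek = secrets.token_bytes(32)
        wrap_key, mac_key = _subkeys(self.card.respond(passcode, self.challenge))
        wrapped = _xor(dek, wrap_key)
        self.blob = wrapped + hmac.new(mac_key, wrapped, hashlib.sha256).digest()

    def unlock(self, passcode, now):
        if self.card.card_id in self.revoked:
            self.lock()
            raise AccessDenied("card revoked")
        if self.blob is None:
            raise AccessDenied("data erased after too many wrong passcodes")
        try:
            kek = self.card.respond(passcode, self.challenge)
        except AccessDenied:
            self.attempts += 1
            if self.attempts >= self.MAX_ATTEMPTS:
                self.blob = None                  # wrapped key gone: data on the device is unrecoverable
            raise
        wrap_key, mac_key = _subkeys(kek)
        wrapped, tag = self.blob[:32], self.blob[32:]
        if not hmac.compare_digest(tag, hmac.new(mac_key, wrapped, hashlib.sha256).digest()):
            raise AccessDenied("wrapped key has been tampered with")
        self.attempts, self._dek, self._last_activity = 0, _xor(wrapped, wrap_key), now

    def lock(self):
        self._dek = None

    def data_key(self, now):
        """Key for encrypting records (AES-GCM in practice); the idle timer means a card
        left in the reader does not keep the data open indefinitely."""
        if self._dek is None or now - self._last_activity > self.IDLE_TIMEOUT:
            self.lock()
            raise AccessDenied("locked: present card and passcode again")
        self._last_activity = now
        return self._dek

def _denied(action):
    try:
        action()
    except AccessDenied:
        return True
    return False

def demo():
    """Walk the scenarios from the text with a simulated card; returns each outcome."""
    t0 = datetime(2017, 5, 12, 8, 0)
    card, revoked = Smartcard("CARD-1", "2468"), set()
    vault = DeviceVault(card, revoked)
    vault.enrol("2468")
    vault.unlock("2468", t0)
    key = vault.data_key(t0)
    vault.lock()
    vault.unlock("2468", t0)
    out = {"same_key_each_unlock": vault.data_key(t0 + timedelta(minutes=1)) == key,
           "idle_locked": _denied(lambda: vault.data_key(t0 + timedelta(minutes=30)))}
    for _ in range(DeviceVault.MAX_ATTEMPTS):
        _denied(lambda: vault.unlock("0000", t0))
    out["erased_after_3"] = _denied(lambda: vault.unlock("2468", t0)) and vault.blob is None
    vault2 = DeviceVault(card, revoked)
    vault2.enrol("2468")
    revoked.add("CARD-1")                         # revocation (lost card reported) arrives after enrolment
    out["revoked_blocked"] = _denied(lambda: vault2.unlock("2468", t0))
    return out
```

Two design points worth noting: the wrapped key on the device is the only copy, so erasing it after three bad passcodes really does make the data unrecoverable (the server copy is unaffected), and the integrity tag on the wrapped key means a tampered vault fails closed rather than yielding a garbage key.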

So, given the weakest-link argument, we have taken the approach of using something very secure and familiar (the NHS Smartcard) and made the user experience very simple – we don’t rely on users being infallible.

Even when a user fails to follow basic precautions, MIA security takes over to protect patient data and backend system access.

The take-home is don’t be lulled into a false sense of security – if you’ve got username/password protecting your clinical data and access, with MDM “remote wipe” and really good user training, your pants are down, from a security perspective that is.

Finally, we have a smartcard solution for iPads (with a natty sleeve from Precise Biometrics) as well as NFC authentication on Android and Windows devices (and a contact reader for devices that support it).