Ijraset Journal For Research in Applied Science and Engineering Technology
Authors: Rachael Medhurst, Richard Ward, Mabrouka Abuhmida
DOI Link: https://doi.org/10.22214/ijraset.2025.67030
The rapid proliferation of the Internet of Medical Things (IoMT) has brought significant advancements in patient care but also introduced new cyber-related challenges. This paper focuses on cyber-related attacks on medical devices to review the Digital Forensics and Incident Response (DFIR) capabilities in the UK healthcare industry. Case studies from the United Kingdom (UK), Ireland and the United States of America (USA) have been used to highlight vulnerabilities in medical devices and healthcare IT systems, ranging from data integrity issues to large scale ransomware attacks. These attacks show the lack of sufficient information regarding the DFIR capabilities within the National Healthcare Service (NHS) in the UK, which should be assessed and continuously monitored to ensure an effective response in the event of a cyber-attack. The paper highlights the limitations of cybersecurity considerations within the healthcare industry, as well as reviewing a range of medical cyber-attacks, examining existing policies and frameworks, and discussing future DFIR capabilities in healthcare. This paper’s key findings reveal gaps in current DFIR processes, including inadequate incident response plans, delayed detection of intrusions, and insufficient staff training on cybersecurity best practices. As the healthcare industry continues its digital transformation, the development and implementation of sophisticated DFIR capabilities must keep pace. A better understanding of cybersecurity challenges in healthcare and enhancing DFIR strategies will lead to improved protection of patient data and ensure the integrity of medical devices and services.
The integration of Internet of Medical Things (IoMT) devices into healthcare systems, such as the UK's National Health Service (NHS), has revolutionized patient care by enabling real-time monitoring and personalized treatments. However, this digital transformation has introduced significant cybersecurity vulnerabilities, particularly concerning medical devices. These vulnerabilities have been exploited in several high-profile cyberattacks, underscoring the necessity for robust Digital Forensics and Incident Response (DFIR) capabilities.
Key Cybersecurity Incidents:
WannaCry Ransomware Attack (2017):
The NHS was severely impacted by the WannaCry ransomware, which exploited unpatched Windows 7 systems.
Approximately 34% of NHS trusts were disrupted, leading to the cancellation of over 6,900 appointments and operations.
A National Audit Office investigation revealed that the NHS's cyber-attack response plan had not been adequately tested, leading to delays in recovery and communication failures.
Conti Ransomware Attack on Health Service Executive (HSE), Ireland (2021):
The HSE's IT systems were compromised after an employee opened a malicious email attachment.
The attack encrypted 80% of HSE's systems and exfiltrated over 700 GB of sensitive data, including patient records and COVID-19 vaccination information.
The incident highlighted deficiencies in HSE's cybersecurity governance and crisis management, leading to a comprehensive review and overhaul of their cybersecurity protocols.
Springhill Medical Centre Ransomware Attack (2019):
A ransomware attack compromised medical devices, including heart monitors, during a critical delivery.
The failure to detect the attack in time resulted in a newborn's death due to undiagnosed fetal distress.
This incident underscores the critical importance of timely detection and response to cyber threats in healthcare settings.
Challenges Identified:
Lack of Cybersecurity Awareness:
A significant portion of NHS IoMT devices have known vulnerabilities, and many healthcare providers fail to implement basic security measures, such as changing default passwords and applying software patches.
Inadequate DFIR Capabilities:
Many healthcare organizations lack comprehensive DFIR strategies, leading to delayed detection, ineffective response, and prolonged recovery times during cyber incidents.
Insufficient Training and Preparedness:
Despite the prevalence of cyber threats, healthcare staff often receive inadequate training on cybersecurity best practices, leaving systems vulnerable to attacks.
Recommendations for Improvement:
Enhanced DFIR Capabilities:
Healthcare organizations should develop and regularly test comprehensive DFIR plans to ensure swift and effective responses to cyber incidents.
Regular Security Training:
Implementing continuous cybersecurity education for staff can significantly reduce the risk of successful attacks.
Proactive Vulnerability Management:
Establishing robust processes for timely patching and updating of medical devices and IT systems is crucial to mitigate known vulnerabilities.
Investment in Cybersecurity Infrastructure:
Allocating sufficient resources to cybersecurity initiatives, including the adoption of advanced threat detection and response technologies, is essential to protect patient safety and organizational integrity.
As healthcare systems continue to digitize, strengthening cybersecurity measures and DFIR capabilities is imperative to safeguard against evolving cyber threats and ensure the delivery of safe and effective patient care.
Over the past decade there have been critical vulnerabilities in medical devices and healthcare IT systems, ranging from data integrity issues to large-scale ransomware, that underscore the urgent need for robust DFIR capabilities in the healthcare sector. Healthcare faces unique challenges, including the complexity of medical device ecosystems, the critical nature of patient data, and the potential for cyber incidents to directly impact patient care and safety. Effective DFIR frameworks in healthcare must address several key areas: regular vulnerability assessments and patching of medical devices, continuous monitoring and incident detection, comprehensive incident response plans with regular testing, and enhanced staff training on cybersecurity best practices. Additionally, as healthcare continues its digital transformation, improved collaboration between IT, security, and clinical teams is essential to ensure a holistic approach to cybersecurity, and importantly, sophisticated DFIR capabilities must be implemented. This evolution is crucial not only for protecting patient data but also for maintaining the integrity and safety of medical devices and healthcare services. The future of healthcare cybersecurity lies in proactive, adaptive, and comprehensive DFIR strategies that can effectively mitigate the ever-evolving threat landscape.
Copyright © 2025 Rachael Medhurst, Richard Ward, Mabrouka Abuhmida. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Paper Id : IJRASET67030
Publish Date : 2025-02-19
ISSN : 2321-9653
Publisher Name : IJRASET