The UK’s National Health Service is celebrating its 70th anniversary this year. To coincide with this, the UK government has made a big financial commitment to the service’s future. The NHS annual budget of £114 billion will rise by 3.4 percent a year.
Technology is one of the four main pillars to be covered in a new 10-year plan that’s supported by this new funding. But, as the service was seriously disrupted by cyber-attacks only a year ago, there is clearly a need to consider cybersecurity as part of any future investment in new technology.
The challenge of protecting NHS from cyber-attacks is complicated by its vast size and complexity. In England alone, the NHS is the largest public-sector employer with over 1.4 million staff. Medical services are accessed and delivered through a network of close to 500 hospitals and over 3,500 GP surgeries dotted across the UK. Despite the ‘national’ in its name, NHS reforms have meant the service is run on a very regionalised basis with local budgets and budget decision-makers, making it difficult for the NHS to coordinate a response to prevent or recover from a cyber-attack.
At the same time, the service has a chequered history of digitisation. For many years, there have been plans and targets to modernise how the NHS collects and shares patient information digitally. While progress has been difficult, the NHS is committed to digitisation where it can deliver better medical outcomes and patient experience.
Cybersecurity has a positive role in how it can facilitate the use of digital technologies across the NHS. It also can improve trust in how the NHS uses and shares data, especially critical when many patients and patient groups have expressed serious opposition to projects in this field in the past. However, cybersecurity for cybersecurity’s sake isn’t appropriate when what’s of prime importance to the NHS is that patient services are never interrupted by another cyber-attack.
The great lesson of the WannaCry incident wasn’t how the ransomware caused problems but because NHS IT teams didn’t know the extent of the threat and had to turn off IT systems. There was no operational crisis management in place in the event of an attack, with the outcome being that no individual, region or even central government body knew the extent or level of attack impact. It was this lack of clarity and certainty that meant a shutdown was the only option, which was what then directly disrupted medical services on an alarmingly wide scale.
A clear goal of the 10-year plan will be how technology helps deliver excellent medical services and outcomes for patients. Cybersecurity must serve this end but must not get in the way.
As WannaCry demonstrated, greater visibility of threats and vulnerabilities is key but not if it simply hands a small and overstretched team of NHS IT specialists an even longer to do list. There is great expertise and skill within the NHS, but the reality is the service cannot retain enough staff with top cybersecurity skills when it has rigid pay structures and competes with the private sector which can pay much more.
So, NHS IT teams are desperate for practical support that will help direct priorities, as well as technology that can automate much of the workload of mitigating vulnerabilities effectively. The answer is threat and vulnerability management solutions that use current threat intelligence to cut through the noise of vulnerabilities – which in large, complex networks can range in the millions – and more accurately prioritise remediation.
A threat-centric vulnerability management approach focuses action on the small subset of vulnerabilities most likely to be used in an attack – and often, those vulnerabilities are not the most obvious ones.
The solution must also have at its core the ability to consider network context, which comes from being able to model the entire hybrid network, including the security controls in place. This is key in situations where patching may not be an option, or when the team needs to consider more expedient, cost-effective or lower risk options, depending on the environment. This may include relying on existing security controls such as IPS signatures, changing firewall or security tags and adjusting configurations. The threat-centric approach not only has the greatest impact on risk reduction, it increases the efficiency and effectiveness of vulnerability management teams.
How this might be applied in NHS as digitisation is rolled out more widely? Empower NHS IT teams with technology that breaks down data silos by merging together all the information about the network into a single repository of truth, including assets, network topology, existing security controls, vulnerabilities and threats. This provides the foundation of network visibility and context that’s needed to identify and assess risks and security priorities clearly and – more importantly – efficiently address them without interrupting medical care or placing additional burden on the limited NHS IT resources.