Guest contributor Sascha Giese, Head Geek™ at SolarWinds, explores the challenges facing cybersecurity in the healthcare sector.
Many large organisations are currently under massive pressure to improve cybersecurity effectiveness. Unfortunately for the NHS, its sheer size means there are many more points of entry for cybercriminals than commonly found elsewhere. Add to that the uncertainty surrounding healthcare funding levels, the large amount of legacy technology still in daily use and a global cybersecurity skills shortage—and we have something akin to a chronic health issue.
There’s no doubt that risk awareness has grown considerably in recent years, but the situation remains alarming. A SolarWinds Freedom of Information (FOI) survey, which examines the cybersecurity challenges and preparations across public sector organisations as a whole, revealed that nearly all (98%) respondents surveyed said they were aware of the UK government’s 2018 Minimum Cyber Security Standard. While over a third (38%) claimed to have experienced no cyberattacks in 2018, compared to 30% who said the same for 2017, there was an increase in the number of organisations reporting in excess of 1,000 cyberattacks. 18% of respondents said this was the case in 2018, up from 14% in 2017.
This is particularly important within the healthcare sector, because once security is breached, the consequences can be severe. The most infamous example of this is the 2018 WannaCry ransomware attack, which cost the NHS £92m (€109m), according to a report from the Department of Health.
Improving cybersecurity health
Fast forward to the present day, and the sense of urgency to improve cybersecurity across the NHS remains undiminished. In July, Lord Darzi and Imperial College London’s Institute of Global Health Innovation presented a white paper to the House of Lords calling for major improvements in NHS cybersecurity, with more investment needed to protect patient safety.
This is reflected by efforts across the NHS to raise standards. In the last two months, NHS Digital launched the Keep IT Confidential cybersecurity campaign, designed to protect patient data and help NHS staff improve security across the organisation. This is important work, and as any security expert knows, employees play a vital role in preventing security breaches. However, as far as cybersecurity in the NHS is concerned, the cliché ‘there’s always more we can do’ is as valid and relevant as ever.
Cybersecurity and healthcare policy
Achieving a strong cybersecurity posture, one that improves detection and prevention from the top down, requires a coordinated approach, especially across an organisation as large as the NHS. At a policy level, efforts should be focused on improved strategy and processes to apply security best practices. For instance, in an organisation that employs around 1.7 million people, the risks presented by insider threats are considerable. Indeed, the security risks from insiders can often prove more numerous and acute than those coming from outside criminal hackers or foreign governments.
End user security awareness training, network access control and effective patching are among the most effective approaches to improving insider threat detection and prevention. Organisations that invest in best practices often see an improvement in security effectiveness. Processes, such as employee background checks, can play an important role in controlling the risks presented by malicious insider threats. These should form part of basic security hygiene for the NHS.
At a higher level, technology professionals in the public sector—including healthcare—continue to pursue upskilling to maintain good cybersecurity postures and keep digital transformation on track. SolarWinds’ ‘IT Trends Report 2019: Skills for Tech Pros of Tomorrow’ showed the top three technology sets according to respondents to achieve this over the next three to five years are:
- Cloud and/or hybrid IT (66%);
- Automation and/or orchestration (52%); and
- SIEM and/or threat intelligence (56%).
Of course, given the time and resources pressure on training, tech pros should consider approaching skills development strategically, prioritising necessary learning based around the needs of daily operations and IT environments—along with skills that support organisational growth.
There is no getting away from the fact that better cybersecurity costs money, but part of the challenge is that more advanced and sophisticated security tools address a wide range of competing priorities, so choosing where to spend is itself difficult. The shopping list can be long, but for many, intrusion detection and prevention tools, endpoint and mobile security, web application firewalls, and encryption technologies are now must-haves.
In many ways, cybersecurity in the NHS represents a long term health issue for the organisation as a whole. Implementing good cybersecurity hygiene within the healthcare sector from the top down, inside and out, will provide the best kind of protection and preparedness against a whole range of threats. As with personal wellbeing, preventive measures will often prove far more effective than responding to a crisis. Only when we analyse the impact of cybersecurity breaches on the NHS—years from now—will we know how effective the collective effort has been.