Cybersecurity in the NHS plays a huge role in our nation's health, and if there’s a disruption to that protection, it can directly impact patient care due to the increase in workload for medical staff. That’s before you even consider the financial, compliance, and privacy complications that come with getting it wrong.
Despite of the fact that in serious cases, a cyber incident in healthcare can carry with it the ultimate human price, cybersecurity teams at the NHS aren’t granted large budgets, especially in comparison to their private-sector counterparts.
In addition to the lack of funding, there are many sector-specific challenges that make securing the NHS and enabling it to carry out its critical operations without interruption, an uphill battle. From our work within the NHS and through research and conversations with IT leaders within the health service, we have identified a number of cybersecurity considerations for the NHS in 2022. Here are our thoughts on five key ones.
Quickly, let’s take a look - at what's covered:
Cybersecurity challenges in NHS 2022
5 Steps to improve cyber posture at the NHS in 2022
Cybersecurity challenges in NHS 2022
Complexity in NHS IT
IT networks are notoriously complex, especially at a health trust. Complexity introduces a range of challenges, including application performance, network performance, root cause analysis and difficulty in monitoring. On top of this is the added challenge of having to secure everything, including every endpoint, many of which will be scattered far and wide.
The more complex a network is, the more ‘things’ there are to secure, introducing more potential avenues that can be compromised. NHS networks are built for a purpose, which is to share patient data and resources to medical and support staff, whilst underpinning all the various medical devices and systems that sit within.
As the NHS network has grown over time to support new systems, adapt to new technology, pivot to accommodate remote working etc., there is still a reliance on legacy systems. These are older parts of the network that aren’t able to be upgraded or moved, and through this combination of new and old, blind spots, back doors and vulnerabilities thrive.
We’ve seen examples in a number of NHS trusts where multiple solutions are in place that actually achieve similar or the same outcomes.
Why does this occur and why is it a problem?
This can occur when procurement decision-makers are put in the ‘use it or lose it’ scenario and if their budget isn’t spent, it’s lost. That’s fine, the budget is there to be spent. The problem is that there isn’t a clear roadmap of where money needs to be spent and why. This opens the door to the opportunistic salesman to shoehorn his solution into whatever problem a Trust tells him they’re trying to solve.
Why is this a problem? - Numerous reasons, firstly, it’s a waste of budget, given that money could be desperately needed elsewhere. Secondly, overlapping solutions, systems, applications, etc., just adds to the complexity. Another concern is that you widen your vendor portfolio and therefore the risk of a supply-chain attack.
Whether it’s financial, operational or a security threat that concerns you, tooling overlap is an often unnecessary problem.
Lack of visibility
As the well-used expression goes - you can’t protect what you can’t see.
If you consider how IT is used in 2022, people access data, systems and resources from multiple locations, including from their own homes. This access no longer requires a visit through a central hub with security solutions protecting these resources, they can be accessed from anywhere, at any time via cloud services.
If you add this distributed manner of IT usage to the general complexity we have previously discussed and also consider unmanaged devices and medical equipment connecting to the network, you can begin to see the amount of potential ingress paths and vulnerabilities present at any one point in time.
Without deep visibility into this connectivity and activity across the network, what hope can there be to secure such an operation? Of course critical systems and their access need securing first, but outside of that, the importance surely needs to be knowing what the priorities are. The only way to do that is to gain visibility into the situation as a whole.
Unmanaged IoT and Medical devices
IoT is associated with an increased cyber risk due to an increased attack surface which is susceptible to brute force attacks and can be compromised through default passwords or vulnerabilities and used as a backdoor into the network.
Looking more closely at medical devices or Operational Technology (OT) that are unmanaged, at least from a security perspective, which are built for their medical purposes and not predominantly with security in mind. What would happen if one of them was to get compromised? Would anyone know? Also, they tend to fall outside of normal jurisdiction, so if a CT scanner was infected with malware who’s responsibility is that?
These types of devices tend to sit outside of traditional security solutions or monitoring solutions in general, therefore uncharacteristic or unusual behaviour is rarely picked up, providing the perfect environment for malicious activity to fester.
The risk? If Malware were to infect a medical device, it could stop working - preventing a patient from receiving treatment. The device might also allow the malware to spread - impacting more patients.
Threat of ransomware
Ransomware in the NHS has already made headlines with the WannaCry attack devastating health systems in 2017 and that wasn’t even targeted.
So, why was the NHS so vulnerable to ransomware?
As we now know, it came down to an exploitation of a Microsoft vulnerability, for which a patch had been released, so why did it wreak havoc?
A quick look at some of the points mentioned earlier in this list will answer this question.- The complexity, difficulty to isolate, lack of visibility into device status/behaviour - all of these are likely to have been contributing factors. It’s also worth considering the pressure that IT teams are under due to the issues mentioned in this article, and how much employee burnout plays a part. Tired, under-resourced teams aren’t going to perform at the top of their game and mistakes will be made - it’s a human condition and it’s a vicious cycle.
So what can be done about cyber concerns in the NHS?
The only viable strategy is to gain an understanding of the entire situation and create a roadmap going forward. Taking the time to step back from the situation and invest in understanding the scope in all its dimensions means you can begin to strategise effectively. Armed with a deep level of knowledge and understanding of what your network consists of will allow you to take strides in the right direction.
After all, it only takes one card to make the house fall and ignoring a dark corner in your IT estate, which is seen as difficult, assumed unimportant or simply forgotten about can undermine security operations.
5 Steps to improve cyber posture at the NHS in 2022
1. Get visibility
Visibility provides the foundation of decision making, without it you’re making blind decisions based on assumptions.
Visibility into critical systems, their access and security policies & protection is paramount. From there, an understanding of how IT is used across the estate/enterprise/business, is critical to security planning.
It’s important to understand how things are used, what is connected to what, and what can be accessed from where. It's also important to consider the health of these systems and whether or not they’re patched? Are they behaving as normal? Is there a legacy system that needs to be secured or have restricted access?
2. Understand threats
Once you have a clear picture and visibility into all the relevant areas, this information can be reviewed from a security perspective and vulnerabilities can be identified.
It’s important to identify not only threats and vulnerabilities, but if they were to be exploited, what the impact would be and what then becomes vulnerable if that part of the network is compromised.
During this process, it’s important to review external information. Ensuring whether or not your system is up to standard to protect against modern attack vectors and zero-day exploits is vital.
A threat intelligence feed is extremely valuable at this point to ensure you’re up to date with a constantly evolving database of threats and cross referencing this against your security setup.
3. Identify tooling overlap, gaps in defences
Once you understand your threats and vulnerabilities, you can compare this to your current security solutions.
Firstly, look for gaps in your cybersecurity solutions. Do you have any areas that aren’t currently secured? What is the impact of these gaps remaining unsecured? What can be done to make them more secure?
Secondly, look for overlaps in your security tooling. Do you have redundant tooling? Are some solutions inhibiting others? Are you using three solutions when one would do? Look for opportunities to clear up a messy situation and potentially reduce your licensing and associated costs.
4. Clear roadmap & prioritise
If you know about a threat or vulnerability, you can mitigate against it
Once you have a clear idea of the health of IT, with all its contributing factors, the vulnerabilities, risks and current efforts in place to mitigate these threats, you can plan to fill the gaps.
Understanding priority should come down to the criticality of the system, the usage, the impact if compromised, likelihood of it being compromised and the ability to pivot from that point and target other systems.
Look for the low-hanging fruit, some seemingly small vulnerabilities may grant access or allow ingress into large amounts or critical parts of the network or the systems that sit on it. A quick fix here can greatly improve cyber posture.
This is where deep visibility paired with understanding is invaluable.
5. Allocate budget accordingly and start implementing changes
Once you have the roadmap of priorities, which is based on solid data, visibility and knowledge, you have the blueprint to achieve a strong cybersecurity posture.
It might not always be perfect, but by following this process you’re able to ensure your critical systems are secure and maintained. Any incident can be isolated and contained and health operations are protected and can be restored to full capacity as quickly as possible.
Cybersecurity at the NHS is not a tick box exercise, it’s about taking the bull by the horns and dealing with the facts.
Head of Cyber Security Services and Operations
Here to help
We've got an hour for you
Securing NHS users, networks, applications and data is an intricate process. A reliance of legacy systems and a move to hybrid networking, paired with a mass of medical devices and data shared far and wide, means understanding the landscape is critical.
We have recently helped NHS boards tackle cybersecurity challenges and we'd be happy to provide helpful advice.
Take advantage of an hour of free consultancy to get help with your cyber concerns.
Fill out the form below and we'll be in touch shortly.