As our NHS and our nation push through another lockdown toward the proverbial light at the end of the Corona-tunnel, the work of ensuring that the very technology we now rely so heavily upon stays safe itself does not stop.
In the case of information security, however, the Corona-virus isn’t the harmful entity we need to concern ourselves with. It’s the electronic counterpart that can bring down health tech civilisation as we know it.
Covid-19 saw rapid “tooling up” of digital transformation and technology resources, resulting in a significant change in the delivery of services, transformation of processes and wider acceptance of innovation within establishment control.
In fact, most of my senior network believe that if anything, the past Covid-laden six months has driven more transformation in certain digital fields than would have been accomplished in 2 years in normal circumstances.
The white paper “The impact of Covid-19 on the use of Digital Transformation in the NHS” (Rachel Hutchings) from the Nuffield Trust, the leading healthcare provider, states some key points:
- A figurative boom in the production of, innovation within and fund-seeded ideas for Health and Wellness technologies, covering not just consumer tech but clearly patient-facing and collaborative Health Care apps/tech/transformation
- There has also been a surge in patients’ uptake of remote health services, including registrations for the NHS App, NHS login and e-prescription services.
- Internal transformation, be it newly implemented systems (e.g. O365) or the updating of archaic systems to add capacity or meet new regulation, increased within 2020
But despite the undeniable progress that has been made, it is important to proceed with caution. Especially when changes happen at such a pace, there are possible risks of a hangover of information security capacity.
In July 2020 a cyber insurgent group called APT29 targeted several NHS organisations involved in Covid vaccine development, a literal indirect attack on human life. Estimates online reckon the cost of healthcare disruption alone can run to multi-millions per year.
So, what does this mean for Data, Information and Cyber Security agendas nationwide and for individual organisations?
“Hackers have the ability to make people’s lives a misery, especially in the health care sector. They target CT and MRI scanners because they hold personal data and they know how critical they are for diagnosis. They target medical records because they are worth more on the black market than financial records. They target the automation of car parking to prevent ambulances from accessing hospitals in an emergency. Data and cybersecurity are critical for so many reasons.” – Rosie Underwood, Cyber Security Consultant, NHS Digital
Information and Cyber Security is a primary concern for all CIOs and Digital chiefs in the NHS and wider health market. We speak with principal consultant, leader in the field and DefenceWatch Ltd owner Simon Brownhill on the current and future needs of this essential strategic service:
What are the main challenges that affect NHS leaders in delivering optimal information protection?
Large NHS organisations can often lag behind in their information security when compared to either less complex organisations or cash rich industries such as Pharma. When you have variable and dissected care organisations that, although part of a whole system, often operate individually, challenges can exist around better cyber monitoring, threat intelligence, and incident response times. Sometimes, the employees’ limited understanding and the ‘keeping of pace’ with hackers can be an indirect causation of cyber and information threats, such as patient data management errors or other basic information protection knowledge.
Although the wider NHS and local regions are improving, better support and guidance are needed to ensure increases in safety, and better cyber training and greater awareness of and engagement with cyber security best practice among NHS staff and organisations are essential.
Partnership working has come to the forefront of information security over the recent years. How can NHS organisations use strength in partnerships to deliver a safe and affordable cyber secure environment?
NHS system monitoring capabilities have vastly improved with NHS devices largely tracked using ATP. Companies are ensuring their processes are encompassed in a standard operating model that drives security updates regularly and have security controls and alerts in place to stay ahead of the curve. Partnerships across the system (Trust to Trust for example) can markedly increase success with a joined-up approach to cyber risk management. Partnerships with specialists like DefenceWatch to build and deliver, drive and maintain check-ups on information security health can act as a backstop to any threats.
Tackling a persistent threat means that 24/7 surveillance and an agile response is paramount. How can NHS organisations ensure they stay one step ahead of the enemy?
Fluidity, agility and regimented process control. Organisations must build security into system design throughout all applications, their cloud networks, their data stores and through every device that is attached to the organisation. Investing in the knowledge of the leading security guidelines (such as DevSecOps) allows organisations like the NHS an affordable way to design and code intelligent solutions.
At one of our customers, we showcase the benefits of agile security monitoring via an offsite monitoring team responsible for keeping the organisation safe whilst continually drafting patching and incident reporting as a service to the onsite head of data security. This allows a premium level service without the price tag of a consultancy.
Simon, the big question is – What’s the next big thing for the world of health and cyber? What tips do you share for organisations looking to improve their cyber security?
Security is not a secret – share ideas and capabilities, work with your peers and develop a better understanding of the threats – intelligence and collaboration will make the mission more effective. Within the NHS we need to see a high level of value for money – to create a positive and robust solution requires investment of course; thinking creatively about solutions and demonstrating the comparative ROI is essential. So partner with or employ someone who can easily demonstrate that. Reporting – demonstrable metrics make it much easier to justify your costs and resourcing than a sense of security!
Rethink Healthcare and DefenceWatch have partnered with NHS Trusts over 4 years to provide essential Cyber Security and Information Security Services through onsite and remote support. Just some of the easily accessible gains through a simple service include:
- Rationalised security tooling with centralised, single point of management
- Cloud-based to provide universal coverage (first cloud deployment in Trust)
- Documented and exercised incident response playbook
- Formalised KPIs and KRIs reported to Board level
- Baseline logging and monitoring capability
- Controlled and managed, limited legacy systems
- Interaction and collaboration with industry and sector forums
For further information on Cyber and Information Security services that could help your organisation reach its cyber goals, reach out to Chris Walker of Rethink Healthcare for an informal introduction.