Cyber security and the cloud are both high up the agenda for NHS IT leaders. With Digital Health’s Public Cyber Security conference taking place next week and the Cloud Summit in January 2018, Vivienne Raper hears they needn’t be mutually exclusive priorities.

Cyber security and the cloud are both high on the agenda for NHS IT leaders. Cyber threats to healthcare – in particular – were brought into focus by WannaCry earlier this year, which affected more than a quarter of NHS trusts.

Some 66% of the 152 individuals who responded to this year’s Digital Health Intelligence NHS IT leadership survey named cyber security as a priority. The previous year, only 23% of respondents saw it as such.

Meanwhile, Digital Health Intelligence’s forthcoming report on IT infrastructure – due to be published next month – shows 33% of 163 surveyed acute and mental health trusts are already delivering part of their infrastructure through the cloud, with 39% looking to do so in the next two years.

Turning to the cloud for security

With the adoption of cloud and awareness of cyber threats now growing in tandem, the question is whether improvements in cyber security can be provided through the cloud.

“The NHS is certainly starting to turn to the cloud for cyber [security], with the likes of Microsoft and Sophos – to name just two – benefiting from an increased perception that the cloud can not only be trusted when it comes to security, but can actually improve security posture,” says Davey Winder, cyber security columnist at Digital Health.

The general view is that cloud suppliers have expertise and resources to devote to cyber security beyond what individual trusts can provide locally. As Tara Athanasiou, director of research and networks at Digital Health Intelligence, puts it: “There’s no single organisation in the NHS with the IT budget to put the highest levels of cyber security in place.”

Adds Athanasiou, who co-authored the IT infrastructure report: “The take-up of cloud has historically been relatively slow because of the need to win hearts and minds, but as pieces of infrastructure come up for renewal, organisations are now seeing the benefits.

“From the CIOs I’ve spoken to, we’ll see a tipping point in the next two years. And within the next five years, NHS organisations will be delivering some or all of their infrastructure through the cloud.”

Delivering better governance

Cyber security is often about good information governance. Even when cloud suppliers only provide Infrastructure as a Service (IaaS) – such as the servers and storage that you’d normally find at an onsite data centre – they often set restrictions on the version of operating systems that NHS trusts can install.

Ensuring trusts have the most up-to-date operating system makes for better information governance, even if trusts remain responsible for patching their own software. Where NHS trusts are purchasing Software as a Service (SaaS) – which can be clinical software delivered through the cloud, or even productivity software such as Office 365 – the vendor is responsible for installing updates and patches for the software.

“From talking to CIOs, upgrading office software is a slog; it’s resource intensive and diverts attention from other activities,” Athanasiou reports. “Having it done by an external supplier reduces the burden.”

Less labour intensive

She suggests external suppliers could also help reduce the number of manual processes needed to keep systems safe from cyber attack.

“Looking at trends, in the longer term, you’re looking at real-time monitoring across networks and using emerging technology like artificial intelligence and machine learning to identify attacks earlier,” says Athanasiou.

Suppliers such as Microsoft offer products to detect emerging cyber threats and suspicious activity in real time. These use machine learning and artificial intelligence to process huge volumes of data, beyond what an IT team could do by themselves.

“There’s a whole raft of processes that are done manually and labour intensively,” says Athanasiou. “Cloud makes these increasingly automated.”

Cloud-based software can also detect uncharacteristic patterns of activity by users such as database administrators, and flag it to an IT team – a similar process as that used by credit card companies to identify fraudulent purchases.

Benefits already being seen

As Digital Health’s recent special report on IaaS makes clear, some are already reporting security benefits from the use of cloud. At Birmingham CrossCity CCG, a rollout of virtual desktop infrastructure to GPs was underway when WannaCry hit. The ransomware was quarantined by the offsite data centre.

But had the GPs’ computers been attacked and encrypted, John Uttley – e-innovation director at Midlands and East Lancashire CSU – told Digital Health it would have been possible to be back up and running within hours.

It a powerful example of just why cloud and cyber security might go hand in hand.

Digital Health’s new Public Cyber Security conference takes place next Thursday, 7 December, 2017 at the ICC Birmingham. It is focused on protecting citizen-facing public services, and is free to attend for public sector information security, IT and IG professionals. You can register by visiting the event’s website.

Digital Health’s Cloud Summit takes place on Wednesday 24 January 2018 at One Moorgate Place in London. It will explore how to successfully deploy cloud-based services in UK healthcare – and consider what the benefits might be. Places are limited, so register now to secure your spot at this free of charge event.