Special Report: Cybersecurity
The recent review of the WannaCry attack by the NHS England CIO has shone a bright light into NHS cyber defence deficiencies. With the General Data Protection Regulation coming into force this Spring, and an array of legacy Microsoft systems hitting their end of support status, just where do things stand now regarding cybersecurity strategy within the NHS? Davey Winder investigates.
According to the newly published review authored by Will Smart, chief information officer of NHS England, only 1 percent of NHS activity was directly impacted by WannaCry with 80 of the 236 hospital trusts affected, plus 595 of the 7,545 GP practices. However, the vulnerability of NHS infrastructure was laid bare for all to see.
Historic underinvestment in network security, unpatched legacy software and unpatchable hardware devices were exposed, along with poor discipline and accountability at the highest levels within individual trusts.
Although the number of devices in the NHS running on unsupported Windows XP software has dropped to just 1.8 percent at the end of January, NHS England admits that most devices infected by WannaCry were running on the supported, but unpatched, Windows 7 OS.
Indeed, none of those 80 trusts that were affected by WannaCry had applied the Microsoft patch that would have prevented it, despite a CareCERT advisory more than two weeks prior to the attack itself.
“A weekly intelligence bulletin is sent to all of health and care identifying new and emerging threats, offering mitigation and remediation advice,” according to an NHS Digital spokesperson.
“We have further developed our alert system by introducing CareCERT SMS which is used to alert contacts that a major incident has been raised.”
National strategy, local focus
So, what cybersecurity steps are being taken by NHS organisations right now, and are they enough to prevent future attacks?
The NHS Digital spokesperson points out that the organisation is increasing its capacity to support local organisations by developing an enhanced Security Operations Centre.
“This will increase our ability to monitor local networks, providing health and care organisations with near-real-time threat intelligence on their infrastructure.”
She adds that NHS Digital has already completed more than 150 “on-site assessments identifying the problems to fix in local infrastructure” which have been followed by “on-site support to help fix any identified issues” as part of the non-intrusive vulnerability scanning process now in place.
While this is encouraging, Dr Saif Abed, European medical director at Imprivata and an NHS doctor, warns: “At the local level specifically, we need to continue to push for C-level executives to sponsor and address the criticality of cybersecurity contingency plans.”
This is an area that Will Smart addresses when he says “local organisations must ensure effective management of their technology infrastructure, systems and services.”
Graeme Stewart, director of public sector at Fortinet, strongly believes that cybersecurity is getting more airtime with management. “It is now a better understood risk at an organisational level and this is driving a change in behaviours down to individual IT departments.”
Smart adds that “nationally, a new agreement with Microsoft has been signed, which includes patches for all its current Windows devices operating XP.”
The Enterprise Threat Detection Service (ETDS) from Microsoft is a good start, but the “rollout has been slow and ETDS alone will not solve the problem” warns Mike Pannell, chief technology officer, Cyber and Secure Propositions for Majors & Public Sector at BT.
In the Spring, NHS Digital will launch a new Data Security and Protection Toolkit, to provide NHS organisations “a revised process to assess, measure and publish their performance against the National Data Guardian’s 10 Data Security Standards.”
Right now, anything that can build resilience within the NHS, and focus on remediation plans to reduce vulnerabilities has to be welcomed with open arms.
Looking back to WannaCry, the inability of many trusts to properly secure their firewalls facing the N3 broadband network was highlighted in the NHS England report as one of the many missed mitigation opportunities.
N3 is currently being replaced by the Health and Social Care Network (HSCN) which, according to Des Ward, information governance director of Innopsis, will provide a “great opportunity for health and social care organisations to pool resources to detect cyberattacks at the network level.”
HSCN includes provision of network monitoring and network analytics tools to identify attacks that originate from the Internet, for example.
Education, education, education
Adrian Byrne, CIO at the Southampton University Hospitals Trust, says as far as preventing future attacks goes “we are pretty well where we’ve always been which is focussing on doing good perimeter security, a bit more on mail, and a bit more on training.”
Byrne admits that staff remain the biggest vulnerability, something that Keiron Salt, CIO Health & Transport at BT, picks up on when he says that “health organisations must consider the people, culture and process elements of a successful cyber security strategy; ensuring appropriate training, knowledge and processes are in place that are relative to the risks.”
When Palo Alto Networks surveyed 100 NHS IT managers at the end of last year, it found only 11 percent of doctors and 6 percent of nurses receive cybersecurity training.
Smart admits the challenge is to “change our mindset to one that systematically evaluates and manages the threat to our services posed by cyber-attacks.” NHS England’s WannaCry review recommends that “boards for NHS organisations should undertake annual cyber awareness training” and that “all organisations should consider whether access to IT systems and services should be removed from members of staff who have not successfully completed this mandatory training.”
This is bolstered by another recommendation that in addition to mandatory and statutory training, there should be “regular and targeted cyber and information security awareness training appropriate to their job role.”
Does cybersecurity spending add up?
All of which, of course, costs money. Which begs the question, is the NHS spending enough on cybersecurity?
According to NHS England, immediately following the WannaCry attack the Digital Delivery Board “reprioritised” £21m capital to address key vulnerabilities in major trauma centres and ambulance trusts.
A further £25m of capital funding has been identified to support those organisations whose self-assessments show them to be non-compliant against high-severity CareCERT alerts.
As part of an exercise to reprioritise cyber investment between 2018/2019 and 2020/21, £150m has been identified to focus on local infrastructure along with “national systems and services to improve monitoring, resilience and response.”
This is set against a backdrop in which, in December, the NHS Improvement technology and data assurance committee noted that implementing just one of the NHS England WannaCry review’s recommendations would cost in the region of £1 billion.
However, as Neil Mellor, business development director at BT Security, points out “it’s not just a question of whether the NHS is spending enough, but whether they are investing in the right security mitigations to keep cyber risk at an acceptable level.”
Which means understanding that risk exposure is based on an accurate picture of the IT estate and known vulnerabilities in the light of both potential exploits and being able to properly value that risk.
The ‘lessons learned review’ report from NHS England has made 22 recommendations, from NHS Digital drawing up a national response protocol which all approved IT suppliers must comply with to ensure 24/7 on call care and linkages to commissioning support units.
Smart is clear that a one-size-fits-all approach will not work across health and social care, insisting that the NHS response needs to be “proportionate to the scale and type of services being provided by each organisation, given the difference between a large acute hospital or major trauma centre and a small residential care home.”
It remains to be seen how many of the review recommendations are implemented, and how long that implementation process takes.
The 2018 healthcare threatscape
What are the key cybersecurity trends likely to be for this year, and is the NHS prepared for them? We put that question to Southampton University Hospitals Trust CIO, Adrian Byrne: “I expect the usual email attachment threats to continue. I expect more deployments of mobile device management. I don’t expect to see another large zero-day thing, as these seem to come along in intervals of a few years fairly regularly.
“I do expect to see an increase in DDoS (distributed denial of service attacks) and brute force attempts as people are running more services to the internet or in the cloud. But people will hopefully test their staff more, and put in all the basic measures such as encryption detection…”