It has been reported that NHS Digital is opposing the post-WannaCry recommendation of a minimum security standards bar, in the form of mandatory compliance with the Cyber Essentials Plus (CE+) standard by June 2021.

The documents apparently refer to a presentation at an NHS Digital cybersecurity committee meeting in which the cost of compliance across the service was estimated at anywhere between £800 million and £1 billion.

According to HSJ, a document reveals that NHS Digital took the position that ensuring every provider gets CE+ accreditation, while useful as a benchmark, would not be value for money.

Yet the same document is said to also raise concerns over the ability of organisations within the NHS to adequately respond to any new major cyberattack.

Given that cyberattacks on the NHS have, by all accounts, neither stopped nor even slowed since WannaCry, this stance could at first glance be viewed as particularly worrying.

Who is in charge of cybersecurity in the NHS, the experts or the bean-counters? Let’s not forget that this is a recommendation in a review written by Will Smart, the chief information officer for health and care in England. Let us not forget either that it was endorsed by the National Cyber Security Centre.

Accreditation schemes aren’t a silver bullet

First impressions, however, are often quite wrong. We must accept that NHS Digital might just be right in its stance, if its reasoning turns out to be an accurate reflection of the position.

Experience leads me to state categorically that very few security reviews are implemented word for word, with every recommendation put into place as written. Cost will always be a factor, and what delivers value for money is usually determined by a risk analysis that sets out the cost of failure against the cost of defending against particular scenarios.

While accreditation schemes are not bad things, neither are they some kind of silver bullet against falling victim to the bad guys. If they were, then frankly we’d have sorted out cybersecurity years ago.

That said, CE+ does require organisations to demonstrate, under independent technical verification rather than self-assessment, a grip on the basic controls needed to detect and protect against cyberattacks. That’s a really good thing, which is reflected in CE+ being seen as pretty much essential for an organisation wanting to win an NHS contract.

Constant evolution

Yet the truth of the matter is that threat actors’ methods and motivations constantly evolve, and security postures need to do likewise. That means an inevitable degree of budgetary restraint and prioritisation of effort. It is quite possible for the NHS – just like any large enterprise – to adequately improve its security posture without throwing every weapon in an increasingly expensive arsenal at the problem.

It is equally possible for organisations to invest very heavily in security and still end up on the wrong side of a breach. It has happened time and again, in fact. Certification is a tool, and it’s only right that the cost of implementing it is balanced against the return in terms of reduced risk.

The industry mantra of there being no such thing as 100% secure is there for a reason. You can spend every penny in the bank trying to achieve an impossible goal.

One real plus point for NHS Digital, in my never humble opinion, is the appointment of Robert Coles as its new chief information security officer. I know Robert from his days as an industry judge for the BT Information Security Journalist of the Year awards, a title I was fortunate to win three times. In my opinion, he’s a man at the very top of his game, and he brings with him decades of hands-on experience at some very large organisations indeed. I don’t think he will quietly accept a wrong decision, and I am certain he’ll do whatever is required to secure data and systems within the financial boundaries of a resource-diminished health service.

As sagely pointed out by Sam Curry, chief security officer at security vendor Cybereason: “It’s possible that NHS Digital have made the right call, accepting some measures and rejecting others.” That’s what most sensible and serious organisations do after all.