As 2018 draws to close and 2019 pokes its head around the corner, what does the balance sheet look like on cybersecurity and data protection? A day after his birthday, no less, expert columnist Davey Winder pushes aside the cake and party poppers to give us his take.
While, thankfully, the past 12 months haven’t brought another cybersecurity incident of WannaCry proportions, that’s no reason to start the new year celebrations just yet. The reality is that health remains a highly valuable sector to cyber criminals, and so highly targeted by them. And while the number of data security incidents has remained largely flat, that doesn’t necessarily equate to a good performance.
In my final column for the year, I thought I’d look back at just three security areas within the health sector that have caught my attention during 2018, but which also offer some hope as we look forward to 2019.
1) Legacy infrastructures
I have written much about the threat of legacy kit to NHS security. At the same time, I appreciate that if a piece of kit is working well and saving lives, then a costly replacement that will still save lives while also being more secure is a hard sell. The Internet of Medical Things is inherently insecure, of that there can be little doubt. But it would be a brave head of department (or politician for that matter) who called for existing resources to be redirected to update items that are working just fine – if not as securely as they could be.
Which does not mean updates should not be made. There is the Orangeworm group, actively targeting hospitals with malware to access vulnerable legacy equipment such as x-ray and MRI machines for example.
Or how about the researchers from cybersecurity vendor McAfee who identified unencrypted communications protocols between patient monitoring systems and the central monitoring station used by some hospitals? This vulnerability could be exploited to modify the patient data in real time. While it’s unclear how such an exploit might be profitable to a criminal endeavour, outside of a far-fetched nation-state assassination scenario, it does illustrate the problems with legacy kit where security was never a priority during system development.
And while we’re looking at problems with legacy communications kit, take a bow, fax machines. Back in July it was reported nearly 9,000 were still in use by NHS trusts. Some argue their function could relatively easily be subsumed into existing communications infrastructures at little cost. The value would be returned in doing away with a legacy system that makes it pretty much impossible to secure data transfers adequately. Not to mention that threat actors can potentially use them to access NHS networks.
Matt Hancock has announced that, from January 2019, NHS organisations will be banned from buying new fax machines. What’s more, they must be phased out altogether by 31st March 2020. Instead, from April 2020, all NHS organisations will be required to use more secure communication methods to improve patient safety and cybersecurity. Baby steps and all that, but it’s a welcome start to addressing the insecure thread that runs through NHS legacy technology.
2. Data protection
2018 has not, on the face of it, been such a bad year as far as breaches within the NHS are concerned; which again doesn’t necessarily equate to a good one for health sector data protection either. Here are just two examples of what I mean by that. A ‘coding error’ in the SystmOne application used by GPs to record objections to patient data being used for research purposes meant some 150,000 individuals had their objections effectively ignored. Not a systems breach, but a systems failure that led to a breach of trust and not a great moment for NHS Digital.
Then there was the compromise on the email system used by the East Anglian Air Ambulance service which led to the issuing of a warning to supporters of the charity to watch for potential phishing emails that looked like they came from someone within the organisation. The cause: a member of staff had their email account hacked. While the precise nature of the hacking was not revealed, my experience in dealing with such incidents leads me to suspect social engineering (either with clickbait or malicious attachment payloads) or password reuse across services.
A tweaking of processes should lead to some improved data protection outcomes as we move into the new year. The new national data opt-out which replaces the old system of patient objections should simplify control over data use and make incidents such as the SystmOne event a thing of the past.
It’s a little harder to say the ends of account hacking and the problems that social engineering bring to the security party are in sight. With 99% of NHS email domains having inadequate phishing protection, the solution has to start not with endpoint protection or AI-powered intrusion detection systems (although these obviously play their part) but simply with better risk awareness training.
NHS staff are both the weakest link and potentially the strongest defence when it comes to security threats. Awareness training, proper hands-on, dynamic, meaningful systems and not just some checkbox-ticking exercise, must be a mandatory part of every staff onboarding programme. CareCERT Assure, Knowledge and React programmes are all doing their bit, but I fear they won’t be enough. Which brings me nicely onto the third of my security sectors.
3. Security staffing
Literally as I was editing this column, penetration testing specialist Redscan was announcing data gleaned from a series of freedom of information requests about security staffing in the NHS. On average, it found trusts had only one member of staff with professional security credentials per 2,628 employees. A quarter of trusts have no formally qualified security professionals whatsoever. Throw in that this research also suggests expenditure on cybersecurity training across 2018 could be as little as £238 per trust, to £78,000 at the other end of the spending scale, and the skills and training gaps become all too apparent. If it wasn’t clear enough, the researchers also say that only 12% of trusts had met the NHS Digital target for mandatory staff information governance training.
While the skills gap is of huge concern to anyone with even the slightest understanding of cybersecurity issues, the appointment of Robert Coles as the new NHS Digital CISO will be of huge significance to those with a deeper understanding of the sector. I’ve met Coles on several occasions when he used to be a judge at the BT Information Security Journalism awards, and in my opinion he’s a man who has security know-how pumping through his veins. If anyone can instil a culture of security awareness into the NHS, at all levels, then I think it’s the former GlaxoSmithKline security chief. Assuming, that is, he’s given the freedom and resources to lead on this issue. If he isn’t, then 2019 might not be the year the NHS got a grip on its security problem after all…