Special Report: Cybersecurity
Although cybersecurity has largely dropped out of the headlines recently, data security remains as important as ever. Claire Read explores why continuing investment in cybersecurity is crucial and the impact it has on the NHS.
As lead for digital health at Imperial College London’s Institute of Global Health Innovation, Saira Ghafur spends much of her working life thinking about cybersecurity in healthcare. But she says it’s when she puts on her other hat – that of a respiratory medicine consultant – that the need to highlight its importance to all NHS staff becomes particularly clear.
“If you ask my clinical colleagues: ‘Tell me about cybersecurity,’ they look at you blankly,” reports Ghafur. “People need to understand that [as frontline staff] we are guardians of data and any cyber attack, any cyber threat, has got to be seen as a patient safety issue.”
It was an argument put forth in a report she and colleagues published last year, urging continuing investment in cybersecurity even as WannaCry starts to fade somewhat into history. Certainly, there is no doubt that the mass of attention-grabbing pledges and promises of national support that followed the serious impact of the attack on the NHS have passed. But, interestingly, Ghafur does not see that as necessarily a bad thing.
“I think initially post-WannaCry we saw that flurry of activity. There was a lot going on from the national perspective in terms of capital investment as well. There was the announcement of the big price tag [projects] – £150m and everyone upgraded to Windows 10.
“In the meantime, cybersecurity’s certainly tapered off in terms of the headlines. But I think there’s a lot more work going on in the background, which I think is more important than the attention-grabbing headlines – it’s what is the difference on the ground?”
For Scott Wilson there has been one very clear difference: the frequency with which he and his colleagues are now asked to give detailed information on security when working with new and existing clients.
Wilson is business director of eFax, an internet-based fax provider which enables users to dispense with traditional fax machines – and with the associated risk of information ending up in the wrong hands. He says around 95% of customers now ask the company to complete a security audit prior to signing up to the product.
“An event like WannaCry makes people jittery and since GDPR [the General Data Protection Regulation] came in customers are also being much more thorough in their sign up process with us,” he says. “I think that’s really good, because it shows that people do care about security. It’s something people know they need to be aware of.”
Benefits of cash boosts
It’s a theme echoed by Andy Wilcox, senior product marketing manager at Imprivata. The firm offers a variety of authentication tools, including a single sign-on solution, and he says interest has remained strong even as WannaCry has become more distant.
“My feeling is very much that people are still cognisant of cybersecurity. It feels to me like there’s been an investment in money, there’s been an investment in time, and we are seeing the benefits of that.”
His concern – like Ghafur’s – lies not with persuading national and local leaders of the importance of protecting their computer systems and networks, but with supporting frontline users to make it happen.
“There’s a natural thought process that says in order to improve security we’ve got to increase passwords and password complexity and password length; we’ve got to make accessing systems more restrictive.
“There’s a knock-on effect I think with introducing more cybersecurity controls that, if you don’t provide the right mechanisms to smooth their impact, it takes clinician time away from patient care.”
He suggests the result is users creating workarounds, such as leaving one person logged in so that everyone accesses the system under that person’s details. “Organisations are absolutely right to implement cybersecurity measures – it’s fundamental. But what you’ve got to do is find the balance of the right level of security and the right ease of access for the people who use it.”
Doing so, he argues, necessitates an approach in which all relevant parties are engaged. “Having engagement and representation across all of the different stakeholder groups – from management down – leads to success and a much more joined up approach to cybersecurity and to technology in general,” contends Wilcox.
Awareness at local level
Because while national initiatives such as NHS Digital’s Cyber Security Operations Centre are acknowledged to have made a difference, there is an awareness that it is at the local level that continuing action needs to take place.
“That’s where I would urge focus,” says Jonathan Lee, UK healthcare sector manager at cybersecurity firm Sophos. “At the centre, I think there’s been a lot of reinventing the wheel in terms of national agreements on this, that and the other.
“The Windows agreement was great in terms of introducing a modern operating system. But maybe we should be focusing more on standards, and making sure that whatever products trusts or CCGs use come up to a certain cybersecurity standard and that it’s local choice.”
Taking eyes off the ball
Certainly Imperial College London’s Saira Ghafur feels there are developing areas of healthcare digitisation in which such standards are now urgently needed. Among them: increasingly connected medical devices and artificial intelligence algorithms. “We don’t have minimum security requirements for either,” she points out. “For medical devices, the security requirements are very patchy. There’s so much we need to do to make sure they’re safe – I think that’s one of the biggest threats coming up.”
“You can’t stand still on cybersecurity,” agrees Imprivata’s Wilcox. “It’s not the kind of thing that’s ‘do once and forget about it’. It’s a constantly evolving landscape of attack profiles and methods.”
Or as Jonathan Lee from Sophos puts it: “You take your eyes off the ball at your own peril.” And he does fear that some organisations are doing just that, in part through making ‘increased cybersecurity’ synonymous with ‘introducing Windows 10’.
“I think there’s been a lot of focus on that Windows 10 migration,” he muses. “Upgrading to a modern operating system is a good thing. But I do think that it’s sometimes led to people taking their eye off the ball in terms of the overall security picture – thinking, well, WannaCry was a few years ago now and ransomware is yesterday’s problem.”
That, he emphasises, is a serious mistake. “We know that ransomware is still very much a global threat – not just to the NHS but across the board. And it’s becoming more and more targeted as well.” Last October, for instance, three hospitals in Alabama were hit by an attack which forced staff to go back to using paper and to turn away all but the most critical patients. DCH Health Systems, the group running the hospitals, ultimately paid an undisclosed amount to the attacker for a decryption key.
Board level attention
For Lee, the work NHS Digital has done to train board members on such risks is helpful. “But that training also needs to feed down to the users themselves,” he suggests. “We know, for example, that phishing is the most prevalent way of getting malware onto an estate, so we need to do more to educate people around what a phishing e-mail looks like – how people can help to protect their own organisations.”
In other words, there is a need to make sure any clinical colleague currently looking blankly at the mention of the word ‘cybersecurity’ is brought fully up to speed. Lee reports that’s a mission most commonly accomplished when an organisation-wide cyber lead is in place.
“[It’s valuable to have] a cyber lead that sits across different silos. Organisations in the past used to have a desktop team, a server team, telephony etc. Where that falls down is where someone’s not looking at security as a whole. I think it’s very important that NHS organisations look at security as a whole, and not something that’s led just on cost, for example, seeing an opportunity to save money and almost forgetting what happened two and a bit years ago.
“When you look back, everything in the NHS on cybersecurity is pre- and post-WannaCry,” he continues. “And it is a conversation that we have – make sure this is still on your agenda, make sure you’re paying attention to it.”
Even as she and her colleagues prepare to write a paper about the increasing security risks represented by medical devices, Ghafur feels positive about the progress that has been made since WannaCry.
“Things are going in the right direction,” she concludes. “But,” she adds, “there’s lots more that needs to be done.”